[Info-vax] SSH mysteriously stops working
Joseph Huber
joseph.huber at NOREPLY.web.de
Fri May 20 02:35:48 EDT 2011
Phillip Helbig---undress to reply wrote:
> In article <d949a$4dd4b9cb$82a13c9d$20341 at news1.tudelft.nl>, JOUKJ
> <joukj at hrem.nano.tudelft.nl> writes:
>
>> Did you also try with a "just-created" account which was not used for
>> ssh at all before the test?
>
> Not yet. Maybe I'll have to. Here is the message I get when trying to
> get in from outside. (Contrary to what I mentioned before, OUTGOING
> access seems OK.)
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> The DSA host key for multivax.de has changed,
[snip] ...
> Add correct host key in /home/foobar/.ssh/known_hosts to get rid of this
> message.
> Offending key in /home/foobar/.ssh/known_hosts:1
> DSA host key for multivax.de has changed and you have requested strict
> checking.
> Host key verification failed.
>
> Note that a) I have an IP address which changes usually once a day and
> b) whatever node has the cluster IP address will respond to the incoming
> request. Both the IP address and also the node with the cluster alias
> have changed in the past. SSH probably wasn't meant for this sort of
> setup. Could the problem be that the IP address and the cluster-alias
> node changed at the same time?
I think that's the usual consequence of a key change. Just follow the advice
to delete the offending key, then the new one will be stored at the next
login. I never had a problem afterwards.
And the problem of cluster alias and changing IP address: that should be no
problem, the host keys are stored with the host's domain name (if
available).
But of course all nodes participating in a cluster alias should have the
same hostkey. Well, different systems/ssh versions seem to behave differently:
on my desktop Linux I see mostly IP addresses, but a few domain names. On
VMS (TCPIP 5.4) I see mostly domain names.
So having a common hostkey in a cluster is probably the safe way.
--
Remove NOREPLY. from Email address.
Joseph Huber, http://www.huber-joseph.de
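
An added example, not part of the original post: a check that compares the host key each node behind a cluster alias offers with the entry a client has stored for that alias, so a mismatch can be traced to per-node keys before any known_hosts entry is deleted. The node names and key blobs are constructed placeholders; the input lines use the known_hosts / ssh-keyscan layout (host, key type, base64 key).

```python
import base64
import hashlib
from collections import defaultdict

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(text):
    """Map host name -> set of (key type, fingerprint) from known_hosts or
    ssh-keyscan style lines: 'host[,host...] keytype base64 [comment]'."""
    keys = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) host entries.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        for host in fields[0].split(","):
            keys[host].add((fields[1], fingerprint(fields[2])))
    return keys

def check_alias(known_hosts, alias, scanned, nodes):
    """Compare keys offered by each cluster node with the entry stored for alias."""
    stored = parse_keys(known_hosts).get(alias, set())
    offered = parse_keys(scanned)
    # A node is mismatched when none of its offered keys is the stored one.
    mismatched = sorted(n for n in nodes if not (offered.get(n, set()) & stored))
    shared = len({frozenset(offered.get(n, set())) for n in nodes}) == 1
    return {"mismatched_nodes": mismatched, "nodes_share_key": shared}

def _blob(label):
    # Constructed stand-in for a key blob; not a real DSA key.
    return base64.b64encode(label.encode()).decode()

# Constructed sample data: node names are hypothetical.
KNOWN_HOSTS = f"multivax.de ssh-dss {_blob('key-of-node-a')}\n"
SCAN_SPLIT = (f"node-a.example ssh-dss {_blob('key-of-node-a')}\n"
              f"node-b.example ssh-dss {_blob('key-of-node-b')}\n")
SCAN_COMMON = (f"node-a.example ssh-dss {_blob('key-of-node-a')}\n"
               f"node-b.example ssh-dss {_blob('key-of-node-a')}\n")
NODES = ["node-a.example", "node-b.example"]

if __name__ == "__main__":
    print(check_alias(KNOWN_HOSTS, "multivax.de", SCAN_SPLIT, NODES))
    print(check_alias(KNOWN_HOSTS, "multivax.de", SCAN_COMMON, NODES))
```

With per-node keys, only the node whose key was stored first matches the alias entry; with a common host key, no node is flagged.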