We have a setup with two Red Hat-based servers, which are both HA hosts behind a virtual IP.
- 192.168.0.3 dataserver (virtual ip)
- 192.168.0.1 dataserver_ha1 (physical server)
- 192.168.0.2 dataserver_ha2 (physical server)
Using DRBD and Heartbeat, it is set up to run one host as the primary host and the other in a standby state. If the primary fails, then the standby server becomes primary and takes over…
Very standard in that regard.
Our log processing server (etl_server) SSHes to dataserver and runs hourly processes.
We use SSH keys to connect (though that is not important info for this).
When dataserver_ha1 fails over to ha2, etl_server can no longer connect due to the man-in-the-middle warning about changed host keys.
AFAIK there are a few things I could do:
1) turn strict checking off on the ssh clients (don't want to do that)
2) add entries for both physical host keys in the authorized_keys file on the client
3) mirror all the /etc/sshd/hosts* files
But I feel like I should be able to tell the hosts to inform the ssh client request that one of two permissible host keys could possibly be used. When I get a little time I will test this out using VirtualBox or something. In the meantime I am looking in the wrong places for info on this…
Best Answer
Use the same private keys on your two dataservers.
From the primary...
scp /etc/ssh/*key* dataserver_ha2:/etc/ssh/
Following that, restart the ssh daemon on dataserver_ha2 with
service sshd restart
That will take care of your host identity issues in the quickest, cleanest way.
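As an added example (not part of the question or of the answer above), here is a Python model of how an OpenSSH client evaluates a known_hosts file when one name is bound to more than one host key. It illustrates the alternative hinted at in option 2 of the question, done in the client's known_hosts file (where host keys live, rather than authorized_keys): sshd(8) explicitly permits several lines or different host keys for the same names, and the client only raises the changed-host-key warning when entries exist for that name and key type but none of them match. The key blobs, host names and addresses are constructed placeholders from this thread; @cert-authority/@revoked markers, the [host]:port syntax and key revocation are deliberately left out, so this is a simplified model, not OpenSSH's own code.

```python
import base64
import fnmatch
import hashlib
import hmac
from enum import Enum


class HostStatus(Enum):
    OK = "ok"            # presented key matches an entry for this host
    CHANGED = "changed"  # entries exist for this host/key type, none match -> MITM warning
    NEW = "new"          # nothing known for this host/key type -> "are you sure" prompt


def hash_host(hostname: str, salt: bytes) -> str:
    """Build the hashed host field that ssh-keygen -H writes: |1|salt|HMAC-SHA1(salt, host)."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """Does a known_hosts host field (comma-separated globs, optional '!' negation,
    or the hashed form) cover hostname?  Simplified model of OpenSSH's matching."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = host_field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    matched = False
    for pattern in host_field.split(","):
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pattern[1:]):
                return False  # a negated match excludes the host outright
        elif fnmatch.fnmatchcase(hostname, pattern):
            matched = True
    return matched


def check_host_key(known_hosts: str, hostname: str, key_type: str, key_blob: str) -> HostStatus:
    """Evaluate every entry; OK beats CHANGED beats NEW, so a second permissible
    key for the same name is enough to avoid the changed-host-key warning."""
    status = HostStatus.NEW
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line[0] in "#@":
            continue  # comments and @cert-authority/@revoked markers are not modelled
        fields = line.split()
        if len(fields) < 3:
            continue
        host_field, ktype, blob = fields[:3]
        if ktype != key_type or not host_matches(host_field, hostname):
            continue
        if hmac.compare_digest(blob.encode(), key_blob.encode()):
            return HostStatus.OK
        status = HostStatus.CHANGED
    return status


# Constructed sample data: placeholder strings standing in for the base64 public key blobs.
HA1_RSA = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC-ha1-placeholder"
HA2_RSA = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC-ha2-placeholder"
ROGUE_RSA = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC-unknown-host"

# Constructed known_hosts for etl_server: the VIP name and address are bound to BOTH
# physical servers' keys; each physical name keeps its own single entry, and one of
# them is stored in hashed form as HashKnownHosts / ssh-keygen -H would write it.
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for etl_server (assumed sample data)",
    "dataserver,192.168.0.3 ssh-rsa " + HA1_RSA,
    "dataserver,192.168.0.3 ssh-rsa " + HA2_RSA,
    "dataserver_ha1,192.168.0.1 ssh-rsa " + HA1_RSA,
    hash_host("dataserver_ha2", b"\x01" * 20) + " ssh-rsa " + HA2_RSA,
])


if __name__ == "__main__":
    for who, blob in (("ha1 active", HA1_RSA), ("ha2 after failover", HA2_RSA), ("rogue host", ROGUE_RSA)):
        print(who, "->", check_host_key(KNOWN_HOSTS, "dataserver", "ssh-rsa", blob).value)
```

In practice the two lines for the VIP can be produced with ssh-keyscan against 192.168.0.1 and 192.168.0.2 and the host field rewritten to "dataserver,192.168.0.3"; the trade-off against the answer's approach is that copying the private host keys makes the two physical servers indistinguishable to every client, while listing both public keys keeps each server's identity distinct and lets you drop one entry if that server is ever rebuilt.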