ohico Absent Member.

NCS NSS pool resource has new ssh key whenever it's migrated

We have an OES11SP3 NCS cluster and an application that needs to connect using SFTP.

They connect to the NSS pool resource's IP address and need to trust the assigned ssh key.

The problem is that the key is never the same after a resource migration. We're wondering if it's possible for the server to keep the same ssh key (at least per node)?
I understand if it can't be the same across NCS nodes but having it remain the same on each node would solve our problem.

Thanks,
Marc

Re: NCS NSS pool resource has new ssh key whenever it's migr

ohico;2428105 wrote:
> We have an OES11SP3 NCS cluster and an application that needs to connect using SFTP.
>
> They connect to the NSS pool resource's IP address and need to trust the assigned ssh key.
>
> The problem is that the key is never the same after a resource migration. We're wondering if it's possible for the server to keep the same ssh key (at least per node)?
> I understand if it can't be the same across NCS nodes but having it remain the same on each node would solve our problem.
>
> Thanks,
> Marc


I would expect this to be functioning as normal in that the SSH key is based upon the physical node that the clustered resource is running on.

So if you have 10 physical servers, and the clustered resource can live on 3 of those nodes, then you will have 3 different SSH keys.

The only way I'm aware of:

a) Make the clustered resource only be able to reside on one node (but that totally defeats the purpose of the clustering software, IMO)
b) See if there's a native way in SLES to have/use the same SSH key on the multiple physical nodes that can host the resource.

"b" should really have nothing to do with the clustering/OES software per se, but rather it's a basic SLES question (IMO). I just don't know if it can be done (or if it can, how to do that).

I'm fairly certain it *can* technically be done, just don't know how.

--Kevin
ohico Absent Member.

Re: NCS NSS pool resource has new ssh key whenever it's migr

Thanks for answering but I guess I didn't explain properly that the SSH key is always different.

It would be great if it was at least always the same for node1 and always the same for node2, etc. Then we'd only need to configure the connecting system to know and trust the keys for each node.

The problem today is that on every migration you get a brand new key.

Thanks,
Marc
ohico Absent Member.

Re: NCS NSS pool resource has new ssh key whenever it's migr

I believe I was mistaken, the ssh key does remain the same on each node.

What was happening is the connecting system would not allow adding a new "known_hosts" entry for the same server/IP (i.e. the NCS resource).
I was able to manually add a second entry in the .ssh/known_hosts file and it works. So the "known_hosts" file ends up with 2 entries for the same host (name/IP) but with different keys.

Thanks,
Marc
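
The two-entry known_hosts file described above can be generated from each node's public host key rather than typed by hand. This is an added example, not part of the original post: the node names and key material are constructed, and the resource address and alternate port are borrowed from a later reply in this thread.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

def parse_pubkey(line: str):
    """Split 'type base64 [comment]' and check the blob names the same key type."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if not blob.startswith(ssh_string(key_type.encode())):
        raise ValueError("key type does not match key blob")
    return key_type, b64, blob

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the SHA256:<base64> form of OpenSSH 6.8 and later."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def known_hosts_lines(host: str, node_keys: dict, port: int = 22):
    """One line per distinct node key, all naming the same resource address."""
    marker = host if port == 22 else f"[{host}]:{port}"
    lines = []
    for _node, pub in sorted(node_keys.items()):
        key_type, b64, _blob = parse_pubkey(pub)
        line = f"{marker} {key_type} {b64}"
        if line not in lines:          # nodes sharing a key need only one entry
            lines.append(line)
    return lines

def constructed_key(fill: int) -> str:
    """Constructed (not real) ed25519 public key line, used as sample input."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@node"

NODE_KEYS = {"node1": constructed_key(1), "node2": constructed_key(2)}

if __name__ == "__main__":
    for node, pub in NODE_KEYS.items():
        print(node, fingerprint(parse_pubkey(pub)[2]))   # verify on the node itself
    print("\n".join(known_hosts_lines("192.168.33.44", NODE_KEYS)))
```

The printed fingerprints are meant to be compared with the ones read on each node's console, so the entries are trusted from a known source instead of on first connection.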
Anonymous_User Absent Member.

Re: NCS NSS pool resource has new ssh key whenever it's migrated

ohico wrote:
>
> We have an OES11SP3 NCS cluster and an application that needs to connect
> using SFTP.
>
> They connect to the NSS pool resource's IP address and need to trust the
> assigned ssh key.
>
> The problem is that the key is never the same after a resource
> migration. We're wondering if it's possible for the server to keep the
> same ssh key (at least per node)?
> I understand if it can't be the same across NCS nodes but having it
> remain the same on each node would solve our problem.


I resolved this for me by starting a second ssh server with its own key
using the cluster load script. Something like:

exit_on_error /usr/sbin/sshd -f /etc/ssh/sshd_conf_cluster -o PidFile=/var/run/sshd.cluster.pid

The configuration file specifies the key for this instance of sshd. So
users can connect to the IP of the cluster resource without getting a
warning about changing host keys after every migration event.

In order to avoid conflicts with the sshd already running on the host
the following entries were necessary:

# any port other than 22 used by the host sshd
Port 16666
# the IP of the cluster resource
ListenAddress 192.168.33.44
HostKey /etc/ssh/ssh_cluster_rsa

Günther
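
A pre-flight check for the second-instance setup described above: it compares the cluster instance's configuration with the node's own sshd configuration and reports listener collisions or a missing dedicated host key. This is an added example, not part of the original post or of OES; the host configuration is a constructed sample, and any wildcard listener is conservatively treated as overlapping every address.

```python
WILDCARDS = {"0.0.0.0", "::", "*"}

def parse(config_text):
    """Collect Port, ListenAddress and HostKey values (keywords are case-insensitive)."""
    found = {"port": [], "listenaddress": [], "hostkey": []}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in found:
            found[parts[0].lower()].append(parts[1].strip())
    return found

def listeners(cfg):
    """(address, port) pairs sshd would bind; defaults are every address and port 22."""
    ports = [int(p) for p in cfg["port"]] or [22]
    pairs = set()
    for value in cfg["listenaddress"] or ["*"]:
        host, port = value, None
        if value.startswith("["):                 # [host]:port
            host, _, rest = value[1:].partition("]")
            port = int(rest[1:]) if rest.startswith(":") else None
        elif value.count(":") == 1:               # host:port
            host, port = value.split(":")
            port = int(port)
        pairs.update((host, p) for p in ([port] if port else ports))
    return pairs

def check_cluster_instance(host_text, cluster_text):
    """Return a list of problems with running the second sshd beside the node's own."""
    host, cluster = parse(host_text), parse(cluster_text)
    problems = []
    for addr, port in sorted(listeners(cluster)):
        if addr in WILDCARDS:
            problems.append(f"ListenAddress {addr} is not tied to the resource IP")
        for h_addr, h_port in sorted(listeners(host)):
            if port == h_port and (addr == h_addr or WILDCARDS & {addr, h_addr}):
                problems.append(f"{addr}:{port} collides with host sshd on {h_addr}:{h_port}")
    if not cluster["hostkey"]:
        problems.append("no HostKey set: the instance would present the node's own key")
    return problems

HOST_SSHD = "# constructed sample of the node's own sshd_config\nPort 22\n"
CLUSTER_OK = "Port 16666\nListenAddress 192.168.33.44\nHostKey /etc/ssh/ssh_cluster_rsa\n"
CLUSTER_BAD = "Port 22\nListenAddress 192.168.33.44\n"   # constructed counter-example

if __name__ == "__main__":
    print(check_cluster_instance(HOST_SSHD, CLUSTER_OK))
    print(check_cluster_instance(HOST_SSHD, CLUSTER_BAD))
```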