Hello,
We are trying to SFTP to a VIPA address which is the cluster address of several hosts and we are getting the following results :
1. First attempt to the VIPA address works - HOST A chosen.
2. Second attempt fails. This is because HOST B is chosen and the id is different. Partial output from the trace:
debug3: check_host_in_hostfile: filename /u/tsghos/.ssh/known_hosts
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat
@ FOTS1317 WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Is it possible to SFTP to a VIPA address that routes the sessions to several hosts that sit behind the address?
We use the following option: ssh_opts="$ssh_opts -oStrictHostKeyChecking=no"
We are using Password Authentication.
Regards
Hanif Osman
SFTP TO VIPA-(CLUSTERED HOSTS)
Re: SFTP TO VIPA-(CLUSTERED HOSTS)
If you have a cluster of hosts each running an SSHD server from a VIPA, then they must all use the same matching host key pairs.
So, for example, if you are running OpenSSH on these servers, then the keys pointed to by "HostKey" in /etc/ssh/sshd_config must match.
This is because the client will get a random server from the VIPA, and the client will check the server's host key to see that it is as expected - so all of the sshd servers behind the VIPA must use the same host keys.
Unless you have changed the default file names, these files are named:
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
It is also possible to run two instances of sshd on each of these servers - one to service the individual server and one to serve the VIPA. These would need to run either on different ports or on different network interfaces. Each sshd daemon would point to a different sshd_config file (using the -F option when starting sshd). Each sshd_config file could point to different sets of host keys.
For more information on OpenSSH Host key authentication, see our webinar: "IBM Ported Tools for z/OS: OpenSSH - Key Authentication" here: http://dovetail.com/webinars.html
Re: SFTP TO VIPA-(CLUSTERED HOSTS)
Hello,
Thank you very much for the prompt update.
Regards
Re: SFTP TO VIPA-(CLUSTERED HOSTS)
Instead of cut and paste, if you need to add a key to the known hosts you can FTP it with certain options:
save the key as .txt
save to a drive on your pc
ftp in ascii to IBM
quote site lrecl=600 - otherwise the site's default lrecl in ftpdata may be 256 or similar and too small so truncating the key
quote site sbsendeol=none
this stops carriage return line feeds messing up the key
then ftp the key.txt to either 'data.set' or /u/userid/.ssh/known_hosts
Re: SFTP TO VIPA-(CLUSTERED HOSTS)
A fast (and of course very insecure) way to solve the problem with different SSHD server keys of VIPA clustered servers is to use the following parameter setting:
ssh-options=-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null
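As an added example, not code from any post in this thread, here is a small Python check that applies the rule from the first reply (all members behind the VIPA must present the same host key) and gives a client-side alternative to the last reply's workaround of turning host key checking off: it parses ssh-keyscan / plain known_hosts style lines, groups cluster members by the key they present, and only when every member matches emits a single known_hosts entry naming the VIPA and all its members. The host names and key strings are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample: what `ssh-keyscan -t rsa hosta hostb vipa.example` might print
# for a cluster whose members do NOT share a host key (the situation in the thread).
# Host names and key material are placeholders, not real keys.
SAMPLE_KEYSCAN = """\
hosta ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0hostA
hostb ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0hostB
vipa.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0hostA
"""

def parse_keyscan(text):
    """Return {host: {keytype: key}} from ssh-keyscan / plain (unhashed) known_hosts lines."""
    keys = defaultdict(dict)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank line or comment
        host, keytype, key = fields[0], fields[1], fields[2]
        keys[host][keytype] = key
    return dict(keys)

def check_cluster(keys, members, keytype="ssh-rsa"):
    """Group cluster members by the host key they present.
    A healthy VIPA cluster yields exactly one group; two or more means a client
    connecting to the VIPA gets 'REMOTE HOST IDENTIFICATION HAS CHANGED' as soon
    as the VIPA hands it a member whose key differs from the one it saw first."""
    groups = defaultdict(list)
    for member in members:
        groups[keys.get(member, {}).get(keytype)].append(member)
    return dict(groups)

def known_hosts_entry(keys, vipa, members, keytype="ssh-rsa"):
    """Build one known_hosts line naming the VIPA and every member behind it,
    so the client accepts whichever member answers without disabling host key
    checking. Refuses (raises) unless all members share the same key, so a
    mismatch is never silently pinned."""
    groups = check_cluster(keys, members, keytype)
    if len(groups) != 1 or None in groups:
        raise ValueError("members do not share one %s host key: %s" % (keytype, groups))
    (key,) = groups
    return "%s,%s %s %s" % (vipa, ",".join(members), keytype, key)

if __name__ == "__main__":
    scanned = parse_keyscan(SAMPLE_KEYSCAN)
    print(check_cluster(scanned, ["hosta", "hostb"]))  # two groups: the cluster is misconfigured
```

Once the sshd host keys have been made identical on every member, the same functions return a single group and produce the one known_hosts line to install on the client.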