SSH to 1 server from 2 different servers which have same hostname [closed]
There are 2 servers, for production and DR. Both servers are RHEL 7 and the same spec.
Both have the same host name and different IP addresses. We need to connect to the same outside servers over SSH without a password.
When we tried to connect from the DR server, it showed a warning with the message below.
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
    fromserver:user1$ ssh user2@dest-server
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    The ECDSA host key for dest-server has changed,
    and the key for the corresponding IP address 10.126.**.**
    is unchanged. This could either mean that
    DNS SPOOFING is happening or the IP address for the host
    and its host key have changed at the same time.
    Offending key for IP in /home/user1/.ssh/known_hosts:111
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the ECDSA key sent by the remote host is
    SHA256:***********************************************.
    Please contact your system administrator.
    Add correct host key in in /home/user1/.ssh/known_hosts to get rid of this message.
    Offending ED25519 key in in /home/user1/.ssh/known_hosts:111
    Password authentication is disabled to avoid man-in-the-middle attacks.
    Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
    *********************************************************************
My question is how I can avoid this message and enable ssh login without a password. Is it possible to avoid this message?
Have different host names in DNS for administrative functions including ssh. Making up my own example, thingprod1.example.net and thingprod2.example.net, with thingprod.example.net as a service address pointing at the active side. Sysadmins use the host name, user applications use the service address.
ssh's DNS spoofing and host key change warnings are security features to detect interception of ssh traffic. They rely on the host key remaining the same for a name and IP.
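As an added example (not part of the question or the answer above), the Python script below models how the ssh client matches a presented host key against known_hosts entries by host name and by IP address, reproducing the two warning headings quoted in the question, and shows why a per-server admin name stays clean where a shared service name trips the check after a failover. The host names, addresses and key strings are constructed sample values, and only plain (unhashed) known_hosts lines are handled.

```python
# Constructed known_hosts content: the service name currently resolves to the
# prod box, and each box also has its own admin name (as the answer recommends).
SAMPLE_KNOWN_HOSTS = """\
thingprod.example.net,thingprod1.example.net,192.0.2.11 ssh-ed25519 AAAAprod
thingprod2.example.net,192.0.2.12 ssh-ed25519 AAAAdr
"""

def parse_known_hosts(text):
    """Return {(name_or_ip, keytype): key} for each plain known_hosts line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments, @cert-authority/@revoked markers and hashed (|1|) lines.
        if not line or line[0] in "#@|":
            continue
        hosts, keytype, key = line.split()[:3]
        for h in hosts.split(","):  # one line may list several names/addresses
            entries[(h, keytype)] = key
    return entries

def status(entries, name, keytype, key):
    """NEW (no entry), OK (entry matches) or CHANGED (entry differs)."""
    known = entries.get((name, keytype))
    if known is None:
        return "NEW"
    return "OK" if known == key else "CHANGED"

def check_host_key(entries, hostname, ip, keytype, presented_key):
    """Return the warnings ssh would raise for a key presented by hostname/ip.

    ssh checks the entry for the name and the entry for the IP separately; the
    combination 'name changed, IP unchanged' is what produces the DNS spoofing
    warning in addition to the host identification warning.
    """
    host_st = status(entries, hostname, keytype, presented_key)
    ip_st = status(entries, ip, keytype, presented_key)
    warnings = []
    if host_st == "CHANGED":
        if ip_st == "OK":
            warnings.append("POSSIBLE DNS SPOOFING DETECTED")
        warnings.append("REMOTE HOST IDENTIFICATION HAS CHANGED")
    elif host_st == "OK" and ip_st == "CHANGED":
        warnings.append("host key differs from the key for the IP address")
    elif host_st == "NEW":
        warnings.append("authenticity of host can't be established")
    return warnings
```

After a failover the service name thingprod.example.net resolves to the DR box, whose key is already stored under its IP, so the client reports both warnings; the admin names thingprod1/thingprod2 each map to exactly one key and produce none.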