darkoperator / Posh-SSH

PowerShell Module for automating tasks on remote systems using SSH
BSD 3-Clause "New" or "Revised" License

Trusted Host Keys - Storing multiple keys per host #167

Open bwright86 opened 7 years ago

bwright86 commented 7 years ago

Looking to have the ability to have multiple entries for a single host.

I am a sys admin for some applications that are on clusters, with the application moving to 1 of multiple nodes. There is a VIP address to target the active node, and I prefer to jump directly to the node that is active for the application.

I can look to see if this is an easy update, and submit a PR for it. But I would like to hear of any issues or concerns before pursuing it.

darkoperator commented 7 years ago

The most straightforward solution here is just to use the same host keys for Linux. That is, pick one set of /etc/ssh/sshhost_key files and copy them over to the other Host. After all logically they are the same.

bwright86 commented 7 years ago

Your solution is a common scenario I have seen on some forums. The issue I see with that is if host keys are changed during maintenance, there would have to be a step in the process to recopy the key to the alternate nodes.

I also have server admins that are not willing to copy the keys between servers. So this solution would not work for my situation.

I do see that the ~/.ssh/known_hosts has the ability to store the same host name multiple times with different keys. This is the current solution I use with Cygwin for these clustered servers.

The solution I had in mind for the Posh-SSH module would be to use MultiString registry keys for the hostname, and store each learned host key as a separate element in them. The Get-SSHTrustedHost would extract each individual fingerprint as a separate object that is returned. The Set-SSHTrustedHost would add additional fingerprints to the value, or create a new one for the host.

I will go ahead and submit a PR for the proposed solution, so you can look it over.
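The per-host MultiString layout proposed above, as an added example in PowerShell. This is not Posh-SSH's own code or the PR's code: the registry path, the function names and the fingerprint strings are assumptions made for the example, and the registry path is chosen so it does not touch Posh-SSH's real store. It shows the three operations the proposal describes (learn a key for a host, list one object per stored fingerprint, and check a presented fingerprint against every fingerprint known for that host) so that a cluster whose nodes keep distinct keys can be verified without a key-change warning on every failover, while a fingerprint that matches none of them is still rejected.

```powershell
# Added example (not Posh-SSH's code): one REG_MULTI_SZ value per host, one element per learned key.
# The path below is an assumption for this example, not the location Posh-SSH uses.
$StorePath = 'HKCU:\Software\ExampleSshTrust\Hosts'

function Initialize-TrustStore {
    if (-not (Test-Path $StorePath)) {
        New-Item -Path $StorePath -Force | Out-Null
    }
}

function Get-TrustedFingerprint {
    # Returns one object per stored fingerprint, the shape proposed for Get-SSHTrustedHost.
    param([Parameter(Mandatory)][string]$HostName)
    Initialize-TrustStore
    $item = Get-ItemProperty -Path $StorePath -Name $HostName -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    foreach ($fp in @($item.$HostName)) {
        [pscustomobject]@{ SSHHost = $HostName; Fingerprint = $fp }
    }
}

function Add-TrustedFingerprint {
    # Appends a fingerprint to the host's MultiString value, or creates the value,
    # the behaviour proposed for Set-SSHTrustedHost. Adding a known fingerprint is a no-op.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$Fingerprint
    )
    Initialize-TrustStore
    $existing = @(Get-TrustedFingerprint -HostName $HostName | ForEach-Object Fingerprint)
    if ($existing -contains $Fingerprint) { return }
    $updated = [string[]]($existing + $Fingerprint)
    New-ItemProperty -Path $StorePath -Name $HostName -Value $updated `
        -PropertyType MultiString -Force | Out-Null
}

function Test-TrustedFingerprint {
    # The verification side: the single fingerprint presented by the server is accepted
    # only if it matches one of the fingerprints already learned for this host.
    # An unknown host, or a key that matches none of them, is rejected and should be
    # treated as a key change to investigate rather than silently re-learned.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$Fingerprint
    )
    $known = @(Get-TrustedFingerprint -HostName $HostName | ForEach-Object Fingerprint)
    return [bool]($known -contains $Fingerprint)
}

# Usage with constructed fingerprints (placeholders, not real host keys):
# the VIP name is learned once per cluster node, then a presented key is checked.
Add-TrustedFingerprint -HostName 'app-vip.example.invalid' -Fingerprint 'SHA256:PLACEHOLDER-NODE1'
Add-TrustedFingerprint -HostName 'app-vip.example.invalid' -Fingerprint 'SHA256:PLACEHOLDER-NODE2'
Get-TrustedFingerprint  -HostName 'app-vip.example.invalid' | Format-Table
Test-TrustedFingerprint -HostName 'app-vip.example.invalid' -Fingerprint 'SHA256:PLACEHOLDER-NODE2'
Test-TrustedFingerprint -HostName 'app-vip.example.invalid' -Fingerprint 'SHA256:PLACEHOLDER-UNKNOWN'
```

The check deliberately accepts only an exact match against the learned set; it never appends a fingerprint on its own, so a rotated or substituted key on one node surfaces as a failed check and has to be added by an explicit Add-TrustedFingerprint step, which keeps the maintenance concern raised above visible instead of hidden.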

bwright86 commented 7 years ago

I have made the necessary changes to allow multiple keys to be tracked per host; there is a PR that can be reviewed and, if it looks good, merged.

ZiRoN321 commented 2 years ago

Has this been implemented in the JSON key store on v3.0.4? Can two keys be specified for the same host?

MVKozlov commented 2 years ago

No, this is not done, because the base library does not send all keys for verification, but only the first one.

darkoperator commented 2 years ago

Max beat me to the reply :)