On 01/30/13 17:56, System Administrator wrote:
> I finally got to deploy a CARP firewall cluster (HA failover for now).
> Using only the official OpenBSD.org documentation, everything went very
> smoothly even though the setup is not quite trivial (14 carp addresses
> on 6 active interfaces). I even got system replication going using
> rdist(1).
> While testing the failover and trying to ssh to a carp address I got
> hit with the server key mismatch; hence this email. What is considered
> best practice wrt ssh keys in a carp cluster -- install the same keys
> on all member nodes to avoid the alerts or just live with the
> occasional mismatch?
Is the ssh service one of the failover'able services?
If it is, I believe it makes sense to share the keys (that's what I do
anyway), alternatively you could have a second sshd configured with a
shared HostKey.
If it is not, I'd suggest letting sshd listen only on the host address
and not on the carp address.
/Alexander
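As an added check (not from the thread; the member addresses, CARP address and key blobs are constructed), the script below takes ssh-keyscan style output for the two member nodes and the CARP address, computes OpenSSH SHA256 fingerprints, and reports whether the members already share one host key and which member a client that pinned the CARP address's key would mismatch against after a failover.

```python
import base64
import hashlib
import struct

# Constructed ssh-keyscan style output for two cluster members (hypothetical
# host addresses) and the shared CARP address. The key blobs are built below so
# the example runs offline; they are not real host keys.

def _ed25519_blob(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public-key blob (constructed, not a real key)."""
    raw = hashlib.sha256(seed).digest()          # 32 pseudo-random bytes standing in for the key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return base64.b64encode(blob).decode()

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of sha256(key blob), '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keyscan(lines):
    """Map host -> (keytype, blob) from 'host keytype blob' lines, skipping '#' comments."""
    keys = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, blob = line.split()[:3]
        keys[host] = (keytype, blob)
    return keys

def audit_cluster(members, carp_host, keyscan_lines):
    """Return (all_members_share_one_key, members whose key differs from what carp_host presents)."""
    keys = parse_keyscan(keyscan_lines)
    carp_fp = fingerprint(keys[carp_host][1])
    mismatched = [m for m in members if fingerprint(keys[m][1]) != carp_fp]
    member_fps = {fingerprint(keys[m][1]) for m in members}
    return len(member_fps) == 1, mismatched

# Constructed sample: fw1 and fw2 have different host keys; after a failover the
# CARP address is answered by fw2, so a client that pinned fw1's key sees a mismatch.
FW1_KEY = _ed25519_blob(b"fw1")
FW2_KEY = _ed25519_blob(b"fw2")
KEYSCAN_OUTPUT = [
    "# 192.0.2.11:22 SSH-2.0-OpenSSH (constructed)",
    f"192.0.2.11 ssh-ed25519 {FW1_KEY}",
    f"192.0.2.12 ssh-ed25519 {FW2_KEY}",
    f"192.0.2.10 ssh-ed25519 {FW2_KEY}",   # CARP address, currently held by fw2
]

if __name__ == "__main__":
    shared, bad = audit_cluster(["192.0.2.11", "192.0.2.12"], "192.0.2.10", KEYSCAN_OUTPUT)
    print("members share one host key:", shared)
    print("members differing from the key the CARP address presents:", bad)
```

Against real nodes, feed it the output of `ssh-keyscan` for each member and the carp address; a non-empty mismatch list is exactly the case where a client pinned to the carp address will alert on failover.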