Thank you Alexander (and Johan) for confirming what I kinda suspected -- use shared keys if it is a published (i.e. failover required) service, otherwise bind only to dedicated address(es) using dedicated keys.
On 30 Jan 2013 at 18:33, Alexander Hall wrote:

> On 01/30/13 17:56, System Administrator wrote:
> > I finally got to deploy a CARP firewall cluster (HA failover for now).
> > Using only the official OpenBSD.org documentation, everything went very
> > smoothly even though the setup is not quite trivial (14 carp addresses
> > on 6 active interfaces). I even got system replication going using
> > rdist(1).
> >
> > While testing the failover and trying to ssh to a carp address I got
> > hit with the server key mismatch; hence this email. What is considered
> > best practice wrt ssh keys in a carp cluster -- install the same keys
> > on all member nodes to avoid the alerts or just live with the
> > occasional mismatch?
>
> Is the ssh service one of the failover'able services?
>
> If it is, I believe it makes sense to share the keys (that's what I do
> anyway), alternatively you could have a second sshd configured with a
> shared HostKey.
>
> If it is not, I'd suggest letting sshd listen only on the host address
> and not on the carp address.
>
> /Alexander
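As an added example, not code from this thread or from OpenBSD, the script below writes the two sshd_config variants that the advice above boils down to for one CARP member: a per-node sshd bound only to the host address with its own key, and a second sshd bound only to the carp address with a HostKey that is replicated (e.g. with rdist(1)) to every member. The 192.0.2.x addresses, the /etc/ssh/carp/ key path and the separate PidFile are placeholders and assumptions; the configs are written to a temporary directory so nothing on the running system is touched.

```shell
#!/bin/sh
# Added example (not from the thread): sshd_config variants for a CARP member.
# All addresses and key paths below are placeholders/assumptions.
set -eu

HOST_ADDR="192.0.2.11"   # this node's own, non-carp address (placeholder)
CARP_ADDR="192.0.2.10"   # the shared carp address (placeholder)
OUT="${OUT:-$(mktemp -d)}"

# Option 1: the regular sshd listens only on the host address and uses
# per-node keys, so a client talking to this node never sees a key change.
write_host_config() {
    cat > "$OUT/sshd_config" <<EOF
# per-node sshd: reachable only on the dedicated address
ListenAddress $HOST_ADDR
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
EOF
    echo "$OUT/sshd_config"
}

# Option 2: a second sshd instance for the failover'able service, bound only
# to the carp address and using a key that is identical on every member
# (assumed path /etc/ssh/carp/, distributed alongside the rest of the config).
write_carp_config() {
    cat > "$OUT/sshd_config.carp" <<EOF
# failover sshd: carp address only, HostKey shared by all cluster members
ListenAddress $CARP_ADDR
HostKey /etc/ssh/carp/ssh_host_ed25519_key
PidFile /var/run/sshd.carp.pid
EOF
    echo "$OUT/sshd_config.carp"
}

# Returns 0 when the config neither binds the carp address explicitly nor
# omits ListenAddress entirely (no ListenAddress means "bind everything",
# which would include the carp address and bring the key mismatch back).
check_not_on_carp() {
    cfg="$1"
    pat=$(printf '%s' "$CARP_ADDR" | sed 's/\./\\./g')
    if grep -Eq "^ListenAddress[[:space:]]+$pat([[:space:]:]|\$)" "$cfg"; then
        return 1
    fi
    grep -Eq '^ListenAddress[[:space:]]' "$cfg"
}

main() {
    h=$(write_host_config)
    c=$(write_carp_config)
    if check_not_on_carp "$h"; then
        echo "$h: binds only to the host address, per-node key"
    fi
    if ! check_not_on_carp "$c"; then
        echo "$c: binds the carp address, shared key expected on all members"
    fi
}

main
```

Each instance can then be started with its own config file via `sshd -f`, and the host-only variant is the one to keep as /etc/ssh/sshd_config when ssh is not one of the failover'able services.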