On Wed, Jan 30, 2013 at 2:03 PM, Jiri B <ji...@devio.us> wrote:
> On Wed, Jan 30, 2013 at 09:29:42AM -0800, Johan Beisser wrote:
>> Don't monitor SSH on the CARP address.
>
> Doesn't it depend on the purpose of this SSH service?
> If it is to manage individual boxes, then sshd should not listen
> on CARP ip address.

Maybe. Or, perhaps you have a pool of servers that are essentially identical, and the failover service runs over SSH. In that case, having identical host keys would clear up that specific error. But, if a host fails out of the pool, you may not know right away.

> If it is authentication for external users like authpf,
> file uploads, I would create another sshd instance which would
> flow between boxes sharing same key, still keeping individual
> sshd for each box. We were doing this for a file upload cluster,
> though that was not OpenBSD but the issue about the key and "virtual"
> ip is the same.

Yes. I covered that in a later email. But, that's defined by the function you're trying to use.

The original complaint was "I'm sshing in to the CARP address, and the host keys keep changing making SSH throw an error." Like any doctor who gets a complaint of "it hurts when I do this!", the first answer is "well, don't do that." Until you get more information, and can actually help the person out.
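The two-instance layout Jiri describes, written out as an added example (not from the thread or from OpenBSD itself); the addresses, key paths, pid files and authorized_keys location are assumed placeholders:

```shell
#!/bin/sh
# Added example: a second sshd bound only to the CARP address with a
# pool-wide host key, alongside the stock per-box sshd. All values below
# are constructed placeholders.
CARP_IP=192.0.2.10                              # shared CARP address
HOST_IP=192.0.2.11                              # this box's own address
SHARED_KEY=/etc/ssh/carp/ssh_host_ed25519_key   # identical file on every pool member

# Instance 1: listens only on the CARP address and presents the shared key,
# so a client connecting to the CARP address sees one stable host key no
# matter which box is currently master.
carp_sshd_config() {
    cat <<EOF
ListenAddress $CARP_IP
HostKey $SHARED_KEY
PidFile /var/run/sshd_carp.pid
AuthorizedKeysFile /etc/ssh/carp/authorized_keys/%u
EOF
}

# Instance 2: the per-box sshd for managing this machine. ListenAddress is
# set explicitly because the default binds every address, CARP included,
# which is exactly how the changing-host-key error arises.
host_sshd_config() {
    cat <<EOF
ListenAddress $HOST_IP
HostKey /etc/ssh/ssh_host_ed25519_key
PidFile /var/run/sshd.pid
EOF
}

# Guard for config review: true (0) if the given config text binds the
# CARP address. The per-box config must never do so.
binds_carp() {
    printf '%s\n' "$1" | grep -q "^ListenAddress[[:space:]]*$CARP_IP\$"
}

# Deployment (commented out so the script is safe to source):
# carp_sshd_config > /etc/ssh/sshd_config.carp
# /usr/sbin/sshd -f /etc/ssh/sshd_config.carp
```

The stock sshd keeps running from /etc/ssh/sshd_config with the host instance settings; only the CARP-bound instance is started with -f.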