SSH warnings when working with multiple stacks

6th May 2016, last updated June 9th, 2017

If you have multiple separate stacks with Sonassi, you will find that connecting over SSH to a different stack triggers a host key warning.


This is caused by the fact that all MageStack stacks use the same internal hostnames and IP addresses. So regardless of which stack you've connected to, the access server is always reachable at the same address (causing a known_hosts error, because the key stored for that address belongs to a different stack).

There are a number of ways this can be overcome; there is no single "best" solution, so evaluate which suits your needs.

On Windows

The simplest way to address this is to create a separate HOSTS entry for each stack you connect to, each mapped to the same access server IP:

  my-customer-1
  my-customer-2
  my-customer-3

Then in your SSH/SCP/SFTP client, set the hostname to the respective name you defined above, so each stack's host key is stored under its own name.

On Linux

Security policies on Linux are a little stricter, so a HOSTS override on its own won't work and the techniques required are a little more involved. Here are a few possible solutions, listed in order of best to worst.

Disable host checking for your user

Create a new file, ~/.ssh/config and define the following,

  CheckHostIP no
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null

Disable host checking for all users

In /etc/ssh/ssh_config, define the following,

  CheckHostIP no
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null

Scan hosts on connect

In your OpenVPN configuration file (usually under /etc/openvpn/), add the following two directives,

script-security 2
up /usr/local/bin/

Then create /usr/local/bin/ with the following contents, editing _HOME (and the placeholder hostname, IP and route) to suit your own setup,

#!/bin/bash
(
  # Change _HOME to suit your own home directory
  _HOME=/home/youruser
  _MAX_RETRIES=30
  # Placeholders: the access server's hostname and IP address, and a route
  # that only appears in "route -n" once the VPN is up
  _ACCESS_HOST=access.example.invalid
  _ACCESS_IP=192.0.2.1
  _VPN_ROUTE=192.0.2.0

  # Wait for routes to come up
  while ! route -n | grep -q "$_VPN_ROUTE"; do
    [ $_MAX_RETRIES -eq 0 ] && exit 1
    sleep 1
    _MAX_RETRIES=$(( _MAX_RETRIES - 1 ))
  done

  # Clear the old known_hosts entries (by name and by IP) from the user's
  # file (-f, since OpenVPN runs this as root), then record the key of the
  # stack we have just connected to
  ssh-keygen -f "$_HOME/.ssh/known_hosts" -R "$_ACCESS_HOST"
  ssh-keygen -f "$_HOME/.ssh/known_hosts" -R "$_ACCESS_IP"
  ssh-keyscan -H "$_ACCESS_HOST" >> "$_HOME/.ssh/known_hosts"
  ssh-keyscan -t ecdsa -H "$_ACCESS_HOST" >> "$_HOME/.ssh/known_hosts"
) >/dev/null 2>&1 &

# Return at once so OpenVPN carries on bringing the tunnel up
exit 0

Finally make the script executable,

chmod +x /usr/local/bin/

This script is executed when the VPN connects, but before the routes have been brought up. So it backgrounds itself and waits for the routes to become available. As soon as they are, it removes the old known_hosts entry for the access server and re-scans it, so the key of the stack you have just connected to is the one on file.
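The Windows HOSTS trick can be reproduced on Linux without switching host key checking off: the ssh_config option HostKeyAlias stores each stack's key under an alias of your choosing, so stacks with identical hostnames and IPs no longer collide in known_hosts. The script below is an added example, not part of Sonassi's article; it writes one such Host block per stack, and the alias names, the access server IP (192.0.2.1) and the login user are placeholders.

```shell
#!/bin/sh
# Added example (not from the Sonassi article): give each stack its own SSH
# alias so that host keys of stacks sharing the same internal hostname/IP are
# stored under different names in known_hosts. Host key checking stays on.
# Placeholders: stack alias names, the access server IP, and the login user.
set -eu

# Print an ssh_config Host block for one stack.
#   $1 = alias (e.g. my-customer-1)  $2 = access server IP  $3 = login user
stack_host_block() {
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    User %s\n' "$3"
    # Look up / save the host key under the alias rather than the real
    # hostname or IP, so identical addresses on two stacks never collide.
    printf '    HostKeyAlias %s\n' "$1"
    # Do not also record the (shared) IP address in known_hosts.
    printf '    CheckHostIP no\n'
    # Keep verification: prompt on first use, refuse a changed key later.
    printf '    StrictHostKeyChecking ask\n'
    printf '\n'
}

# Append the block for a stack to an ssh config file ($4, default
# ~/.ssh/config) unless a Host entry for that alias already exists.
# Returns 0 when written, 1 when the alias was already present.
add_stack_alias() {
    _cfg="${4:-$HOME/.ssh/config}"
    if [ -f "$_cfg" ] && grep -q "^Host $1\$" "$_cfg"; then
        return 1
    fi
    stack_host_block "$1" "$2" "$3" >> "$_cfg"
    chmod 600 "$_cfg"
}

# Number of Host blocks defined for an alias in a config file.
count_alias() {
    grep -c "^Host $1\$" "$2" || true
}

# Usage (placeholder values): add_stack_alias my-customer-1 192.0.2.1 youruser
```

After adding a block, connect with `ssh my-customer-1`; the key is recorded under the alias on first use, and a second stack added as `my-customer-2` gets its own entry even though it resolves to the same address.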