SSH warnings when working with multiple stacks
If you have multiple separate stacks with Sonassi, you will find that connecting to different stacks over SSH triggers a warning,
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
This is caused by the fact that all MageStack stacks use the same internal hostnames and IP addresses. So regardless of which stack you've connected to, the access server is always available at acc.magestack.com (causing a known_hosts error, because the key stored for that name no longer matches the stack you are now talking to).
There are a number of ways this can be overcome; there is no "best" solution, so evaluate which suits your needs.
On Windows
The simplest way to address this is to create separate HOSTS entries for each stack you are connecting to, and map them to the same IP,
172.16.0.61 my-customer-1
172.16.0.61 my-customer-2
172.16.0.61 my-customer-3
Then in your SSH/SCP/SFTP connection, just set the hostname as the respective name you've defined above.
On Linux
Security policies on Linux are a little stricter, so a HOSTS override alone won't work and the techniques required are a little more advanced. Here are a few possible solutions, listed in order of best to worst.
Disable host checking for your user
Create a new file, ~/.ssh/config, and define the following. These directives stop OpenSSH from recording or verifying the access server's host key at all, which is what removes the warning,
Host acc.magestack.com
HostName acc.magestack.com
CheckHostIP no
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Disable host checking for all users
In /etc/ssh/ssh_config, define the following,
Host acc.magestack.com
HostName acc.magestack.com
CheckHostIP no
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
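As an added example (not part of the original article), the Windows HOSTS trick above can be reproduced on Linux through ~/.ssh/config aliases instead of disabling host checking: each alias resolves to acc.magestack.com but keeps its own known_hosts file, so every stack's key stays pinned and a changed key still warns. The alias names, the scratch directory and the sample known_hosts line are constructed for the demo.

```bash
#!/bin/bash
# Added example: per-stack SSH aliases with one known_hosts file per stack.
# Nothing here touches ~/.ssh; the demo works in a temporary directory.

# Emit one ~/.ssh/config stanza. The alias resolves to the shared access host,
# but its host key is recorded in a file that belongs to this stack only.
stack_stanza() {
  local alias="$1" host="$2" kh_dir="$3"
  printf 'Host %s\n' "$alias"
  printf '    HostName %s\n' "$host"
  printf '    UserKnownHostsFile %s/known_hosts.%s\n' "$kh_dir" "$alias"
  # Every stack shares 172.16.0.61, so an IP-keyed entry carries no information.
  printf '    CheckHostIP no\n'
  # First connection prompts for the key; a changed key is still rejected.
  printf '    StrictHostKeyChecking ask\n\n'
}

# Emit stanzas for every alias in "$@", all pointing at acc.magestack.com.
gen_config() {
  local kh_dir="$1"; shift
  local a
  for a in "$@"; do
    stack_stanza "$a" acc.magestack.com "$kh_dir"
  done
}

# Print "pinned" if the alias already has a recorded key, else "unpinned".
pin_status() {
  local kh_dir="$1" alias="$2"
  local f="$kh_dir/known_hosts.$alias"
  if [ -s "$f" ] && grep -q 'acc.magestack.com' "$f"; then
    echo pinned
  else
    echo unpinned
  fi
}

# Stand-alone demo: pretend stack 1 has been connected to once already.
demo() {
  local kh_dir
  kh_dir=$(mktemp -d)
  echo 'acc.magestack.com ssh-ed25519 AAAA-constructed-sample-key' \
    > "$kh_dir/known_hosts.my-customer-1"
  gen_config "$kh_dir" my-customer-1 my-customer-2
  pin_status "$kh_dir" my-customer-1   # pinned
  pin_status "$kh_dir" my-customer-2   # unpinned
  rm -rf "$kh_dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Append the generated stanzas to ~/.ssh/config and connect with `ssh my-customer-2`; the first connection to each alias records that stack's key in its own file.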
Scan hosts on connect
In your OpenVPN configuration file (usually /etc/openvpn/dhX.cX.sonassihosting.com.conf), add the following two arguments,
script-security 2
up /usr/local/bin/rescan-acc.sh
Then create /usr/local/bin/rescan-acc.sh with the following contents, editing _HOME as necessary,
#!/bin/bash
# Do the work in a backgrounded subshell so OpenVPN gets its exit status
# immediately; the "exit 0" must come after the subshell is started, not before it.
(
  # Change _HOME to suit your own home directory
  _HOME=/root
  _MAX_RETRIES=10
  # Wait for the VPN route to come up
  while ! route -n | grep -q 172.16.0.0; do
    [ "$_MAX_RETRIES" -eq 0 ] && exit 1
    sleep 1
    _MAX_RETRIES=$(( _MAX_RETRIES - 1 ))
  done
  # Remove the stale entries from the known_hosts file under _HOME (without -f,
  # ssh-keygen -R would edit the known_hosts of the user running OpenVPN instead)
  ssh-keygen -R acc.magestack.com -f "$_HOME/.ssh/known_hosts"
  ssh-keygen -R 172.16.0.61 -f "$_HOME/.ssh/known_hosts"
  # Record the current key of the stack we are now connected to
  ssh-keyscan -H acc.magestack.com >> "$_HOME/.ssh/known_hosts"
  ssh-keyscan -t ecdsa -H acc.magestack.com >> "$_HOME/.ssh/known_hosts"
) >/dev/null 2>&1 &
exit 0
Finally make the script executable,
chmod +x /usr/local/bin/rescan-acc.sh
This script is executed when the VPN connects, but before the routes are brought up, so it backgrounds its work and waits for the route to become available. As soon as it does, the script removes the old known_hosts entries for the access server and scans the current key back into known_hosts.