On Wed, Jan 30, 2013 at 09:29:42AM -0800, Johan Beisser wrote:
> On Wed, Jan 30, 2013 at 8:56 AM, System Administrator <ad...@bitwise.net> 
> wrote:
> > I finally got to deploy a CARP firewall cluster (HA failover for now).
> > Using only the official OpenBSD.org documentation, everything went very
> > smoothly even though the setup is not quite trivial (14 carp addresses
> > on 6 active interfaces). I even got system replication going using
> > rdist(1).
> >
> > While testing the failover and trying to ssh to a carp address I got
> > hit with the server key mismatch; hence this email. What is considered
> > best practice wrt ssh keys in a carp cluster -- install the same keys
> > on all member nodes to avoid the alerts or just live with the
> > occasional mismatch?
> 
> Don't monitor SSH on the CARP address.

Doesn't it depend on the purpose of this SSH service?
If it is to manage individual boxes, then sshd should not listen
on the CARP IP address.

If it is authentication for external users like authpf,
file uploads, I would create another sshd instance which would
flow between boxes sharing the same key, still keeping an individual
sshd for each box. We were doing this for a file upload cluster,
though that was not OpenBSD, but the issue with the key and "virtual"
IP is the same.

jirib
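The two-instance layout described in the reply above, as an added example that is not part of the thread and not jirib's own setup: one sshd bound only to the node's own address with its own host key, and a second sshd bound only to the CARP address with a host key that is copied to every cluster member, so clients pinning the CARP address see one identity regardless of which node holds it. The addresses, key paths and pid file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the mailing list thread.
# Constructed placeholder addresses: the node's own IP and the CARP IP.
NODE_IP="192.0.2.11"
CARP_IP="192.0.2.10"

# Per-box sshd: listens only on the node's own address and uses the
# node's own host key, so each cluster member keeps a distinct identity.
write_node_config() {
    cat > "$1" <<EOF
ListenAddress $NODE_IP
Port 22
HostKey /etc/ssh/ssh_host_ed25519_key
PidFile /var/run/sshd.pid
EOF
}

# Service sshd: listens only on the CARP address and uses a host key that
# is distributed out of band (e.g. with the rdist setup mentioned in the
# thread) to every member, so the key never changes on failover.
# The /etc/ssh-carp directory is an assumed, hypothetical path.
write_carp_config() {
    cat > "$1" <<EOF
ListenAddress $CARP_IP
Port 22
HostKey /etc/ssh-carp/ssh_host_ed25519_key
PidFile /var/run/sshd-carp.pid
EOF
}

# Sanity check a pair of configs: the per-box instance must not listen on
# the CARP address, the CARP instance must not listen on the node address,
# and the two instances must not point at the same HostKey file.
# Returns 0 when the separation holds, 1 otherwise.
check_separation() {
    node_cfg="$1"; carp_cfg="$2"
    grep -q "^ListenAddress $CARP_IP\$" "$node_cfg" && return 1
    grep -q "^ListenAddress $NODE_IP\$" "$carp_cfg" && return 1
    nk=$(awk '$1=="HostKey"{print $2}' "$node_cfg")
    ck=$(awk '$1=="HostKey"{print $2}' "$carp_cfg")
    [ -n "$nk" ] && [ -n "$ck" ] && [ "$nk" != "$ck" ]
}

# Usage on a node (paths assumed): write both configs, validate each with
# sshd -t, then start the CARP-facing instance from its own config file,
# e.g. from rc.local:
#   write_node_config /etc/ssh/sshd_config
#   write_carp_config /etc/ssh-carp/sshd_config
#   check_separation /etc/ssh/sshd_config /etc/ssh-carp/sshd_config
#   sshd -t -f /etc/ssh/sshd_config && sshd -t -f /etc/ssh-carp/sshd_config
#   /usr/sbin/sshd -f /etc/ssh-carp/sshd_config
```

Clients that connect to the CARP address record the shared key under that address in known_hosts, while administrators who connect to a node's own address still see that node's distinct key; the mismatch warning from the original question only appears if one sshd answers on both addresses with different keys on different members.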
