ssh for multiple hosts on single ip
Sometimes it's necessary to ssh to an IP which may have
alternating servers behind it, for example when two systems are sharing an IP
using keepalived. Usually, when
ssh, upon connecting, encounters a fingerprint other than the one it has
stored in ~/.ssh/known_hosts, it will just exit with a
corresponding warning. Instead of turning the host key check off, it's better to store
all valid fingerprints for the remote, shared IP in the corresponding
Host entry in ~/.ssh/config, which, luckily, is
perfectly valid spec-wise.
There's a tool named ssh-keyscan which will provide
the public SSH host keys from remote hosts. Using this
makes creating the required entries in
.ssh/known_hosts quite simple: assuming the public
fingerprints from 192.0.2.20, .21
and .22 should be stored for a shared IP
192.0.2.10, the following loop should suffice:
# Print each node's host keys, filed under the shared IP instead of its own.
for IP in 192.0.2.20 192.0.2.21 192.0.2.22
do
    ssh-keyscan "${IP}" 2>/dev/null | sed "s/^${IP}/192.0.2.10/"
done
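
An added example, not part of the original post: the rewrite from the loop above as two reusable functions, going one step further by dropping non-key lines, removing duplicates and appending only entries that known_hosts does not already contain. The function names and the sample key blobs are constructed for illustration.

```shell
# Added example; function names are illustrative, sample keys are constructed.

# Constructed sample of ssh-keyscan output (key blobs are fake placeholders).
sample_scan() {
    cat <<'EOF'
# 192.0.2.20:22 SSH-2.0-OpenSSH_9.6
192.0.2.20 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNODEA
192.0.2.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNODEB
192.0.2.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNODEB
EOF
}

# Rewrite ssh-keyscan output (on stdin) so that every key is filed under
# the shared address $1. Only plain "host keytype base64" lines are kept,
# and identical keys served by several nodes collapse into one entry.
rewrite_hostkeys() {
    awk -v shared="$1" '
        /^#/ || NF != 3 { next }            # skip banners, blanks, malformed lines
        $2 !~ /^(ssh-|ecdsa-|sk-)/ { next } # field 2 must look like a key type
        { print shared, $2, $3 }
    ' | sort -u
}

# Append the entries on stdin to the known_hosts file $1, skipping any line
# already present, so repeating the scan does not create duplicates.
merge_known_hosts() {
    file=$1
    touch "$file" && chmod 600 "$file"
    while IFS= read -r line; do
        grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
    done
}

# Real use (needs network access to the three nodes):
#   for ip in 192.0.2.20 192.0.2.21 192.0.2.22; do
#       ssh-keyscan "$ip" 2>/dev/null
#   done | rewrite_hostkeys 192.0.2.10 | merge_known_hosts ~/.ssh/known_hosts
```

ssh-keyscan does not authenticate what it receives, so compare the fingerprints printed by `ssh-keygen -lf ~/.ssh/known_hosts` with ones read on each host itself before relying on the file.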