Using WinSCP against Clustered servers
I have a problem, which we're trying to resolve.
I have a server running the OpenSSH daemon (sshd) in a Unix environment. My server is actually a three-node cluster. This means I have a hostname (Digiport), which points to one of three active servers. To the remote client, the Digiport cluster is the only hostname they know. They may actually point to either digiport1, digiport2 or digiport3, each with its own "hostkey". The problem the clients experience is that if their key was initialized on digiport1, and we fail over to digiport3, the users get an error that warns them of the different key for digiport.
Manually you can accept the new key, and assume the risk yourself. The developers of the application using WinSCP to SFTP to the digiport server want to automate this, and assume the risk for DIGIPORT, as this is all "scripted" behind the scenes. The users are not aware of the technical process, and shouldn't have to acknowledge anything. There is a security document that explains the technical portion, but the users do not need to be part of the process.
The question:
How can the user have three separate keys for one set of clustered servers? Or:
How can the script automatically accept the new key, without being prompted?
Please advise soonest to:
leonhark@stratcom.mil or
(402) 232-4971.
Thanks,
Kevin S. Leonhardt
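
The first option in the question, one cluster name with three acceptable host keys, amounts to pinning a set of fingerprints instead of accepting whatever key is presented. The following is an added example, not part of the original post and not WinSCP code: it computes OpenSSH-style SHA256 fingerprints and checks a presented key against the pinned set. The node keys are constructed sample data and the function names are hypothetical.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(seed: int, comment: str) -> str:
    """Build a constructed ssh-ed25519 public key line (sample data, not a real key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a public key line."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob begins with its own type string; it must match the text field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_pin_set(pubkey_lines):
    """Map each pinned fingerprint to the node comment it was collected from."""
    return {fingerprint(line): line.split()[2] for line in pubkey_lines}


def check_presented_key(pins, presented_line):
    """Return the node name if the presented key is pinned, else None."""
    return pins.get(fingerprint(presented_line))


# Constructed sample keys for the three nodes behind the single cluster name.
NODE_KEYS = [make_pubkey_line(i, f"digiport{i}") for i in (1, 2, 3)]
PINS = build_pin_set(NODE_KEYS)

if __name__ == "__main__":
    for fp, node in PINS.items():
        print(node, fp)
    # After failover to digiport3 the key differs from digiport1's but is still pinned.
    print(check_presented_key(PINS, NODE_KEYS[2]))
    # A key that was never collected from a node is rejected, not auto-accepted.
    print(check_presented_key(PINS, make_pubkey_line(9, "unknown")))
```

In practice the three public key lines would be collected from the nodes themselves over a trusted channel, so a failover changes which pinned key is seen without ever requiring an unverified key to be accepted.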