Reuse primary host key on secondaries
During a DR scenario, the sysadmin will make a secondary the primary, and will point the primary URL to that node. Currently, all SSH requests to the new primary will fail with the following error until they delete the old primary key from known_hosts:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for mike-demo-1.gogitlab.com has changed,
and the key for the corresponding IP address 35.198.120.196
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /Users/monozok/.ssh/known_hosts:237
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:KfWVHaRjiGRypNztm/8oYzKDAGZqNCCsN+6GYs/BLg8.
Please contact your system administrator.
Add correct host key in /Users/monozok/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/monozok/.ssh/known_hosts:238
ECDSA host key for mike-demo-1.gogitlab.com has changed and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
This is a bad experience.
We can avoid this by either:
- Automatically copying the primary host key to the secondary (I don't know if this is reasonable/feasible or not).
- Or by adding instructions to copy the host key to the secondary during Geo setup.
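As an added illustration (not GitLab code), the check below predicts from a client's known_hosts which entries will become the "Offending key" lines once the primary URL points at the secondary, and shows that the conflict disappears when the secondary serves the primary's host key. The hostname, IP and keys are constructed samples modelled on the report above.

```python
import base64
import hashlib
import hmac


def ssh_fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the OpenSSH display form (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(field: str, name: str) -> bool:
    """Match a known_hosts host field (plain, comma list, or |1| hashed) against name."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        h = hmac.new(base64.b64decode(salt), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(h).decode(), mac)
    return name in field.split(",")


def failover_conflicts(known_hosts: str, names: list, new_key_b64: str) -> list:
    """Return (line_no, key_type, fingerprint) for each known_hosts entry that
    names one of `names` but pins a key other than the node being promoted.
    These are exactly the lines ssh will report as 'Offending key'."""
    conflicts = []
    for line_no, line in enumerate(known_hosts.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3:
            continue
        hosts, key_type, key_b64 = parts[0], parts[1], parts[2]
        if any(host_matches(hosts, n) for n in names) and key_b64 != new_key_b64:
            conflicts.append((line_no, key_type, ssh_fingerprint(key_b64)))
    return conflicts


# Constructed sample keys: ssh wire-format blobs ("ssh-ed25519" + 32 key bytes).
def _blob(key_type: str, raw: bytes) -> str:
    def s(b): return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(key_type.encode()) + s(raw)).decode()

PRIMARY_KEY = _blob("ssh-ed25519", bytes(range(32)))   # key the old primary served
SECONDARY_KEY = _blob("ssh-ed25519", bytes(32))        # key generated on the secondary
KNOWN_HOSTS = (
    "# constructed sample ~/.ssh/known_hosts\n"
    f"mike-demo-1.gogitlab.com ssh-ed25519 {PRIMARY_KEY}\n"
    f"35.198.120.196 ssh-ed25519 {PRIMARY_KEY}\n"
)
```

Running `failover_conflicts(KNOWN_HOSTS, [hostname, ip], SECONDARY_KEY)` lists both pinned lines (the hostname one and the IP one, matching the two warnings above); with `PRIMARY_KEY` copied onto the secondary it returns nothing, so clients never see the prompt.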