LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 09-11-2006, 02:36 PM   #16
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Original Poster
Rep: Reputation: 49

That's a great solution, Lotharster. But IMHO, since it probably is pretty common that you ssh into many machines sharing the same IP it gotta be possible to rewrite ssh to store fingerprints using an ip/port-combination as the unique identifier instead of just ip as it is now. Or are there any security-reasons against making ssh "nat-aware" that I am missing.

Again, thanks for your workaround.
 
Old 09-12-2006, 04:38 PM   #17
Lotharster
Member
 
Registered: Nov 2005
Posts: 144

Rep: Reputation: 15
Just mail the ssh developers and ask them about that. As far as I know, that should not be a security risk. But I'm no expert there.
 
Old 09-12-2006, 08:19 PM   #18
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Original Poster
Rep: Reputation: 49
Yeah I guess I could do that. But I am surprised that they haven't already done it, if there isn't a big reason why not to. But it won't hurt to ask. :)
 
Old 10-09-2006, 09:16 AM   #19
Arne de Bruijn
LQ Newbie
 
Registered: Oct 2006
Posts: 1

Rep: Reputation: 0
There is another solution with the HostKeyAlias and CheckHostIP config keywords.

If you have in your ~/.ssh/config file the lines:
Code:
Host A
  HostName gateway.example.com
  Port 2201
  HostKeyAlias A
  CheckHostIP no
Host B
  HostName gateway.example.com
  Port 2202
  HostKeyAlias B
  CheckHostIP no
the host key fingerprint will be stored under the name specified with HostKeyAlias (A/B), so you can use ssh A and ssh B without conflicts.
 
Old 02-26-2008, 06:03 AM   #20
gilles_lamiral
LQ Newbie
 
Registered: Feb 2008
Posts: 3

Rep: Reputation: 0
Quote:
Originally Posted by Ephracis View Post
Hi,

I have a network with several clients running sshd. I have different port pointing to each client to port 22. I was just wondering if there is any way to cope with the hazzle of rsa key fingerprint in this situation. Whenever I from the outside ssh to a different machine within the network I have to manually remove ~/.ssh/known_hosts before sshing to the client behind the firewall.

Any ideas?
Assuming ports 22221, 22222, etc., are redirected to several different hosts:

ssh-keyscan -t rsa -p 22221 host.foo.com >> ~/.ssh/known_hosts
ssh-keyscan -t rsa -p 22222 host.foo.com >> ~/.ssh/known_hosts
ssh-keyscan -t rsa -p 22223 host.foo.com >> ~/.ssh/known_hosts
etc.

I had this problem this morning and decided to solve it, I found this old discussion. It's never too late too give the right answer :-)
 
  


Reply

Tags
ssh


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
failed ssh RSA key authentication jdarren Linux - Networking 15 07-06-2008 10:25 AM
SSH RSA key problem taiwf Linux - General 3 05-21-2006 09:33 PM
ssh rsa key changed after upgrade itsjustme Linux - General 11 11-06-2003 09:12 AM
ssh RSA key thanat0s Linux - Security 3 09-29-2003 09:51 PM
RSA public key encryption/private key decription koningshoed Linux - Security 1 08-08-2002 07:25 AM


All times are GMT -5. The time now is 05:03 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration