I frequently use ssh tunnels to create access to remote hosts through otherwise blocked channels. This scenario involves 4 or more hosts:
1. The local host, at which console I am sitting.
2. A gateway host, through which I will tunnel connections.
3, 4, ... Two or more remote hosts, behind the gateway host, to which I wish to connect.
On the local host, I establish two tunnels, like so:
Code:
ssh -L 22001:remote1:22 -L 22002:remote2:22 gateway.remote.site
Now, in a separate session on my local host, I can connect to remote1 through the tunnel, like so:
Code:
ssh -p 22001 localhost
Nothing new here, everything works fine.
Now, in yet another session on the local host, I want to create a connection to remote2:
Code:
ssh -p 22002 localhost
Since
ssh sees this as the same host (localhost) as the connection to remote1, I get the unfriendly:
Code:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
01:24:95:fb:f5:92:3d:4e:de:bd:4b:57:e8:23:15:cd.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:39
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.
It is easy enough to quickly edit
~/.ssh/known_hosts, to get rid of the message and retry the connection, but this seems both cumbersome and somewhat insecure. What, if anything, can I do to get around this situation?
--- rod.
