ssh to multiple hosts behind remote nat

keex · 01-05-2006, 05:07 AM

hello,

I would like to log in into multiple machines behind the firewall of a remote site. that means, that I connect to a remote router on different ports, delegating me to a different host behind that remote router.
the problem is that each server behind the remote router has a different ssh host key and I get the message

Code:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
...

is there a way of avoiding checks against the known_hosts file for a particular site?

keex · 01-05-2006, 08:15 AM

I sort of solved it... three scripts are now taking care of it... cheap, but works..

bin/hos-server:

Code:

#!/bin/bash
KH=~/.ssh/known_hosts
cat ~/.ssh/HOS_server_hostkey >> $KH

bin/hos-qube:

Code:

#!/bin/bash
KH=~/.ssh/known_hosts
cat ~/.ssh/HOS_qube_hostkey >> $KH

bin/hos-reset:

Code:

#!/bin/bash
KH=~/.ssh/known_hosts
SERVERKEY_QUBE=$(cat ~/.ssh/HOS_qube_hostkey | cut -d" " -f3)
SERVERKEY_SERVER=$(cat ~/.ssh/HOS_server_hostkey | cut -d" " -f3)

cat $KH | grep -v $SERVERKEY_QUBE | grep -v $SERVERKEY_SERVER > ${KH}_TMP
mv ${KH}_TMP $KH

celejar · 01-05-2006, 09:16 AM

The ssh_known_hosts file can contain multiple lines with the same hostname, i.e. different keys for the same hostname.

From the sshd(8) man page:

Quote:

SSH_KNOWN_HOSTS FILE FORMAT

The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
public keys for all known hosts. The global file should be prepared by
the administrator (optional), and the per-user file is maintained auto-
matically: whenever the user connects from an unknown host its key is
added to the per-user file.

Each line in these files contains the following fields: hostnames, bits,
exponent, modulus, comment. The fields are separated by spaces.

<SNIP>

When performing host authentication, authentication is accepted if any
matching line has the proper key. It is thus permissible (but not recom-
mended) to have several lines or different host keys for the same names.

This will inevitably happen when short forms of host names from different
domains are put in the file. It is possible that the files contain con-
flicting information; authentication is accepted if valid information can
be found from either file.

keex · 01-05-2006, 10:34 AM

yeah!
cool, thanks... it works now.

I didn't think of looking up the ssh daemon manpage... I did look up ssh_config, though, but didn't ever find any hints to my problem.