-   Linux - Networking (
-   -   ssh tunnelling to multiple destinations - how to handle changing server key ? (

kubuntu-man 09-12-2012 04:38 AM

ssh tunnelling to multiple destinations - how to handle changing server key ?
Hello there,

I need to connect to multiple destination hosts within a remote network through one gateway - preferably at the same time.

So far, I needed only one destination. I did something like:

ssh -L 2221:host1:22
for opening the tunnel and

ssh -p 2221 user@localhost
for the login. That worked well.

Now , with three target hosts, I thought I could do something like

ssh -L 2221:host1:22 -L 2222:host2:22 -L 2223:host3:22
for opening the tunnel and one of

ssh -p 2221 user@localhost
ssh -p 2222 user@localhost
ssh -p 2223 user@localhost

for the login. But this does not work.

The problem is that host1, host2, host3 have different host keys (and I can not change that), but appear to be the same host to the ssh client due to the @localhost part of the ssh command.

So, to access host1, host2, host3 one after another, I could switch the ~/.ssh/known_hosts file.
But that would be cumbersome and would not allow me to access all three destinatons at the same time.

I can not open several ssh connections to the gateway and from there, log in to the three destinations, because login via ssh is not the only thing I need to do. I also need to do scp, sshfs, and ssh-git, therefore I need a tunneled (but direct from the client's point of view) access to all three destination hosts.

Is there a way to make ssh client distinguish these three destinations (by the local port or so) ?
Or is there a way to choose a different .ssh directory or known_hosts file for each ssh invocation (without creating multiple users locally) ?
Or something else ?

Thanks in advance,
Kubuntu-man - now using XFCE :-)

acid_kewpie 09-12-2012 04:41 AM

check out the ProxyCommand for ssh_config, that's a much nicer way to do what you want. Took me years to discover it, big forehead slap when I read about it.

Reuti 09-13-2012 11:31 AM

You can put something like:

Host *
    NoHostAuthenticationForLocalhost yes

~/.ssh/config file.

acid_kewpie 09-13-2012 11:44 AM


Originally Posted by Reuti (Post 4779543)
You can put something like:

Host *
    NoHostAuthenticationForLocalhost yes

~/.ssh/config file.

It works, but it's a bit hacky, no?

Reuti 09-13-2012 12:23 PM

Most of the time I use it to connect to machines which canít be reached directly from the Internet and trust the infrastructure behind the firewall.

acid_kewpie 09-13-2012 02:03 PM

sure, but ProxyCommand is even more suitable for that.

kubuntu-man 09-17-2012 08:40 AM

Thanks a lot, the ProxyCommand did the job for me too. I needed to search the web for examples to get it working, but now it's fine.

For anyone having the same problem (and finding this thread), here's my ~/.ssh/config:


Host gateway
        Port 22
        User user

Host host1 host2 host3
        ProxyCommand ssh -q -a -x gateway netcat %h 22

Sometimes, netcat is just nc

acid_kewpie 09-17-2012 09:52 AM

I'll add on here something can be useful at times. On modern versions of bash, you should have access to /dev/tcp. This can be used to not even require netcat:


ProxyCommand ssh gatewayserver 'exec 3<>/dev/tcp/%h/22; cat <&3 & cat >&3;kill $!'
it's certainly much more confusing that netcat, but it's pure bash, so when you're already in a world of dog legging tcp connections aroudn your environment, not having the right tools to do it is very understandable...

All times are GMT -5. The time now is 03:09 PM.