LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   ssh tunnelling to multiple destinations - how to handle changing server key ? (https://www.linuxquestions.org/questions/linux-networking-3/ssh-tunnelling-to-multiple-destinations-how-to-handle-changing-server-key-4175426828/)

kubuntu-man 09-12-2012 04:38 AM
ssh tunnelling to multiple destinations - how to handle changing server key ?
 
Hello there,

I need to connect to multiple destination hosts within a remote network through one gateway - preferably at the same time.

So far, I needed only one destination. I did something like:
Code:
ssh -L 2221:host1:22 user@gateway.remotenetwork.de
for opening the tunnel and
Code:
ssh -p 2221 user@localhost
for the login. That worked well.

Now , with three target hosts, I thought I could do something like
Code:
ssh -L 2221:host1:22 -L 2222:host2:22 -L 2223:host3:22 user@gateway.remotenetwork.de
for opening the tunnel and one of
Code:
ssh -p 2221 user@localhost
ssh -p 2222 user@localhost
ssh -p 2223 user@localhost
for the login. But this does not work.

The problem is that host1, host2, host3 have different host keys (and I can not change that), but appear to be the same host to the ssh client due to the @localhost part of the ssh command.

So, to access host1, host2, host3 one after another, I could switch the ~/.ssh/known_hosts file.
But that would be cumbersome and would not allow me to access all three destinatons at the same time.

I can not open several ssh connections to the gateway and from there, log in to the three destinations, because login via ssh is not the only thing I need to do. I also need to do scp, sshfs, and ssh-git, therefore I need a tunneled (but direct from the client's point of view) access to all three destination hosts.

Is there a way to make ssh client distinguish these three destinations (by the local port or so) ?
Or is there a way to choose a different .ssh directory or known_hosts file for each ssh invocation (without creating multiple users locally) ?
Or something else ?

Thanks in advance,
Kubuntu-man - now using XFCE :-)

acid_kewpie 09-12-2012 04:41 AM
check out the ProxyCommand for ssh_config, that's a much nicer way to do what you want. Took me years to discover it, big forehead slap when I read about it.

Reuti 09-13-2012 11:31 AM
You can put something like:
Code:
Host *
    NoHostAuthenticationForLocalhost yes
~/.ssh/config file.

acid_kewpie 09-13-2012 11:44 AM
Quote:
Originally Posted by Reuti (Post 4779543)
You can put something like:
Code:
Host *
    NoHostAuthenticationForLocalhost yes
~/.ssh/config file.
It works, but it's a bit hacky, no?

Reuti 09-13-2012 12:23 PM
Most of the time I use it to connect to machines which can’t be reached directly from the Internet and trust the infrastructure behind the firewall.

acid_kewpie 09-13-2012 02:03 PM
sure, but ProxyCommand is even more suitable for that.

kubuntu-man 09-17-2012 08:40 AM
Thanks a lot, the ProxyCommand did the job for me too. I needed to search the web for examples to get it working, but now it's fine.

For anyone having the same problem (and finding this thread), here's my ~/.ssh/config:
Code:
Protocol=2
ServerAliveInterval=120

Host gateway
        HostName gateway.remotenetwork.de
        Port 22
        User user

Host host1 host2 host3
        ProxyCommand ssh -q -a -x gateway netcat %h 22
Sometimes, netcat is just nc

acid_kewpie 09-17-2012 09:52 AM
I'll add on here something can be useful at times. On modern versions of bash, you should have access to /dev/tcp. This can be used to not even require netcat:

Code:
ProxyCommand ssh gatewayserver 'exec 3<>/dev/tcp/%h/22; cat <&3 & cat >&3;kill $!'
it's certainly much more confusing that netcat, but it's pure bash, so when you're already in a world of dog legging tcp connections aroudn your environment, not having the right tools to do it is very understandable...


All times are GMT -5. The time now is 05:53 PM.