LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-11-2004, 09:21 AM   #1
big_gie
Member
 
Registered: Oct 2003
Distribution: Redhat
Posts: 35

Rep: Reputation: 15
Multiple server ids. Is it possible?


Hi,

I have 2 ssh servers behind a router. One is a web server and the other is a desktop.

I'm slowly migrating to Mandrake 10.1 on my laptop and I'm away from my LAN. In Windows, I ssh/sftp to both of the computers; each ssh server listens on a (different) non-standard port.

In Linux, the host is identified with its key, saved in ~/.ssh/known_hosts. I connect to the web server and everything is fine. But when I connect to the desktop, I get
Code:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
and I can't connect.

How can I put 2 ids for the same IP/hostname in known_hosts?

Also, is it more or less secure to open sshd on another port than 22?

Thank you very much.
 
Old 11-11-2004, 09:41 AM   #2
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Re: Multiple server ids. Is it possible?

Quote:
Originally posted by big_gie
How can I put 2 ids for the same IP/hostname in known_hosts?
Ehhh... how are you trying to connect to these daemons? You can't have both systems with the same host name or both systems with the same IP address, so I'm a bit confused.
Quote:
Originally posted by big_gie
Also, is it more or less secure to open sshd on another port than 22?
That's a matter of opinion. On the one hand, running sshd on a non-standard port will (usually) prevent attacks from script kiddies who only look on port 22. On the other hand, your system is only as secure as you make it, so if you do something stupid with the sshd config, it won't be secure no matter what port it listens on.
 
Old 11-11-2004, 10:12 AM   #3
big_gie
Member
 
Registered: Oct 2003
Distribution: Redhat
Posts: 35

Original Poster
Rep: Reputation: 15
Hi,

thanks for the quick response.

Sorry if I sounded confusing with the 2 host things...

I'll explain a bit more...

2 computers are behind a router, so they have the same external IP. I need to ssh to both of them from a remote location. To distinguish the 2, I run them on different ports. So to connect to the first I do:
ssh <external ip> -p 22
and for the second computer I do
ssh <external ip> -p 23
(22 and 23 are not the real ports)

but when I ssh using the first port, it adds a key to known_hosts. So when I try to connect to the second computer using another port but the same IP, ssh thinks that the host has changed its key...

I would like to add to known_hosts the keys of both servers, which are located at the same IP address but on different ports...

I hope it is more clear...

thanks
 
Old 11-11-2004, 11:41 AM   #4
Cerbere
Member
 
Registered: Dec 2002
Location: California
Distribution: Slackware & LFS
Posts: 799

Rep: Reputation: 33
Have you tried connecting by hostname, rather than by IP? For example, you could add the following to the /etc/hosts file of your laptop:
Code:
111.222.333.444     WebServerHostname
111.222.333.444     DesktopHostname
replacing the 111.222.333.444 with your external IP, and WebServerHostname and DesktopHostname with the appropriate hostnames.

Then use the commands:

ssh user@WebServerHostname -p 22
ssh user@DesktopHostname -p 23

to connect to the respective machines. This should identify the machines by their hostnames, rather than by IP, in your known_hosts file.

If this doesn't work, then you might consider only ssh'ing from outside the LAN into one of the machines, then ssh from that machine to the other, using its internal IP.

Enjoy!
--- Cerbere
 
Old 11-15-2004, 04:12 PM   #5
big_gie
Member
 
Registered: Oct 2003
Distribution: Redhat
Posts: 35

Original Poster
Rep: Reputation: 15
Thanks for the response.

What I did was to install keychain to identify with keys, and I now use PuTTY to ssh. PuTTY will ask you the question if you want to update the fingerprint...

Thanks again
 
Old 11-15-2004, 08:55 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
You must be very, very careful how you approve updating the host keys because there are known exploits around for SSH session hijacking. There are even some utilities that will generate phoney host keys with the first few and last few octets that match. Unless you check every single octet against what you know is correct, you could be falling into a trap.
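The following is an added example, not code from this thread, from OpenSSH or from any poster. It models, in Python, the part of the OpenSSH client behaviour the thread turns on: big_gie's collision (post #3), where an older client filed every port of the same IP under the bare address, so the second server's key looked like a changed key; the per-name separation Cerbere's /etc/hosts aliases achieve (post #4), which current OpenSSH gets by writing `[host]:port` entries itself; and chort's point (post #6) that a host-key fingerprint has to be compared in full, not by its first and last few characters. The address `203.0.113.10`, the ports 2222/2223, the hostname `web.example.net`, the key blobs and the hashing salt are all constructed placeholders, and wildcard or negated host patterns are deliberately not modelled.

```python
"""Added example (not code from the thread or from OpenSSH): a model of how an
OpenSSH client looks up host keys in known_hosts, showing why two servers
behind one NAT address collided on older clients, how the '[host]:port' entry
form (and hashed entries) keeps them apart, and a full-length fingerprint
compare.  All addresses, ports, hostnames and key blobs are constructed."""
import base64
import hashlib
import hmac

# Constructed sample data: the address, ports and key blobs are placeholders.
NAT_IP = "203.0.113.10"
WEB_PORT, DESK_PORT = 2222, 2223
KEY_WEB = base64.b64encode(b"constructed-web-server-host-key-blob").decode()
KEY_DESK = base64.b64encode(b"constructed-desktop-host-key-blob").decode()
SALT = bytes(range(20))  # fixed salt so the hashed sample entry is reproducible


def hostkey_name(host, port, port_aware=True):
    """Name under which ssh files the key: '[host]:port' for a non-22 port,
    the bare host for port 22.  Older clients used the bare host for every
    port (port_aware=False), which is the collision reported in the thread."""
    if port_aware and port != 22:
        return f"[{host}]:{port}"
    return host


def hash_host(name, salt):
    """Hashed known_hosts host field: '|1|b64(salt)|b64(HMAC-SHA1(salt, name))'."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def entry_matches(field, name):
    """True if a known_hosts host field (plain, comma-separated or hashed) names
    this host.  Wildcards and '!' negations are not modelled here."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        return hmac.compare_digest(hash_host(name, base64.b64decode(salt_b64)), field)
    return name in field.split(",")


def check_host_key(known_hosts, host, port, keytype, key_b64, port_aware=True):
    """Classify a presented key the way ssh does: 'match' (known, same key),
    'new' (no entry for this name and key type) or 'changed' (an entry exists
    for this name and type but holds a different key: the REMOTE HOST
    IDENTIFICATION HAS CHANGED warning quoted in the first post)."""
    name = hostkey_name(host, port, port_aware)
    other_key_seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):      # '@revoked' / '@cert-authority' marker
            parts = parts[1:]
        if len(parts) < 3:
            continue
        hosts, ktype, blob = parts[0], parts[1], parts[2]
        if ktype != keytype or not entry_matches(hosts, name):
            continue
        if hmac.compare_digest(blob, key_b64):
            return "match"
        other_key_seen = True
    return "changed" if other_key_seen else "new"


def fingerprint_sha256(key_b64):
    """Fingerprint as current ssh prints it: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(key_b64):
    """Older colon-separated hex MD5 form, the one a 2004 client showed."""
    digest = hashlib.md5(base64.b64decode(key_b64)).digest()
    return ":".join("%02x" % b for b in digest)


def fingerprints_match(shown, expected):
    """Compare the whole fingerprint string, never only its first and last
    characters; a partial eyeball check is exactly what post #6 warns about."""
    return hmac.compare_digest(shown, expected)


# Constructed known_hosts contents for the two cases.
OLD_KNOWN_HOSTS = f"{NAT_IP} ssh-rsa {KEY_WEB}\n"   # bare IP, as an old client wrote it
NEW_KNOWN_HOSTS = (
    "# both servers share one address; the port is part of the name\n"
    f"{hostkey_name(NAT_IP, WEB_PORT)},[web.example.net]:{WEB_PORT} ssh-rsa {KEY_WEB}\n"
    f"{hash_host(hostkey_name(NAT_IP, DESK_PORT), SALT)} ssh-rsa {KEY_DESK}\n"
)

if __name__ == "__main__":
    # The thread's situation: the web server's key is filed under the bare IP,
    # so the desktop on another port looks like a changed key.
    print(check_host_key(OLD_KNOWN_HOSTS, NAT_IP, DESK_PORT, "ssh-rsa", KEY_DESK, port_aware=False))
    # With port-aware names the two servers resolve independently.
    print(check_host_key(NEW_KNOWN_HOSTS, NAT_IP, WEB_PORT, "ssh-rsa", KEY_WEB))
    print(check_host_key(NEW_KNOWN_HOSTS, NAT_IP, DESK_PORT, "ssh-rsa", KEY_DESK))
    print(fingerprint_sha256(KEY_DESK), fingerprint_md5(KEY_DESK))
```

Run stand-alone it prints `changed`, `match`, `match` and the two fingerprint forms of the desktop key. On a current client the same separation is available without editing /etc/hosts: OpenSSH records `[host]:port` entries for non-standard ports on its own, and an ssh_config stanza with `HostKeyAlias` files a server's key under a name of your choosing regardless of the address or port used to reach it; `ssh-keygen -F '[203.0.113.10]:2223'` shows which entries match a given name. The part that no configuration removes is chort's: when a client does ask you to accept or replace a key, the fingerprint it shows must be checked against the one read from the server itself, character for character.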
 
Old 11-16-2004, 11:28 AM   #7
big_gie
Member
 
Registered: Oct 2003
Distribution: Redhat
Posts: 35

Original Poster
Rep: Reputation: 15
Hum...

With your recommendation, I think I know what I'll do...

I have 2 dyndns.org hostnames. So I'll use them separately. I think I used only one of them for both computers, causing the fingerprint question. Now I'll try to use unique hostnames for both computers...

Thanks for the recommendation.