I have 2 ssh servers behind a router. One is a web server and the other is a desktop.
I'm slowly migrating to Mandrake 10.1 on my laptop and I'm away from my LAN. In Windows, I ssh/sftp to both of the computers; each ssh server listens on a (different) non-standard port.
In Linux, the host is identified by its key, saved in ~/.ssh/known_hosts. I connect to the web server and everything is fine. But when I connect to the desktop, I get
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
Quote:
Originally posted by big_gie How can I put 2 ids for the same IP/hostname in known_hosts???
Ehhh... how are you trying to connect to these daemons? You can't have both systems with the same host name or both systems with the same IP address, so I'm a bit confused.
Quote:
Originally posted by big_gie Also, is it more or less secure to open sshd on another port than 22?
That's a matter of opinion. On the one hand, running sshd on a non-standard port will (usually) prevent attacks from script kiddies who only look on port 22. On the other hand, your system is only as secure as you make it, so if you do something stupid with the sshd config, it won't be secure no matter what port it listens on.
Sorry if I sounded confusing with the 2 host things...
I'll explain a bit more...
2 computers are behind a router: so they have the same external IP. I need to ssh to both of them from a remote location. To distinguish the 2, I run them on different ports. So to connect to the first I do:
ssh <external ip> -p 22
and for the second computer I do
ssh <external ip> -p 23
(22 and 23 are not the real ports)
but when I ssh using the first port, it adds a key to known_hosts. So when I try to connect to the second computer using another port but the same IP, ssh thinks that the host has changed its key...
I would like to add to known_hosts the keys of both servers, which are located at the same IP address but on different ports...
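For readers hitting the same collision: current OpenSSH keys known_hosts entries on the bare host for port 22 and on `[host]:port` for any other port, so two daemons behind one NAT address get separate lines as long as they are reached on separate ports (with `HashKnownHosts yes` the host field is stored as `|1|salt|HMAC-SHA1` instead). The script below is an added example, not code from this thread or from OpenSSH: it builds a constructed known_hosts file for the two-servers-one-address setup described above (address 203.0.113.10 and the key blobs are placeholders), looks keys up by `[host]:port`, checks hashed entries, and flags the failure mode in the post, two different keys recorded under the same bare address. Wildcards and `!` negation in host patterns are deliberately not handled.

```python
"""Match sshd host keys in an OpenSSH known_hosts file by [host]:port."""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple


def canonical_name(host: str, port: int = 22) -> str:
    """OpenSSH records port 22 as the bare host and any other port as
    '[host]:port', so two daemons behind one address stay distinct."""
    return host if port == 22 else f"[{host}]:{port}"


def hash_host(name: str, salt: Optional[bytes] = None) -> str:
    """Build a HashKnownHosts-style field: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    salt = salt or os.urandom(20)
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def pattern_matches(pattern: str, name: str) -> bool:
    """Compare one host field against a canonical name. Hashed fields are
    recomputed with the stored salt; plain fields are a comma-separated
    list compared literally (no wildcards or '!' negation here)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        actual = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(digest_b64), actual)
    return name in pattern.split(",")


def parse_known_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (host_field, key_type, key_blob) per entry; comments and a
    leading @marker (e.g. @cert-authority, @revoked) are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2]))
    return entries


def lookup(text: str, host: str, port: int = 22) -> Set[Tuple[str, str]]:
    """Set of (key_type, key_blob) recorded for host:port."""
    name = canonical_name(host, port)
    return {(kt, blob) for pat, kt, blob in parse_known_hosts(text) if pattern_matches(pat, name)}


def conflicting_keys(text: str, host: str, port: int = 22) -> bool:
    """True when two different keys of one type are recorded under the same
    name: either the file was hand-edited to accept both daemons' keys, or a
    key changed and the stale line was never removed. Both deserve review."""
    by_type: Dict[str, Set[str]] = {}
    for kt, blob in lookup(text, host, port):
        by_type.setdefault(kt, set()).add(blob)
    return any(len(blobs) > 1 for blobs in by_type.values())


# Constructed sample: both daemons sit behind the one address 203.0.113.10
# (documentation range). The web server answers on 22, the desktop on 2222;
# the desktop line appears plain and hashed. Blobs are placeholders, not keys.
WEB_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIFdlYlNlcnZlclBsYWNlaG9sZGVyS2V5QmxvYjAwMDAw"
DESKTOP_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIERlc2t0b3BQbGFjZWhvbGRlcktleUJsb2IwMDAwMDAw"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# web server, default port",
    f"203.0.113.10 ssh-ed25519 {WEB_KEY}",
    "# desktop, reached on a non-default port",
    f"[203.0.113.10]:2222 ssh-ed25519 {DESKTOP_KEY}",
    f"{hash_host('[203.0.113.10]:2222', salt=b'fixed-salt-20-bytes!')} ssh-ed25519 {DESKTOP_KEY}",
])

# The failure mode in the post: both daemons recorded under the bare address.
COLLIDING = "\n".join([
    f"203.0.113.10 ssh-ed25519 {WEB_KEY}",
    f"203.0.113.10 ssh-ed25519 {DESKTOP_KEY}",
])

if __name__ == "__main__":
    print("port 22  ->", lookup(SAMPLE_KNOWN_HOSTS, "203.0.113.10", 22))
    print("port 2222->", lookup(SAMPLE_KNOWN_HOSTS, "203.0.113.10", 2222))
    print("collision in bare-address file:", conflicting_keys(COLLIDING, "203.0.113.10"))
```

Run it and the two ports resolve to different keys, while the bare-address file is reported as carrying two keys for one name. On a real client the same lookup is `ssh-keygen -F '[203.0.113.10]:2222'`, and a stale line is removed with `ssh-keygen -R`.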
to connect to the respective machines. This should identify the machines by their hostnames, rather than by IP, in your known_hosts file.
If this doesn't work, then you might consider only ssh'ing from outside the LAN into one of the machines, then ssh from that machine to the other, using its internal IP.
What I did was to install keychain to identify with keys, and I now use PuTTY to ssh. PuTTY will ask you the question if you want to update the fingerprint...
You must be very, very careful how you approve updating the host keys because there are known exploits around for SSH session hijacking. There are even some utilities that will generate phoney host keys with the first few and last few octets that match. Unless you check every single octet against what you know is correct, you could be falling into a trap.
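The point above, that a fingerprint has to be checked octet for octet, is easy to get wrong by eye, so here is an added example (not from this thread or from OpenSSH) of doing it in code. It builds a syntactically valid but constructed ssh-ed25519 public key blob, derives the legacy colon-hex MD5 fingerprint and the `SHA256:` fingerprint the way `ssh-keygen -l` formats them, and contrasts a first-and-last-octets shortcut with a full constant-time comparison on two constructed fingerprint strings that agree only at the ends.

```python
"""Verify an SSH host key fingerprint in full, not by its first and last octets."""
import base64
import hashlib
import hmac
import struct
from typing import Dict, Tuple


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Take a 'type base64 [comment]' line and return (key_type, raw_blob),
    checking that the type inside the blob matches the declared one."""
    key_type, blob_b64 = line.split()[:2]
    blob = base64.b64decode(blob_b64)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode() != key_type:
        raise ValueError("key type in blob does not match the declared type")
    return key_type, blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-hex MD5 fingerprint (ssh-keygen -l -E md5 style)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Current fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def partial_match(expected: str, shown: str, octets: int = 3) -> bool:
    """The shortcut warned about above: compare only the first and last few
    octets of a colon-hex fingerprint. Kept here only to show that it fails."""
    e, s = expected.split(":"), shown.split(":")
    return e[:octets] == s[:octets] and e[-octets:] == s[-octets:]


def full_match(expected: str, shown: str) -> bool:
    """Compare the whole fingerprint, case-insensitively and in constant time."""
    return hmac.compare_digest(expected.strip().lower().encode(),
                               shown.strip().lower().encode())


# Constructed sample key: a well-formed ssh-ed25519 blob whose 32 key bytes
# are simply 0..31. It is a placeholder, not a key anyone holds.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed-sample"

# Constructed fingerprint strings that share the first and last three octets
# but differ in the middle, exactly what a glance at the ends would accept.
GENUINE_FP = "3a:91:c4:5e:10:22:7b:8d:e1:f0:04:66:9a:bc:2d:77"
LOOKALIKE_FP = "3a:91:c4:00:00:00:00:00:00:00:00:00:00:bc:2d:77"


def demo() -> Dict[str, object]:
    key_type, blob = parse_pubkey_line(SAMPLE_LINE)
    return {
        "type": key_type,
        "md5": fingerprint_md5(blob),
        "sha256": fingerprint_sha256(blob),
        "partial_accepts_lookalike": partial_match(GENUINE_FP, LOOKALIKE_FP),
        "full_accepts_lookalike": full_match(GENUINE_FP, LOOKALIKE_FP),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical habit this encodes: get the fingerprint out of band from the server itself (`ssh-keygen -l -f /etc/ssh/ssh_host_*_key.pub` on the console) and compare the entire string, which is also why checking the 43-character SHA256 form is no more work than checking three octets at each end of the MD5 form.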
With your recommendation, I think I know what I'll do...
I have 2 dyndns.org hostnames. So I'll use them separately. I think I used only one of them for both computers, issuing the fingerprint question. Now I'll try to use unique hostnames for both computers...