
SSH connections to two hosts with the same IP address


J. Smith

Jul 8, 2004, 11:35:04 AM
I have two boxes that I can reach remotely using the same IP address. The
machines are behind a firewall, which maps the connections on a per port
basis.

On machine A the ssh daemon listens for incoming connections at the
default port, whereas on machine B it listens at port (say) 100. From a
remote system R the command

ssh MyIPAddress

grants me access to machine A all right (assuming that the public key and
authorized_hosts files have been set up correctly). What I would like is
for

ssh -p 100 MyIPAddress

to give me access to my machine B. However, the ssh infrastructure
in R checks my known_hosts file in that system, notices that the remote
host's (that is, B's) identification has changed, and aborts the
connection.

Is there a (simple) way to get ssh to understand that there are two
different remote hosts hiding behind the same IP address?

Dale Dellutri

Jul 8, 2004, 11:19:27 AM

Have you considered a wrapper script which rewrites the
.ssh/known_hosts file depending on the connection? For example,
create two files .ssh/known_hosts_A and known_hosts_B. Then the
wrapper script simply copies the necessary file to .ssh/known_hosts
before making the connection.

--
Dale Dellutri <ddelQ...@panQQQix.com> (lose the Q's)

J. Smith

Jul 8, 2004, 12:55:33 PM
On Thu, 08 Jul 2004 15:19:27 +0000, Dale Dellutri wrote:

> Have you considered a wrapper script which rewrites the
> .ssh/known_hosts file depending on the connection? For example,
> create two files .ssh/known_hosts_A and known_hosts_B. Then the
> wrapper script simply copies the necessary file to .ssh/known_hosts
> before making the connection.

Thanks for your useful suggestion.


mcki...@cpva.saic.com

Jul 8, 2004, 3:29:00 PM
In article <pan.2004.07.08....@nowhere.net>,

Rather than trying to "get ssh to understand that there are two different
remote hosts hiding behind the same IP address", why not use the same
keys on each of these two hosts and your client will believe that these two
are a single host?

J. Smith

Jul 8, 2004, 4:45:04 PM
On Thu, 08 Jul 2004 11:29:00 -0800, mckinneyj wrote:

> Rather than trying to "get ssh to understand that there are two different
> remote hosts hiding behind the same IP address", why not use the same
> keys on each of these two hosts and your client will believe that these two
> are a single host?

Are you saying that the remote hosts should have the same public
key/private key pair?


mcki...@cpva.saic.com

Jul 8, 2004, 5:46:36 PM
In article <pan.2004.07.08....@nowhere.net>,
"J. Smith" <jsm...@nowhere.net> writes:

Yes, generate the keys on one of the systems and copy them to the other.

Per Hedeland

Jul 8, 2004, 6:00:15 PM
In article <pan.2004.07.08....@nowhere.net> "J. Smith"

Assuming OpenSSH, yes - put this in ~/.ssh/config (see 'man ssh_config'):

Host machineA
    HostName MyIPAddress
    HostKeyAlias machinea

Host machineB
    HostName MyIPAddress
    HostKeyAlias machineb
    Port 100

Now you can just 'ssh machineA' or 'ssh machineB' (don't even need to
specify the port:-), and ssh will save (and check) the two keys
separately. You *can* also give those options on the commandline by
using -o, but it gets rather tedious...

Btw, there seems to be a minor bug with this functionality (at least in
the semi-old 3.6.1p1 that I tested): The argument to 'HostKeyAlias' must
be all-lowercase, otherwise subsequent invocations won't find the saved
key, and instead on each connect you will be asked to accept the key,
and it will be saved to the known_hosts file again and again and
again...:-)

--Per Hedeland
p...@hedeland.org

Nico Kadel-Garcia

Jul 9, 2004, 8:25:54 AM

"J. Smith" <jsm...@nowhere.net> wrote in message
news:pan.2004.07.08....@nowhere.net...

It would be easier to give both machines the same private SSH keys.


J. Smith

Jul 9, 2004, 11:06:03 AM
Thanks for your answer; that's exactly what I required.

ch...@nospam.com

Jul 10, 2004, 12:52:53 AM

Or you could get real creative and use iptables on the local machine
to transparently redirect a bogus IP to the intended IP and alternate
port.

Kyler Laird

Jul 10, 2004, 9:09:10 AM
p...@hedeland.org (Per Hedeland) writes:

>Assuming OpenSSH, yes - put this in ~/.ssh/config (see 'man ssh_config'):

>Host machineA
> HostName MyIPAddress
> HostKeyAlias machinea

>Host machineB
> HostName MyIPAddress
> HostKeyAlias machineb
> Port 100

It's good to see someone finally give a decent answer.

Another possibility (which I use) is to do weird things with name
lookup. For example, I have entries like "foo.localhost" and
"bar.localhost" in my /etc/hosts. They all point to 127.0.0.1 but I
can use them with my .ssh/config to reach tunneled servers.

host foo.localhost
    port 1234
host bar.localhost
    port 1235
...

No need to use "HostKeyAlias".

--kyler
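The two working answers in this thread (Per Hedeland's HostKeyAlias stanzas and Kyler Laird's /etc/hosts aliases) both change the name under which the client files the server's key in known_hosts, and the original failure happens because, without either, A and B share that name. The model below is an added illustration, not OpenSSH source or anyone's code from the thread: it parses the thread's own stanzas (only Host, HostName, Port and HostKeyAlias are supported), derives the known_hosts lookup name the way ssh does (HostKeyAlias if set, otherwise the host name, which newer OpenSSH releases write as "[host]:port" for non-default ports while 3.6.1-era clients wrote the bare name), and runs a first-contact check for each target against constructed host keys. Unlike copying one private host key to both machines, as suggested earlier in the thread, both configurations keep A's and B's keys distinct, so the client still notices if one of them changes. The host keys, the NO_ALIAS_CONFIG stanza reproducing the question, and the `port_in_known_hosts` switch are assumptions of this example.

```python
"""Model of how the OpenSSH client chooses the known_hosts entry to check a
server's host key against, using the ~/.ssh/config stanzas from this thread.
Added illustration, not OpenSSH source; CheckHostIP (which additionally
records the resolved IP) is deliberately not modelled."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed: Per Hedeland's two stanzas plus Kyler Laird's /etc/hosts-alias stanzas.
SSH_CONFIG = """\
Host machineA
    HostName MyIPAddress
    HostKeyAlias machinea

Host machineB
    HostName MyIPAddress
    HostKeyAlias machineb
    Port 100

host foo.localhost
    port 1234
host bar.localhost
    port 1235
"""

# Constructed: the situation in the original question, no aliases at all.
NO_ALIAS_CONFIG = """\
Host machineA
    HostName MyIPAddress
Host machineB
    HostName MyIPAddress
    Port 100
"""

# Constructed placeholder host keys: every target is a different machine.
SERVER_KEYS = {
    "machineA": "ssh-rsa KEY-OF-BOX-A",
    "machineB": "ssh-rsa KEY-OF-BOX-B",
    "foo.localhost": "ssh-rsa KEY-OF-TUNNELLED-FOO",
    "bar.localhost": "ssh-rsa KEY-OF-TUNNELLED-BAR",
}


@dataclass
class Target:
    hostname: str                  # what ssh connects to: HostName, else the Host label
    port: int = 22
    host_key_alias: Optional[str] = None


def parse_ssh_config(text: str) -> Dict[str, Target]:
    """Parse Host stanzas; keywords are case-insensitive, as in ssh_config(5)."""
    targets: Dict[str, Target] = {}
    current: Optional[Target] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = targets[value] = Target(hostname=value)  # HostName defaults to label
        elif current is None:
            raise ValueError(f"{key} outside a Host stanza")
        elif key == "hostname":
            current.hostname = value
        elif key == "port":
            current.port = int(value)
        elif key == "hostkeyalias":
            current.host_key_alias = value
        else:
            raise ValueError(f"unsupported keyword {key!r} in this model")
    return targets


def lookup_name(t: Target, port_in_known_hosts: bool) -> str:
    """Name under which the client stores and later checks this server's key."""
    if t.host_key_alias:
        return t.host_key_alias
    if port_in_known_hosts and t.port != 22:
        return f"[{t.hostname}]:{t.port}"  # newer OpenSSH clients
    return t.hostname                      # 3.6.1-era clients: port not recorded


def check_host_key(store: Dict[str, str], name: str, offered_key: str) -> str:
    """'new': first contact, key recorded; 'ok': matches; 'changed': the
    'host identification has changed' abort from the original question."""
    if name not in store:
        store[name] = offered_key
        return "new"
    return "ok" if store[name] == offered_key else "changed"


def walk(config: str, port_in_known_hosts: bool) -> Dict[str, str]:
    """Connect once to each target in config order with a fresh known_hosts."""
    store: Dict[str, str] = {}
    return {
        label: check_host_key(store, lookup_name(t, port_in_known_hosts), SERVER_KEYS[label])
        for label, t in parse_ssh_config(config).items()
    }


if __name__ == "__main__":
    print("question, old client :", walk(NO_ALIAS_CONFIG, port_in_known_hosts=False))
    print("question, newer client:", walk(NO_ALIAS_CONFIG, port_in_known_hosts=True))
    print("thread's config, old  :", walk(SSH_CONFIG, port_in_known_hosts=False))
```

With the question's config and an old client, machineB comes back "changed" because both boxes are filed under MyIPAddress; with aliases (or with a client that records "[MyIPAddress]:100") every target gets its own entry. On a current OpenSSH client, `ssh -G machineB` prints the resolved hostname, port and hostkeyalias without connecting, and `ssh-keygen -F machineb` shows which known_hosts line the alias maps to.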
