[patch] known hosts with ports
m.lavy
m.lavy at jesus.cam.ac.uk
Wed Aug 29 01:09:44 EST 2001
Hello. We are currently installing a new firewall, and would like to use a
mixture of NAT and port mapping to have a single "gateway" host address
which exposes a range of open ports, each of which maps to sshd of a
different host in our internal network (e.g. ssh.jesus.cam.ac.uk on port
6789 maps to internal host1 port 22 whereas ssh.jesus.cam.ac.uk on port 6790
maps to internal host2 port 22).
There is a problem here: client A connects on port 6789 and reaches host1
successfully; he saves the host key (which the ssh client sees as the host key
for ssh.jesus.cam.ac.uk) in known_hosts. He then connects on port 6790, but
on connection will be warned that the host key has changed, because he will be
connecting to a host that LOOKS as though it is the same as host1, even
though it is not the same in reality.
I don't know if this is a problem that anyone else has faced, or if
attempting to solve it is a particularly good idea. However, my solution has
been to patch the ssh client so that it looks up known hosts by host AND
PORT. I've patched main() in ssh.c because that seemed the cleanest place to
do it without making lots of code changes. Patch is attached to this mail.
I'd be grateful for thoughts on whether this is a sane approach to the
problem; anyone please feel free to use the patch under the BSD licence.
Apologies if this is not an appropriate list for the mailing.
Regards,
Matthew
--
Matthew M Lavy MA MPhil ARCM LTCL
Technical Systems Developer
Jesus College, Cambridge CB5 8BL
Tel: 01223 339944
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh-client.diff
Type: application/octet-stream
Size: 406 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010828/88fe21ae/attachment.obj
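As an added illustration (not the author's attached patch, which is not reproduced on this page), the following Python models the scenario described in the post: a known_hosts lookup keyed by host AND port, using the `[host]:port` name form that later OpenSSH releases adopted for non-default ports. The sample known_hosts file and all key strings are constructed placeholders.

```python
# Constructed sample known_hosts (placeholder keys, not real public keys). Each
# forwarded gateway port gets its own [host]:port entry, so each internal host
# behind the gateway keeps a separate key.
SAMPLE_KNOWN_HOSTS = """\
[ssh.jesus.cam.ac.uk]:6789 ssh-ed25519 AAAAC3PLACEHOLDERHOST1
[ssh.jesus.cam.ac.uk]:6790 ssh-ed25519 AAAAC3PLACEHOLDERHOST2
ssh.jesus.cam.ac.uk,gateway.example ssh-ed25519 AAAAC3PLACEHOLDERGATEWAY
"""

def known_hosts_name(host, port, port_aware=True):
    """Name a key is filed under: bare host on port 22 (or always, for a client
    that ignores ports, the pre-patch behaviour), [host]:port otherwise."""
    if not port_aware or port == 22:
        return host
    return f"[{host}]:{port}"

def parse_known_hosts(text):
    """Map each name in a known_hosts file to (keytype, key). Comment lines are
    skipped; hashed (|1|...) and @marker entries are out of scope here."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@|":
            continue
        names, keytype, key = line.split()[:3]
        for name in names.split(","):  # one line may list several names
            known[name] = (keytype, key)
    return known

def check_host_key(known, host, port, keytype, key, port_aware=True):
    """'match' = trusted, 'unknown' = first-contact prompt, 'mismatch' = the
    host-key-changed warning the post describes."""
    entry = known.get(known_hosts_name(host, port, port_aware))
    if entry is None:
        return "unknown"
    return "match" if entry == (keytype, key) else "mismatch"

def remember_host_key(known, host, port, keytype, key, port_aware=True):
    known[known_hosts_name(host, port, port_aware)] = (keytype, key)

# Client A's two connections from the post, with constructed placeholder keys.
HOST = "ssh.jesus.cam.ac.uk"
HOST1_KEY = ("ssh-ed25519", "AAAAC3PLACEHOLDERHOST1")
HOST2_KEY = ("ssh-ed25519", "AAAAC3PLACEHOLDERHOST2")

def client_a(port_aware):
    """Accept host1's key on port 6789, then connect to host2 on port 6790."""
    known = {}
    remember_host_key(known, HOST, 6789, *HOST1_KEY, port_aware=port_aware)
    return check_host_key(known, HOST, 6790, *HOST2_KEY, port_aware=port_aware)
```

With `client_a(False)` the second connection reports "mismatch" (the spurious key-changed warning); with `client_a(True)` it reports "unknown", the ordinary first-contact prompt for a host not yet seen.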