[patch] known hosts with ports

Markus Friedl markus at openbsd.org
Wed Aug 29 01:32:32 EST 2001


I'm using
	HostKeyAlias
for this. perhaps it's useful to add this option, but
HostKeyAlias and CheckHostIP should help, too.
however, with HostKeyAlias you need to specify this per target host.

e.g.

Host cvs.openssh.com
	Hostname localhost
	# port 2222 is forwarded to cvs.openssh.com port 22
	Port 2222
	HostKeyAlias cvs.openssh.com

On Tue, Aug 28, 2001 at 03:09:44PM +0000, m.lavy wrote:
> Hello. We are currently installing a new firewall, and would like to use a 
> mixture of NAT and port mapping to have a single "gateway" host address 
> which exposes a range of open ports, each of which maps to sshd of a 
> different host in our internal network (e.g. ssh.jesus.cam.ac.uk on port 
> 6789 maps to internal host1 port 22 whereas ssh.jesus.cam.ac.uk on port 6790 
> maps to internal host2 port 22).
> 
> There is a problem here: client A connects on port 6789 and reaches host1 
> successfully; he saves the host key (which ssh client sees as the host key 
> for ssh.jesus.cam.ac.uk) in known_hosts. He then connects on port 6790, but 
> on connection will be warned that the host key has changed, because he will 
> be connecting to a host that LOOKS as though it is the same as host1, even 
> though it is not the same in reality. 
> 
> I don't know if this is a problem that anyone else has faced, or if 
> attempting to solve it is a particularly good idea. However, my solution has 
> been to patch the ssh client so that it looks up known hosts by host AND 
> PORT. I've patched main() in ssh.c because that seemed the cleanest place to 
> do it without making lots of code changes. Patch is attached to this mail. 
> I'd be grateful for thoughts on whether this is a sane approach to the 
> problem; anyone please feel free to use the patch under the BSD licence. 
> 
> Apologies if this is not an appropriate list for the mailing. 
> 
> Regards, 
> 
> Matthew 
> 
>  --
> Matthew M Lavy MA MPhil ARCM LTCL
> Technical Systems Developer
> Jesus College, Cambridge CB5 8BL
> Tel: 01223 339944 
> 
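To make the HostKeyAlias approach above concrete, here is an added shell example (not part of the original thread or of OpenSSH) that generates one Host stanza per forwarded gateway port, each with its own HostKeyAlias, and checks a config for stanzas that would end up sharing a single known_hosts name, which is exactly the collision described in the quoted mail. The gateway name, host names and ports are constructed; the lookup rule modelled (HostKeyAlias if set, otherwise Hostname) is the behaviour the thread describes.

```shell
#!/bin/sh
# Added example, not OpenSSH code. All names and ports below are constructed.

# gen_stanza NAME GATEWAY PORT
# Emits one ssh_config Host block. HostKeyAlias makes the client store and
# look up the host key under NAME instead of the shared gateway hostname, so
# keys for different ports no longer collide in known_hosts. CheckHostIP is
# turned off because every stanza resolves to the same gateway address, and
# the per-IP check would otherwise compare all of them against one key.
gen_stanza() {
    printf 'Host %s\n\tHostname %s\n\tPort %s\n\tHostKeyAlias %s\n\tCheckHostIP no\n\n' \
        "$1" "$2" "$3" "$1"
}

# gen_config GATEWAY NAME:PORT [NAME:PORT ...]
# Builds a complete config fragment for a NAT/port-mapping gateway.
gen_config() {
    gw=$1; shift
    for entry in "$@"; do
        name=${entry%%:*}
        port=${entry#*:}
        gen_stanza "$name" "$gw" "$port"
    done
}

# known_hosts_name CONFIG HOST
# Which name the client uses to find HOST's key in known_hosts:
# HostKeyAlias when present, otherwise Hostname (the rule from the thread).
known_hosts_name() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "Host"         { inblock = ($2 == want) }
        inblock && $1 == "Hostname"     { hn = $2 }
        inblock && $1 == "HostKeyAlias" { hka = $2 }
        END { print (hka != "" ? hka : hn) }'
}

# collisions CONFIG
# Prints every known_hosts name shared by two or more Host stanzas. A non-empty
# result means a "host key has changed" warning is waiting to happen.
collisions() {
    printf '%s\n' "$1" | awk '
        function flush() { name = (hka != "" ? hka : hn); seen[name]++ }
        $1 == "Host"         { if (cur != "") flush(); cur = $2; hn = ""; hka = "" }
        $1 == "Hostname"     { hn = $2 }
        $1 == "HostKeyAlias" { hka = $2 }
        END { if (cur != "") flush(); for (k in seen) if (seen[k] > 1) print k }'
}

# Usage (constructed gateway and internal hosts):
#   gen_config gw.example.org host1:6789 host2:6790 >> ~/.ssh/config
#   collisions "$(cat ~/.ssh/config)"
```

Running `collisions` over a config that has Hostname but no HostKeyAlias for the two ports reports the gateway name once; after adding the aliases it reports nothing, because each stanza now has a distinct known_hosts name.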
