port forwarding trouble

Frederik Eaton frederik at a5.repetae.net
Wed Aug 3 02:39:59 EST 2005


Thanks for your reply.

> >When I set up multiple tunnels from remote hosts to ports on
> >localhost, I get the following error when I try to use them:
> >
> >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> >@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> >IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> >
> >(even though the keys haven't changed on the remote hosts). I assume
> >this is because the known_hosts file doesn't include port numbers.
> 
> There's an open bug and patch for this:
> http://bugzilla.mindrot.org/show_bug.cgi?id=910

Hmm, it seems like this is getting hung up over
HostbasedAuthentication, which isn't really documented in the man
page. What is it, what is "rhosts based authentication"? How many
people use it?

When will the patch be incorporated?

> >However, this means that at least as I have things set up tunneling is
> >quite unusable. Is there a configuration option that I'm forgetting to
> >set which will cause ssh to differentiate between various ports on the
> >same host?
> 
> As Peter Stuge noted earlier, you can use HostKeyAlias to specify the 
> real name of the host you're connecting to over the forward.

So, I could just write a wrapper that always passes "-o
HostKeyAlias=host:port" to ssh to get around the bug?

Also, I don't think that the "host@port" syntax suggested in the bug
comments is a good idea. There should be some standard for IPv6, and
we should use it. E.g., what do URLs use to specify the port when the
host is specified as an IPv6 address?

A brief search indicated "host.:port" might be used somewhere. But
"host:port" is so common that it would be better to use a different
notation only when 'host' is IPv6. "@" is especially bad, because it
makes it look like the host is a user.

Frederik
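As an added example (not code from the thread or from OpenSSH), here is a small sh wrapper of the kind Frederik asks about: it passes a per-tunnel HostKeyAlias to ssh, and two helpers show, against a constructed known_hosts file, why entries filed under the single name "localhost" collide while aliased entries stay distinct. Host names, ports and key blobs are made-up placeholders, and the "host:port" alias format is simply the one proposed in the message, not a statement about what OpenSSH itself records.

```shell
#!/bin/sh
# Added example (not from the thread): give each tunnelled connection its own
# known_hosts identity via HostKeyAlias, and check that the recorded keys no
# longer collide under the single name "localhost".
# Host names, ports and key blobs below are constructed placeholders.

# The alias handed to ssh: the real remote host and its real port.
tunnel_alias() {
    # $1 = real remote host, $2 = real remote port
    printf '%s:%s' "$1" "$2"
}

# The ssh command line the wrapper runs, printed for inspection.
tunnel_ssh_cmd() {
    # $1 = real host, $2 = real port, $3 = local end of the forward
    printf 'ssh -o HostKeyAlias=%s -p %s localhost' \
        "$(tunnel_alias "$1" "$2")" "$3"
}

# Run ssh through the forward; any further arguments are passed on to ssh.
ssh_via_tunnel() {
    real_host=$1; real_port=$2; local_port=$3
    shift 3
    ssh -o HostKeyAlias="$(tunnel_alias "$real_host" "$real_port")" \
        -p "$local_port" localhost "$@"
}

# Key recorded for one host field in a plain (non-hashed, single-name)
# known_hosts file. Prints "keytype blob", or nothing if the name is absent.
known_hosts_key() {
    # $1 = known_hosts file, $2 = host field exactly as written in the file
    awk -v h="$2" '$1 == h { print $2, $3 }' "$1"
}

# Number of entries filed under one host field. Two different keys under the
# same name is exactly the situation that produces the
# "REMOTE HOST IDENTIFICATION HAS CHANGED" warning quoted in the thread.
key_collisions() {
    # $1 = known_hosts file, $2 = host field
    awk -v h="$2" '$1 == h' "$1" | wc -l | tr -d ' '
}

# Constructed known_hosts file: the keys two tunnels would each try to record
# under "localhost", next to the same keys recorded under per-tunnel aliases.
demo_known_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
localhost ssh-rsa AAAAB3NzaC1yc2E...alpha
localhost ssh-rsa AAAAB3NzaC1yc2E...beta
alpha.example:22 ssh-rsa AAAAB3NzaC1yc2E...alpha
beta.example:2222 ssh-rsa AAAAB3NzaC1yc2E...beta
EOF
    printf '%s' "$f"
}
```

Usage would be along the lines of `ssh_via_tunnel alpha.example 22 9022`, where 9022 is the local end of the forward to alpha.example; the helpers only inspect a known_hosts file and never contact a host, so they can be run anywhere.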
