known_hosts and multiple hosts through a NAT router
Daniel Kahn Gillmor
dkg-openssh.com at fifthhorseman.net
Tue Dec 13 02:52:06 EST 2005
On December 10, djk at super.org said:
> The .ssh/known_hosts table cannot handle reaching different sshd
> servers behind a NAT router. The machines are selected by having
> the SSHDs respond to different ports.
>
> A second request would be to allow known_hosts checking solely on
> the dns name, wildcarding the IP address. This would be useful
> to avoid continuously warning the user every time you connect
> to a machine with a changing IP address (e.g. dynamic-ip DSL home machine).
> Without that you can fall for DNS typo squatters (e.g. my
> fingers found ****.hoemip.net rather than homeip.net and
> I didn't even notice because I was used to the noise warning
> that a laptop's IP address had changed).
Both of these problems should go away if you have ~/.ssh/config
clauses that use HostKeyAlias. For example:

    # first sshd behind the NAT router: its host key is stored under "foo"
    Host foo
        Hostname xyz.homeip.net
        HostKeyAlias foo
        Port 2222

    # second sshd, same public name, own port and own known_hosts entry
    Host bar
        Hostname xyz.homeip.net
        HostKeyAlias bar
        Port 3333
This also makes it easier for you from the command line. You just use:

    ssh foo

or

    ssh bar

to connect.
hth,
--dkg
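As an added illustration (not code from the post or from OpenSSH), the following is a simplified model of how the known_hosts lookup name is chosen and what HostKeyAlias changes: without an alias, both sshds behind the NAT router are looked up under xyz.homeip.net and the second one trips the mismatch warning; with an alias, each is pinned under its own name, a changing IP is never consulted, and a different host key is still caught. The known_hosts contents and key strings are constructed placeholders; port-qualified, IP and hashed entries that real OpenSSH also handles are left out.

```python
# Constructed known_hosts contents: one entry per HostKeyAlias.
# Keys are placeholders, not real public keys.
KNOWN_HOSTS_WITH_ALIAS = """\
foo ssh-ed25519 AAAA-placeholder-key-of-foo
bar ssh-ed25519 AAAA-placeholder-key-of-bar
"""


def parse_known_hosts(text):
    """Return {name: (keytype, key)} from known_hosts-style lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        names, keytype, key = parts[0], parts[1], parts[2]
        for name in names.split(","):  # a line may list several names
            table[name] = (keytype, key)
    return table


def lookup_name(hostname, host_key_alias=None):
    """Name used to find the stored key: the alias wins when configured.
    The address the name resolves to plays no part in the lookup."""
    return host_key_alias if host_key_alias else hostname


def check_host_key(known_hosts, hostname, presented_key, host_key_alias=None):
    """Return 'ok', 'unknown' or 'MISMATCH' for the key a server presented."""
    stored = known_hosts.get(lookup_name(hostname, host_key_alias))
    if stored is None:
        return "unknown"  # first contact: the user is asked to accept the key
    return "ok" if stored[1] == presented_key else "MISMATCH"


def demo():
    table = parse_known_hosts(KNOWN_HOSTS_WITH_ALIAS)
    foo_key = "AAAA-placeholder-key-of-foo"
    bar_key = "AAAA-placeholder-key-of-bar"
    # Only xyz.homeip.net was known so far, holding foo's key.
    plain_table = {"xyz.homeip.net": ("ssh-ed25519", foo_key)}
    return {
        # no alias: bar is looked up under the same name as foo
        "no_alias": check_host_key(plain_table, "xyz.homeip.net", bar_key),
        # with aliases: each sshd verified against its own entry
        "foo": check_host_key(table, "xyz.homeip.net", foo_key, "foo"),
        "bar": check_host_key(table, "xyz.homeip.net", bar_key, "bar"),
        # a different key under alias foo is still flagged
        "wrong_key": check_host_key(table, "xyz.homeip.net", bar_key, "foo"),
    }
```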