This is a discussion on "ssh to machines behind firewall?" within the Linux Networking forums, part of the Linux Forums category.
I've got multiple machines behind a NAT/firewall. I'd like to ssh into those machines, so I map different incoming TCP/IP port numbers to port 22 on the different hosts. That works fine.

However, the ssh client is mad because n.n.n.n:8022 and n.n.n.n:8023 are two different hosts. How do I get ssh to take the port number into account in the known-hosts entries?

-- 
Grant Edwards                   grante at visi.com
Yow! KARL MALDEN'S NOSE just won an ACADEMY AWARD!!
On 2004-04-29, Grant Edwards <grante@visi.com> wrote:
> However, the ssh client is mad because n.n.n.n:8022 and
> n.n.n.n:8023 are two different hosts. How do I get ssh to take
> the port number into account in the known-hosts entries?

According to openssh's bugzilla database people have been complaining about this for 2 years. So I guess I'm stuck.

-- 
Grant Edwards                   grante at visi.com
Yow! But they went to MARS around 1953!!
On Thu, 29 Apr 2004 19:41:03 +0000, Grant Edwards wrote:
> However, the ssh client is mad because n.n.n.n:8022 and
> n.n.n.n:8023 are two different hosts. How do I get ssh to take
> the port number into account in the known-hosts entries?

I think you can turn off that host checking, or at least tone down the objections.

What I have done in this case: use a different hostname (make a CNAME or another A record, or even an entry in /etc/hosts) and consistently use that for the one on the alternate port.

If you have the opportunity to use more than one external IP, you could DNAT each IP to a separate internal host, just leave them all on the same port.

-- 
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
On 2004-04-29, /dev/rob0 <rob0@gmx.co.uk> wrote:
>> However, the ssh client is mad because n.n.n.n:8022 and
>> n.n.n.n:8023 are two different hosts. How do I get ssh to take
>> the port number into account in the known-hosts entries?
>
> I think you can turn off that host checking, or at least tone down the
> objections.

Yea, I guess a warning and a "continue?" would be workable.

> What I have done in this case: use a different hostname
> (make a CNAME or another A record, or even an entry in /etc/hosts) and
> consistently use that for the one on the alternate port.

Ah! So it does the lookup using the hostname you pass it rather than the IP address to which it resolves? I hadn't thought about that.

> If you have the opportunity to use more than one external IP,
> you could DNAT each IP to a separate internal host, just leave
> them all on the same port.

I've only got one IP address, but the multiple hostnames sounds like it's worth trying.

-- 
Grant Edwards                   grante at visi.com
Yow! Is this BOISE??
On 2004-04-29, Grant Edwards <grante@visi.com> wrote:
> I've only got one IP address, but the multiple hostnames sounds
> like it's worth trying.

The trick is to go into the known-hosts file manually and fix up the entries so that all of the "aliased" hostnames have the form:

    host1,nnn.nnn.nnn.nnn [...]
    host2,nnn.nnn.nnn.nnn [...]
    host3,nnn.nnn.nnn.nnn [...]
    host4,nnn.nnn.nnn.nnn [...]

Otherwise, you seem to end up with only one entry with the IP address on the end. Then, every time you switch hosts, it complains and moves the nnn.nnn.nnn.nnn. With entries like the above, I get no warnings or complaints from ssh. :)

-- 
Grant Edwards                   grante at visi.com
Yow! Hello? Enema Bondage? I'm calling because I want to be happy, I guess...
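As an added example that is not part of the thread: a small Python helper that applies the fix-up Grant describes above to a plain (unhashed) known_hosts file, pairing each alias hostname from /dev/rob0's suggestion with the shared public IP and dropping the bare-IP line that ssh keeps moving. It refuses to merge when an alias already carries a different key, since that is exactly the case the host-key check exists to catch. The sample known_hosts text, the IP 203.0.113.5 and the alias names are constructed.

```python
# Added example (not from the thread): rewrite a plain, unhashed known_hosts
# so each alias hostname also carries the shared public IP, giving the entry
# form "host1,nnn.nnn.nnn.nnn ..." described above. Sample data is constructed.
from typing import Dict, List

# Constructed sample: two aliases that resolve to one public IP (203.0.113.5),
# the bare-IP line ssh keeps "moving" between them, and an unrelated host.
SAMPLE_KNOWN_HOSTS = """\
host1 ssh-rsa AAAAKEY1
host2 ssh-rsa AAAAKEY2
203.0.113.5 ssh-rsa AAAAKEY2
other.example ssh-rsa AAAAKEY3
"""

def alias_entries(text: str, public_ip: str, aliases: List[str]) -> str:
    """Return known_hosts text with "alias,public_ip" on every alias line."""
    out: List[str] = []
    seen: Dict[str, str] = {}  # alias -> key already emitted for it
    for line in text.splitlines():
        stripped = line.strip()
        parts = stripped.split()
        if not stripped or stripped[0] in "#@" or len(parts) < 3:
            out.append(line)          # comments, @markers, junk: keep verbatim
            continue
        names, keytype, key = parts[0].split(","), parts[1], parts[2]
        hit = [a for a in aliases if a in names]
        if not hit:
            if names == [public_ip]:
                continue              # drop the flapping bare-IP entry
            out.append(line)
            continue
        alias = hit[0]
        if seen.get(alias, key) != key:
            # Two different keys under one alias: never merge silently.
            raise ValueError(f"conflicting host keys for {alias}")
        seen[alias] = key
        rest = [n for n in names if n not in (alias, public_ip)]
        names = [alias, public_ip] + rest   # idempotent on already-fixed lines
        out.append(" ".join([",".join(names), keytype, key] + parts[3:]))
    missing = [a for a in aliases if a not in seen]
    if missing:
        raise ValueError("no known_hosts entry for: " + ", ".join(missing))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(alias_entries(SAMPLE_KNOWN_HOSTS, "203.0.113.5", ["host1", "host2"]))
```

Run it against a copy of ~/.ssh/known_hosts and diff before replacing the real file; the aliases must already be present as plain hostnames (or /etc/hosts names) that you have connected to once.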
On 29 Apr 2004 20:27:12 GMT, Grant Edwards <grante@visi.com> wrote:
> On 2004-04-29, /dev/rob0 <rob0@gmx.co.uk> wrote:
>
>>> However, the ssh client is mad because n.n.n.n:8022 and
>>> n.n.n.n:8023 are two different hosts. How do I get ssh to take
>>> the port number into account in the known-hosts entries?
>>
>> I think you can turn off that host checking, or at least tone down the
>> objections.
>
> Yea, I guess a warning and a "continue?" would be workable.
>
>> What I have done in this case: use a different hostname
>> (make a CNAME or another A record, or even an entry in /etc/hosts) and
>> consistently use that for the one on the alternate port.
>
> Ah! So it does the lookup using the hostname you pass it
> rather than the IP address to which it resolves? I hadn't
> thought about that.
>
>> If you have the opportunity to use more than one external IP,
>> you could DNAT each IP to a separate internal host, just leave
>> them all on the same port.
>
> I've only got one IP address, but the multiple hostnames sounds
> like it's worth trying.

Even if the public IP is dynamic, some dynamic DNS services (like no-ip.com) can set up a wildcard A record (*.yourname.no-ip.com or one of their other domains). The * can be any characters suitable for an FQDN, including additional dots. So you could use the port, or private hostname or IP, for the prefix.

-- 
David Efflandt - All spam ignored
http://www.de-srv.com/
On Thu, 29 Apr 2004 19:41:03 +0000, Grant Edwards wrote:
> I've got multiple machines behind a NAT/firewall. I'd like to ssh into
> those machines, so I map different incoming TCP/IP port numbers to port 22
> on the different hosts. That works fine.
>
> However, the ssh client is mad because n.n.n.n:8022 and n.n.n.n:8023 are
> two different hosts. How do I get ssh to take the port number into
> account in the known-hosts entries?

Another possibility is to copy the key files from one machine to the others so that they are all the same, then the client isn't aware that it's connecting to different ones. I do this when I dual boot the server and keep the IP address the same, but I don't see why it shouldn't work with different ones. As long as they're all yours in the same LAN I can't see a security issue either.

Personally I just have the one server accessible from outside and ssh on from that to the others as needed. It means I only have to worry about security in one place. I've not found this inconvenient. I do the same at work (there I have two, for redundancy, at different sites) and there are hundreds of machines there I need to access remotely. Some of which run OSs so ancient it would be difficult if not impossible to put a secure SSH server on. Or even any SSH server at all. The SSH servers have a telnet client (and a tn3270 one for those who remember what that's for :)

Regards,
Ian