On Fri, Jan 23, 2004 at 03:11:47PM -0600, Robert P. Goldman wrote:
> >>>>> "CF" == Clay Fandre <clay at fandre.com> writes:
>
>     CF> $ man ssh_config
>     CF> [snip]
>     CF> CheckHostIP
>     CF>         If this flag is set to ``yes'', ssh will additionally
>     CF>         check the host IP address in the known_hosts file.
>     CF>         This allows ssh to detect if a host key changed due to
>     CF>         DNS spoofing.  If the option is set to ``no'', the
>     CF>         check will not be executed.  The default is ``yes''.
>
> I'm sorry to be dense, but I don't see how this helps.  Since the two
> machines are behind a NAT router, they both have the same IP address
> (but different RSA keys).  Right now I've set up so that the Strict
> checking is off, and that allows my connections to go through, but ssh
> still whines about it....

Two more possibilities from man ssh_config:

     HostKeyAlias
             Specifies an alias that should be used instead of the real host
             name when looking up or saving the host key in the host key
             database files.  This option is useful for tunneling ssh
             connections or for multiple servers running on a single host.

     ProxyCommand
             Specifies the command to use to connect to the server.  The
             command string extends to the end of the line, and is executed
             with /bin/sh.  In the command string, '%h' will be substituted
             by the host name to connect and '%p' by the port.  The command
             can be basically anything, and should read from its standard
             input and write to its standard output.  It should eventually
             connect an sshd(8) server running on some machine, or execute
             sshd -i somewhere.  Host key management will be done using the
             HostName of the host being connected (defaulting to the name
             typed by the user).  Setting the command to ``none'' disables
             this option entirely.  Note that CheckHostIP is not available
             for connects with a proxy command.

It seems to me that HostKeyAlias should do what you want, but I have never
actually used it.  If not, ProxyCommand should simplify a way to kludge it.
-- 
Jim Crumley                     |Twin Cities Linux Users Group Mailing List (TCLUG)
crumley at fields.space.umn.edu |Minneapolis/St. Paul, Minnesota
Ruthless Debian Zealot          |http://www.mn-linux.org/
Never laugh at live dragons     |Dmitry's free,Jon's next? http://faircopyright.org
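
An added example, not part of the original message: a ~/.ssh/config sketch of the HostKeyAlias approach for two machines that share one NAT address, next to the strict-checking-off workaround it replaces. The router name nat.example.org, the aliases inside-a and inside-b, and the forwarded ports 2201 and 2202 are assumptions, not values from the thread.

```sshconfig
# Constructed example: host names, aliases and ports are assumptions.

# Before (the workaround from the thread, shown commented out):
# connections go through, but a changed host key no longer stops them.
# Host nat.example.org
#     StrictHostKeyChecking no

# After: one entry per machine behind the router. Each key is saved and
# looked up in known_hosts under its own alias, so the two RSA keys no
# longer collide on the shared name and address.
Host inside-a
    HostName nat.example.org
    Port 2201
    HostKeyAlias inside-a
    # Both machines answer on the same IP, so the per-IP check would
    # flag whichever key was recorded second.
    CheckHostIP no
    StrictHostKeyChecking ask

Host inside-b
    HostName nat.example.org
    Port 2202
    HostKeyAlias inside-b
    CheckHostIP no
    StrictHostKeyChecking ask
```

With this in place, `ssh inside-a` and `ssh inside-b` each prompt once to record their key, and a later key change on either machine is reported against that alias only.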