On Mon, 3 Apr 2006, J Cruit wrote:
> The problem with this is they all point back to the same IP address
> which means that to your NAT device they all look the same and it can
> only route that port 22 connection into one inside box.  You could use
> different port numbers for each and just set your client to use those
> other ports, in fact if you change them all from 22 then you also stop
> getting those annoying brute force attempts.  So change them so
> something like 2222, 2223, 2224 or whatever you feel like, it's your network.
>
> Fun idea for some coding though, give SSH the ability to see the
> hostname that was connected to and route it to the appropriate box
> similar to the Apache method for hosting multiple web sites.

  I think that'd require the SSH client to pass the hostname it was trying 
to connect to in plaintext before SSL negotiation, as it hasn't yet 
ascertained the destination machine's SSL keys.
  Instead, I'd go with the oft-suggested (and your first suggestion) 
"redirect an alternate port to each internal machine" suggestion, but with 
an extra spin...so long as you control the ~/.ssh/config (or similar) on 
the external client machine.  Just add:

Host router.mydomain.net
   Port 2222
   CheckHostIP no

Host box1.mydomain.net
   Port 2223
   CheckHostIP no

Host box2.mydomain.net
   Port 2224
   CheckHostIP no

  ...etc.
  Then when you ssh to box2.mydomain.net, it goes to port 2224 
automagically, and (as I recall, based on the CheckHostIP option) doesn't 
nag you about the key not matching the one known for the IP (which may be 
the router or box1's).
  No SSH software mangling required.

  Of course, there are other methods available (i.e., VPN) if you have 
fine-grained control over the remote client (your laptop, for instance), 
but that's slightly more involved.

      Jima
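As an added illustration of the per-host ~/.ssh/config approach described in the thread (this is not code from the thread or from OpenSSH), the script below parses a small client config and resolves the effective Port and CheckHostIP for a given hostname using OpenSSH's first-obtained-value-wins rule. The sample config is constructed from the three Host blocks in the mail plus an assumed trailing "Host *" default, and the pattern matching is an approximation of ssh's `*`/`?`/`!` host patterns. It also includes a check a practitioner would want for this setup: since every name resolves to the same public IP, two hosts that end up on the same port would land on the same inside box.

```python
import fnmatch

# Constructed sample ~/.ssh/config, modelled on the mail's snippet plus an
# assumed catch-all block (the mail does not show one).
SAMPLE_CONFIG = """\
Host router.mydomain.net
   Port 2222
   CheckHostIP no

Host box1.mydomain.net
   Port 2223
   CheckHostIP no

Host box2.mydomain.net
   Port 2224
   CheckHostIP no

# assumed default block, applies to everything else
Host *
   Port 22
   CheckHostIP yes
"""


def parse_ssh_config(text):
    """Return a list of (host_patterns, {option: value}) blocks in file order.

    Options that appear before any Host line apply to all hosts, so they are
    collected into a leading 'Host *' block. Keys are lower-cased because
    ssh_config keywords are case-insensitive.
    """
    current = (["*"], {})
    blocks = [current]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            # within one block the first occurrence of an option wins
            current[1].setdefault(key, value)
    return blocks


def _matches(hostname, patterns):
    """ssh-style host matching: any '!' pattern that matches excludes the block."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(hostname, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in positive)


def resolve(blocks, hostname):
    """Apply first-obtained-value-wins across all matching blocks."""
    effective = {}
    for patterns, options in blocks:
        if _matches(hostname, patterns):
            for key, value in options.items():
                effective.setdefault(key, value)
    return effective


def port_for(hostname, text=SAMPLE_CONFIG):
    """Effective TCP port ssh would use for hostname (default 22)."""
    return int(resolve(parse_ssh_config(text), hostname).get("port", "22"))


def check_host_ip(hostname, text=SAMPLE_CONFIG):
    """Effective CheckHostIP setting as a bool (ssh's default is yes)."""
    value = resolve(parse_ssh_config(text), hostname).get("checkhostip", "yes")
    return value.lower() == "yes"


def duplicate_ports(text=SAMPLE_CONFIG):
    """Literal hostnames that share a port.

    Behind a single NAT address, two names on the same forwarded port reach
    the same inside machine, so any entry here is a misconfiguration.
    """
    blocks = parse_ssh_config(text)
    literal_hosts = [p for patterns, _ in blocks for p in patterns
                     if not any(c in p for c in "*?!")]
    by_port = {}
    for host in literal_hosts:
        by_port.setdefault(port_for(host, text), []).append(host)
    return {port: hosts for port, hosts in by_port.items() if len(hosts) > 1}


if __name__ == "__main__":
    for host in ("router.mydomain.net", "box2.mydomain.net", "other.example"):
        print(host, port_for(host), "CheckHostIP" if check_host_ip(host) else "no CheckHostIP")
    print("port collisions:", duplicate_ports())
```

On a real system, `ssh -G hostname` (OpenSSH 6.8 and later) prints the configuration ssh actually resolved for that host, which is the authoritative way to confirm that the Port and CheckHostIP values come out as intended.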