[Techtalk] remote SSH and NAT
John Clarke
johnc+linuxchix at kirriwa.net
Mon Mar 13 12:52:30 EST 2006
On Sat, Mar 11, 2006 at 10:36:33 -0800, Carla Schroder wrote:
Hi Carla,
> That works great for a single LAN host, but then don't you bump into host keys
> problems? Because all outgoing traffic is SNAT'ed, so when the remote SSH
> client sees a different host key, it doesn't know it's from a different PC,
You can fix that with ~/.ssh/config (on the ssh client, owned by you,
mode 0600), e.g.:
# windbag.foo.net
Host windbag
    Hostname windbag.foo.net
    HostKeyAlias windbag.foo.net
    PasswordAuthentication yes
# stinkpad.foo.net is accessed via port forwarding on
# windbag.foo.net, so don't check the IP address in
# the known hosts file
Host stinkpad
    Hostname windbag.foo.net
    HostKeyAlias stinkpad.foo.net
    CheckHostIP no
    Port 10000
    PasswordAuthentication yes
# defaults follow
Host *
    ForwardAgent no
    ForwardX11 no
    PubkeyAuthentication yes
    RSAAuthentication yes
    RhostsAuthentication no
    RhostsRSAAuthentication no
    TISAuthentication no
    PasswordAuthentication no
    FallBackToRsh no
    UseRsh no
    BatchMode no
    StrictHostKeyChecking yes
    Protocol 2,1
    Port 22
    CheckHostIP yes
Then just use "ssh windbag" and "ssh stinkpad" and it'll do what you
want.
You can have multiple hosts on a line, e.g. "Host windbag stinkpad" and
the options which follow will apply to all. You can also have multiple
"Host" sections with the same hostname (or a matching wildcard) and all
the options in all sections will take effect, with the first definition
of any one option overriding any later definitions of the same option.
That means that the options defined under "Host *" are only used if
they're not defined earlier. Hence port 10000 is used for stinkpad but
port 22 is used for all other hosts.
Note that "Host windbag" is not the same as "Host windbag.foo.net". If
you want to use the fqdn or the short name and get the same options, put
both names on the same Host line: "Host windbag windbag.foo.net".
Cheers,
John
--
For someone like that, the best I can do is to write and implement
the KJTP: K-Y Jelly Transport Protocol. He'll need a lot.
-- Mike Andrews
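The first-definition-wins resolution John describes, as an added example that is not part of the original message: a simplified Python model of how ssh(1) walks Host sections, run against a config text constructed from the one quoted above. It assumes only the "Keyword value" form and the Host keyword (no Match blocks, negated patterns or Keyword=value lines), which is all the post relies on.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed ssh_config text, reduced from the one in the post above.
SSH_CONFIG = """\
Host windbag
    Hostname windbag.foo.net
    HostKeyAlias windbag.foo.net
    PasswordAuthentication yes
# stinkpad is reached through a port forward on windbag, so its
# host key is stored under its own alias and the IP is not checked
Host stinkpad
    Hostname windbag.foo.net
    HostKeyAlias stinkpad.foo.net
    CheckHostIP no
    Port 10000
    PasswordAuthentication yes
Host *
    PasswordAuthentication no
    StrictHostKeyChecking yes
    Port 22
    CheckHostIP yes
"""

def parse_ssh_config(text: str) -> List[Tuple[List[str], List[Tuple[str, str]]]]:
    """Split the config into (host patterns, [(keyword, value), ...]) in file order."""
    sections: List[Tuple[List[str], List[Tuple[str, str]]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            sections.append((value.split(), []))  # "Host a b" -> two patterns
        elif sections:
            sections[-1][1].append((keyword, value))
    return sections

def effective_options(text: str, host: str) -> Dict[str, str]:
    """Resolve options the way ssh(1) does: apply every Host block whose
    pattern matches, in file order, keeping the FIRST value for each keyword."""
    options: Dict[str, str] = {}
    for patterns, opts in parse_ssh_config(text):
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for keyword, value in opts:
                options.setdefault(keyword, value)  # first definition wins
    return options
```

On a current OpenSSH, `ssh -G stinkpad` prints the options the real client resolves, which is the authoritative check against a config like this one.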