[Techtalk] remote SSH and NAT
Mary
mary-linuxchix at puzzling.org
Sun Mar 12 17:50:24 EST 2006
On Sat, Mar 11, 2006, Carla Schroder wrote:
> That works great for a single LAN host, but then don't you bump into host key
> problems? Because all outgoing traffic is SNAT'ed, so when the remote SSH
> client sees a different host key, it doesn't know it's from a different PC,
> because the IP is the same. So you get the scary
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
I tend to set the UserKnownHostsFile option in .ssh/config. So, if we
have stinkpad1 and stinkpad2 behind windbag.example.com on ports 22000
and 22001:

Host stinkpad1
    HostName windbag.example.com
    Port 22000
    UserKnownHostsFile ~/.ssh/stinkpad1-knownhosts

Host stinkpad2
    HostName windbag.example.com
    Port 22001
    UserKnownHostsFile ~/.ssh/stinkpad2-knownhosts

This means it will check completely different files when doing the host
key checking.
-Mary
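As an added example that is not part of Mary's post: a small Python checker that parses ssh_config Host stanzas and flags aliases pointing at the same HostName whose host keys would be recorded in the same known_hosts file. The sample config is constructed; stinkpad3 and stinkpad4 are hypothetical aliases added to show the unfixed case.

```python
"""Lint an ssh_config for NAT'ed hosts that share one public HostName."""
import re
from collections import defaultdict

# Constructed sample (hypothetical hosts): stinkpad1/2 as in the post, plus
# stinkpad3/4, which have no UserKnownHostsFile line (one uses Key=value).
SAMPLE_CONFIG = """\
Host stinkpad1
    HostName windbag.example.com
    Port 22000
    UserKnownHostsFile ~/.ssh/stinkpad1-knownhosts
Host stinkpad2
    HostName windbag.example.com
    Port 22001
    UserKnownHostsFile ~/.ssh/stinkpad2-knownhosts
Host stinkpad3
    HostName windbag.example.com
    Port 22002
Host stinkpad4
    HostName=windbag.example.com
    Port=22003
"""
DEFAULT_KNOWN_HOSTS = "~/.ssh/known_hosts"  # OpenSSH client default


def parse_ssh_config(text):
    """Return {alias: {keyword: value}} per Host stanza, keywords lower-cased;
    accepts 'Keyword value' and 'Keyword=value', one alias per Host line."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, value = re.split(r"[ \t=]+", line, maxsplit=1)
        if keyword.lower() == "host":
            current = stanzas.setdefault(value, {})
        elif current is not None:
            current[keyword.lower()] = value
    return stanzas


def shared_known_hosts(stanzas):
    """Aliases grouped by (HostName, known_hosts file), keeping groups of more
    than one: different host keys land under one name in one file, which is
    what raises the REMOTE HOST IDENTIFICATION HAS CHANGED warning."""
    groups = defaultdict(list)
    for alias, opts in stanzas.items():
        hostname = opts.get("hostname", alias)
        kh_file = opts.get("userknownhostsfile", DEFAULT_KNOWN_HOSTS)
        groups[(hostname, kh_file)].append(alias)
    return {key: aliases for key, aliases in groups.items() if len(aliases) > 1}
```

Current OpenSSH clients record non-default ports as [hostname]:port entries, so aliases on distinct ports may already avoid the clash within a shared file; separate UserKnownHostsFile entries keep each machine's key isolated regardless of port.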