[Techtalk] remote SSH and NAT

Carla Schroder carla at bratgrrl.com
Sun Mar 12 18:13:17 EST 2006


On Saturday 11 March 2006 22:50, Mary wrote:
> On Sat, Mar 11, 2006, Carla Schroder wrote:
> > That works great for a single LAN host, but then don't you bump into host
> > keys problems? Because all outgoing traffic is SNAT'ed, so when the
> > remote SSH client sees a different host key, it doesn't know it's from a
> > different PC, because the IP is the same. So you get the scary
> >
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>
> I tend to set the UserKnownHostsFile option in .ssh/config. So, if we
> have stinkpad1 and stinkpad2 behind windbag.example.com on ports 22000
> and 22001
>
> Host stinkpad1
> HostName windbag.example.com
> Port 22000
> UserKnownHostsFile ~/.ssh/stinkpad1-knownhosts
>
> Host stinkpad2
> HostName windbag.example.com
> Port 22001
> UserKnownHostsFile ~/.ssh/stinkpad2-knownhosts
>
> This means it will check completely different files when doing the host
> key checking.
>

That looks like a totally awesome way to handle this! I shall try it tomorrow. 
I assume you have to manually copy the host keys into their new files? This 
looks really slick, I wish it wasn't already past my bedtime. :) Thanks Mary!

BTW, for anyone who was wondering, iptables reads only packet headers, so 
domain names don't work in iptables rules, just numerical addresses. But SSH 
can use domain names just fine. 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Carla Schroder
 check out my "Linux Cookbook", the ultimate Linux user's
 and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
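Mary's per-alias UserKnownHostsFile setup and Carla's question about getting the host keys into those files, as an added example that is not part of the thread: it writes the config stanzas and known_hosts entries into a scratch directory and then checks a presented key the way the ssh client does. Host names, ports and the keys are constructed sample values.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread: per-alias known_hosts files
# plus the matching ~/.ssh/config stanzas for boxes that share one public
# address behind NAT, and a check that mirrors what the ssh client does.
# Host names, ports and the keys below are constructed sample values.
set -eu

# Append Mary's stanza for one alias to $dir/config.
write_stanza() { # dir alias public_host port
  local dir=$1 alias=$2 host=$3 port=$4
  printf 'Host %s\n  HostName %s\n  Port %s\n  UserKnownHostsFile %s/%s-knownhosts\n\n' \
    "$alias" "$host" "$port" "$dir" "$alias" >> "$dir/config"
}

# Record a host key in the alias's own file. OpenSSH keys a host on a
# non-default port as "[host]:port", the form "ssh-keyscan -p port host" also
# prints; verify the fingerprint out of band before trusting a scanned key.
add_host_key() { # dir alias public_host port "keytype base64key"
  local dir=$1 alias=$2 host=$3 port=$4 key=$5
  printf '[%s]:%s %s\n' "$host" "$port" "$key" >> "$dir/$alias-knownhosts"
}

# Look the presented key up in the alias's file, as the client would.
# 0 = matches, 1 = differs (the REMOTE HOST IDENTIFICATION HAS CHANGED case),
# 2 = not recorded yet (ssh would ask whether to trust it).
check_host_key() { # dir alias public_host port "keytype base64key"
  local dir=$1 alias=$2 host=$3 port=$4 key=$5 stored
  stored=$(grep -F "[$host]:$port " "$dir/$alias-knownhosts" 2>/dev/null |
    cut -d' ' -f2-) || true
  [ -n "$stored" ] || return 2
  [ "$stored" = "$key" ] || return 1
}

# Stand-alone demo in a scratch directory; nothing under ~/.ssh is touched.
demo() {
  local dir k1 k2
  dir=$(mktemp -d)
  k1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAISAMPLEKEY1NOTAREALKEYxxxxxxxxxxxxxxxx'
  k2='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAISAMPLEKEY2NOTAREALKEYxxxxxxxxxxxxxxxx'
  write_stanza "$dir" stinkpad1 windbag.example.com 22000
  write_stanza "$dir" stinkpad2 windbag.example.com 22001
  add_host_key "$dir" stinkpad1 windbag.example.com 22000 "$k1"
  add_host_key "$dir" stinkpad2 windbag.example.com 22001 "$k2"
  check_host_key "$dir" stinkpad2 windbag.example.com 22001 "$k2" && echo "stinkpad2: key matches"
  check_host_key "$dir" stinkpad1 windbag.example.com 22000 "$k2" ||
    echo "stinkpad1: rc=$?, key differs: ssh would print the CHANGED banner"
  rm -rf "$dir"
}
demo
```

Point the functions at your real ~/.ssh only after checking the generated stanza, since they append rather than replace.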