[Techtalk] remote SSH and NAT
johnc+linuxchix at kirriwa.net
Mon Mar 13 12:52:30 EST 2006
On Sat, Mar 11, 2006 at 10:36:33 -0800, Carla Schroder wrote:
> That works great for a single LAN host, but then don't you bump into host keys
> problems? Because all outgoing traffic is SNAT'ed, so when the remote SSH
> client sees a different host key, it doesn't know it's from a different PC,
You can fix that with ~/.ssh/config (on the ssh client, owned by you,
mode 0600), e.g.:
# windbag.foo.net
# stinkpad.foo.net is accessed via port forwarding on
# windbag.foo.net, so don't check the IP address in
# the known hosts file
# defaults follow
Then just use "ssh windbag" and "ssh stinkpad" and it'll do what you

You can have multiple hosts on a line, e.g. "Host windbag stinkpad" and
the options which follow will apply to all. You can also have multiple
"Host" sections with the same hostname (or a matching wildcard) and all
the options in all sections will take effect, with the first definition
of any one option overriding any later definitions of the same option.

That means that the options defined under "Host *" are only used if
they're not defined earlier. Hence port 10000 is used for stinkpad but
port 22 is used for all other hosts.

Note that "Host windbag" is not the same as "Host windbag.foo.net". If
you want to use the fqdn or the short name and get the same options, put
both names on the same Host line: "Host windbag windbag.foo.net".
For someone like that, the best I can do is to write and implement
the KJTP: K-Y Jelly Transport Protocol. He'll need a lot.
-- Mike Andrews
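
Added example, not part of the original message (whose config lines did not survive in this archive): a small Python resolver for the "first definition wins" rule described above, run against a constructed config. The option names CheckHostIP and HostKeyAlias, the HostName values and the file contents are assumptions chosen to match the comments and ports mentioned in the message.

```python
import fnmatch

# Constructed sample, not the poster's file; CheckHostIP/HostKeyAlias are assumed.
SAMPLE_CONFIG = """\
Host windbag windbag.foo.net
    HostName windbag.foo.net
Host stinkpad
    HostName windbag.foo.net
    Port 10000
    CheckHostIP no
    HostKeyAlias stinkpad
Host *
    Port 22
    CheckHostIP yes
"""

def parse(text):
    """Return [(patterns, [(option, value), ...])] in file order."""
    sections = [(["*"], [])]  # options before any Host line apply to all hosts
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            sections.append((value.split(), []))
        else:
            sections[-1][1].append((key, value))
    return sections

def host_matches(name, patterns):
    """A matching negated (!) pattern vetoes the section; else one positive match suffices."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(name, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(name, pat):
            matched = True
    return matched

def resolve(text, name):
    """Effective options for the name typed after 'ssh'; first value seen per option wins."""
    effective = {}
    for patterns, options in parse(text):
        if host_matches(name, patterns):
            for key, value in options:
                effective.setdefault(key, value)
    return effective
```

Resolving "stinkpad.foo.net" against this sample returns only the "Host *" defaults, which is the short name versus FQDN caveat from the message. On a real client, `ssh -G <name>` prints the options OpenSSH itself resolves.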