[Techtalk] remote SSH and NAT

John Clarke johnc+linuxchix at kirriwa.net
Mon Mar 13 12:52:30 EST 2006

On Sat, Mar 11, 2006 at 10:36:33 -0800, Carla Schroder wrote:

Hi Carla,

> That works great for a single LAN host, but then don't you bump into host keys 
> problems? Because all outgoing traffic is SNAT'ed, so when the remote SSH 
> client sees a different host key, it doesn't know it's from a different PC, 

You can fix that with ~/.ssh/config (on the ssh client, owned by you,
mode 0600), e.g.:

    # windbag.foo net
    Host windbag
        Hostname windbag.foo.net
        HostKeyAlias windbag.foo.net
        PasswordAuthentication yes
    # stinkpad.foo net is accessed via port forwarding on
    #   windbag.foo.net, so don't check the IP address in
    #   the known hosts file
    Host stinkpad
        Hostname windbag.foo.net
        HostKeyAlias stinkpad.foo.net
        CheckHostIP no
        Port 10000
        PasswordAuthentication yes

    # defaults follow
    Host *
        ForwardAgent no
        ForwardX11 no
        PubkeyAuthentication yes
        RSAAuthentication yes
        RhostsAuthentication no
        RhostsRSAAuthentication no
        TISAuthentication no
        PasswordAuthentication no
        FallBackToRsh no
        UseRsh no
        BatchMode no
        StrictHostKeyChecking yes
        Protocol 2,1
        Port 22
        CheckHostIP yes

Then just use "ssh windbag" and "ssh stinkpad" and it'll do what you

You can have multiple hosts on a line, e.g. "Host windbag stinkpad" and
the options which follow will apply to all.  You can also have multiple
"Host" sections with the same hostname (or a matching wildcard) and all
the options in all sections will take effect, with the first definition
of any one option overriding any later definitions of the same option. 

That means that the options defined under "Host *" are only used if
they're not defined earlier.  Hence port 10000 is used for stinkpad but
port 22 is used for all other hosts.

Note that "Host windbag" is not the same as "Host windbag.foo.net".  If
you want to use the fqdn or the short name and get the same options, put
both names on the same Host line: "Host windbag windbag.foo.net".


For someone like that, the best I can do is to write and implement
the KJTP: K-Y Jelly Transport Protocol. He'll need a lot.
            -- Mike Andrews

More information about the Techtalk mailing list