Hello. We are currently installing a new firewall, and would like to use a mixture of NAT and port mapping to have a single "gateway" host address which exposes a range of open ports, each of which maps to sshd of a different host in our internal network (e.g. ssh.jesus.cam.ac.uk on port 6789 maps to internal host1 port 22 whereas ssh.jesus.cam.ac.uk on port 6790 maps to internal host2 port 22).

There is a problem here: client A connects on port 6789 and reaches host1 successfully; he saves the host key (which the ssh client sees as the host key for ssh.jesus.cam.ac.uk) in known_hosts. He then connects on port 6790, but on connection will be warned that the host key has changed, because he will be connecting to a host that LOOKS as though it is the same as host1, even though it is not the same in reality.

I don't know if this is a problem that anyone else has faced, or if attempting to solve it is a particularly good idea. However, my solution has been to patch the ssh client so that it looks up known hosts by host AND PORT. I've patched main() in ssh.c because that seemed the cleanest place to do it without making lots of code changes. Patch is attached to this mail. I'd be grateful for thoughts on whether this is a sane approach to the problem; anyone please feel free to use the patch under the BSD licence.

Apologies if this is not an appropriate list for the mailing.

Regards,

Matthew

--
Matthew M Lavy MA MPhil ARCM LTCL
Technical Systems Developer
Jesus College, Cambridge CB5 8BL
Tel: 01223 339944

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh-client.diff
Type: application/octet-stream
Size: 406 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010828/88fe21ae/attachment.obj
Previously m.lavy wrote:
> I don't know if this is a problem that anyone else has faced, or if
> attempting to solve it is a particularly good idea.

It's a common problem. I avoided the problem so far by adding CNAMEs but this is definitely a better approach.

Wichert.

--
 _________________________________________________________________
/ Nothing is fool-proof to a sufficiently talented fool           \
| wichert at wiggy.net                  http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D  |
I'm using HostKeyAlias for this. Perhaps it's useful to add this option, but HostKeyAlias and CheckHostIP should help, too. However, with HostKeyAlias you need to specify this per target host, e.g.

    Host cvs.openssh.com
        Hostname localhost
        # port 2222 is forwarded to cvs.openssh.com port 22
        Port 2222
        HostKeyAlias cvs.openssh.com

On Tue, Aug 28, 2001 at 03:09:44PM +0000, m.lavy wrote:
> Hello. We are currently installing a new firewall, and would like to use a
> mixture of NAT and port mapping to have a single "gateway" host address
> which exposes a range of open ports, each of which maps to sshd of a
> different host in our internal network (e.g. ssh.jesus.cam.ac.uk on port
> 6789 maps to internal host1 port 22 whereas ssh.jesus.cam.ac.uk on port 6790
> maps to internal host2 port 22).
>
> There is a problem here: client A connects on port 6789 and reaches host1
> successfully; he saves the host key (which the ssh client sees as the host key
> for ssh.jesus.cam.ac.uk) in known_hosts. He then connects on port 6790, but
> on connection will be warned that the host key has changed, because he will
> be connecting to a host that LOOKS as though it is the same as host1, even
> though it is not the same in reality.
>
> I don't know if this is a problem that anyone else has faced, or if
> attempting to solve it is a particularly good idea. However, my solution has
> been to patch the ssh client so that it looks up known hosts by host AND
> PORT. I've patched main() in ssh.c because that seemed the cleanest place to
> do it without making lots of code changes. Patch is attached to this mail.
> I'd be grateful for thoughts on whether this is a sane approach to the
> problem; anyone please feel free to use the patch under the BSD licence.
>
> Apologies if this is not an appropriate list for the mailing.
>
> Regards,
>
> Matthew
>
> --
> Matthew M Lavy MA MPhil ARCM LTCL
> Technical Systems Developer
> Jesus College, Cambridge CB5 8BL
> Tel: 01223 339944
>
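The two approaches discussed in this thread (the original poster's host-and-port lookup, and the HostKeyAlias reply above) can be seen side by side in a small model of the client's known_hosts lookup. This is an added example written for this page, not code from the thread, the attached patch, or OpenSSH itself. The key strings and the known_hosts contents are constructed placeholders; the "[host]:port" naming used for the port-aware case is the form later OpenSSH releases adopted for non-default ports, and the function and variable names are the example's own.

```python
from typing import Dict, Optional, Tuple

# Constructed known_hosts file (placeholder keys, not real host keys).
# Line 1 is what the 2001 client stores after a first connection on port 6789.
# Lines 2-3 use the "[host]:port" form: what a host-and-port lookup keys on,
# and the form later OpenSSH releases adopted for non-default ports.
# Line 4 is an entry under a HostKeyAlias name, independent of gateway and port.
KNOWN_HOSTS = """\
# constructed sample known_hosts
ssh.jesus.cam.ac.uk ssh-rsa AAAAB3NzaC1yc2E-host1-PLACEHOLDER
[ssh.jesus.cam.ac.uk]:6789 ssh-rsa AAAAB3NzaC1yc2E-host1-PLACEHOLDER
[ssh.jesus.cam.ac.uk]:6790 ssh-rsa AAAAB3NzaC1yc2E-host2-PLACEHOLDER
host2.internal ssh-rsa AAAAB3NzaC1yc2E-host2-PLACEHOLDER
"""

HostKey = Tuple[str, str]  # (key type, key material)


def parse_known_hosts(text: str) -> Dict[str, HostKey]:
    """Map each name on a known_hosts line to its key.

    A line is "name[,name...] keytype key [comment]".  Blank lines, '#'
    comments and '@' marker lines (cert-authority, revoked) are skipped
    here to keep the model short."""
    table: Dict[str, HostKey] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@")):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        names, keytype, key = fields[0], fields[1], fields[2]
        for name in names.split(","):
            table[name] = (keytype, key)
    return table


def lookup_name(hostname: str, port: int, alias: Optional[str] = None,
                port_aware: bool = True) -> str:
    """Which known_hosts name the client searches for.

    HostKeyAlias wins when set.  Otherwise a port-aware client uses
    "[host]:port" for non-default ports; the 2001 client used the bare
    hostname regardless of port, which is what causes the collision."""
    if alias:
        return alias
    if port_aware and port != 22:
        return f"[{hostname}]:{port}"
    return hostname


def check_host_key(known: Dict[str, HostKey], hostname: str, port: int,
                   presented: HostKey, alias: Optional[str] = None,
                   port_aware: bool = True) -> str:
    """Return 'match', 'unknown' (first contact) or 'changed' (key mismatch)."""
    stored = known.get(lookup_name(hostname, port, alias, port_aware))
    if stored is None:
        return "unknown"
    return "match" if stored == presented else "changed"


def demo() -> Dict[str, str]:
    """Replay the scenario from the first message under each lookup rule."""
    known = parse_known_hosts(KNOWN_HOSTS)
    gw = "ssh.jesus.cam.ac.uk"
    host1 = ("ssh-rsa", "AAAAB3NzaC1yc2E-host1-PLACEHOLDER")
    host2 = ("ssh-rsa", "AAAAB3NzaC1yc2E-host2-PLACEHOLDER")
    return {
        # 2001 behaviour: both ports resolve to the bare gateway name, so the
        # second connection is reported as a changed key although host2 is
        # simply a different machine behind the same gateway address.
        "old_6789": check_host_key(known, gw, 6789, host1, port_aware=False),
        "old_6790": check_host_key(known, gw, 6790, host2, port_aware=False),
        # host-and-port lookup: each gateway port has its own entry.
        "port_6789": check_host_key(known, gw, 6789, host1),
        "port_6790": check_host_key(known, gw, 6790, host2),
        # HostKeyAlias: lookup keyed on the alias, independent of the port.
        "alias_6790": check_host_key(known, gw, 6790, host2,
                                     alias="host2.internal"),
        # A genuinely different key under the alias is still caught.
        "alias_wrong": check_host_key(known, gw, 6790, host1,
                                      alias="host2.internal"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12} {result}")
```

The "alias_*" cases correspond to an ssh_config stanza of the shape shown in the reply above (one Host block per gateway port, each with its own HostKeyAlias), while the "port_*" cases correspond to the patch's host-and-port lookup, which needs no per-host configuration but does store a separate entry per gateway port. Under either rule a key that really differs from the stored one is still reported as changed, so neither approach weakens the host key check; they only stop two distinct hosts from sharing one known_hosts name.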