The .ssh/known_hosts table cannot handle reaching different sshd servers behind a NAT router. The machines are selected by having the SSHDs respond to different ports.

A second request would be to allow known_hosts checking solely on the dns name, wildcarding the IP address. This would be useful to avoid continuously warning the user every time you connect to a machine with a changing IP address (e.g. dynamic-ip DSL home machine). Without that you can fall for DNS typo squatters (e.g. my fingers found ****.hoemip.net rather than homeip.net and I didn't even notice because I was used to the noise warning that a laptop's IP address had changed).
Daniel Kahn Gillmor
2005-Dec-12  15:52 UTC
known_hosts and multiple hosts through a NAT router
On December 10, djk at super.org said:

> The .ssh/known_hosts table cannot handle reaching different sshd
> servers behind a NAT router. The machines are selected by having
> the SSHDs respond to different ports.
>
> A second request would be to allow known_hosts checking solely on
> the dns name, wildcarding the IP address. This would be useful
> to avoid continuously warning the user every time you connect
> to a machine with a changing IP address (e.g. dynamic-ip DSL home machine).
> Without that you can fall for DNS typo squatters (e.g. my
> fingers found ****.hoemip.net rather than homeip.net and
> I didn't even notice because I was used to the noise warning
> that a laptop's IP address had changed).

Both of these problems should go away if you have ~/.ssh/config clauses that use HostKeyAlias. for example:

    Host foo
    Hostname xyz.homeip.net
    HostKeyAlias foo
    Port 2222

    Host bar
    Hostname xyz.homeip.net
    HostKeyAlias bar
    Port 3333

this also makes it easier for you from the command line. you just use:

    ssh foo

or

    ssh bar

to connect.

hth,

--dkg
On Sat, Dec 10, 2005 at 11:14:04AM -0500, Daniel Kopetzky wrote:

> The .ssh/known_hosts table cannot handle reaching different sshd
> servers behind a NAT router. The machines are selected by having
> the SSHDs respond to different ports.

Someone else has already pointed out HostKeyAlias. There's also an enhancement request to add port identifiers (bug #910).

> A second request would be to allow known_hosts checking solely on
> the dns name

You mean like "CheckHostIP no"?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
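
An added example, not part of the thread and not OpenSSH code: a small Python check that reads ssh_config text and reports Host blocks that would be filed under one known_hosts name while pointing at different ports, which is the collision described in the first message and avoided by HostKeyAlias. It assumes the name-only known_hosts lookup the thread describes; the function names, the sample config and the hosts bar and baz in it are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: three sshd servers behind one NAT address.
# Only "foo" sets HostKeyAlias, as in the reply above.
SAMPLE_CONFIG = """\
Host foo
    Hostname xyz.homeip.net
    HostKeyAlias foo
    Port 2222

Host bar
    Hostname xyz.homeip.net
    Port 3333

Host baz
    Hostname xyz.homeip.net
    Port 4444
"""

def parse_hosts(text):
    """Return {host_pattern: {lowercased_keyword: value}} per Host block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config allows "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = blocks.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, value)  # first value obtained wins
    return blocks

def known_hosts_name(host, opts):
    """Name the key is looked up under: HostKeyAlias if set, else Hostname."""
    return opts.get("hostkeyalias") or opts.get("hostname", host)

def find_collisions(text):
    """Map each shared known_hosts name to the (host, port) blocks that clash."""
    by_name = defaultdict(list)
    for host, opts in parse_hosts(text).items():
        by_name[known_hosts_name(host, opts)].append((host, opts.get("port", "22")))
    return {name: sorted(entries) for name, entries in by_name.items()
            if len({port for _, port in entries}) > 1}

if __name__ == "__main__":
    for name, entries in find_collisions(SAMPLE_CONFIG).items():
        print(f"{name}: add HostKeyAlias to {entries}")
```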