openssh unix dev - Dec 2005 - known_hosts and multiple hosts through a NAT router

The .ssh/known_hosts table cannot handle reaching different sshd
servers behind a NAT router. The machines are selected by having
the SSHDs respond to differnt ports.

A second request would be to allow known_hosts checking solely on
the dns name, wildcarding the IP address. This would be useful
to avoid continuously warning the user every time you connect
to a machine with a changing IP address (e.g. dynamic-ip DSL home machine).
Without that you can fall for DNS typo squatters (e.g my
fingers found     ****.hoemip.net  rather than homeip.net and
I didn't even notice because I was used to the noise warning
that a laptop's IP address had changed.

On December 10, djk at super.org said:

 > The .ssh/known_hosts table cannot handle reaching different sshd
 > servers behind a NAT router. The machines are selected by having
 > the SSHDs respond to differnt ports.
 > 
 > A second request would be to allow known_hosts checking solely on
 > the dns name, wildcarding the IP address. This would be useful
 > to avoid continuously warning the user every time you connect
 > to a machine with a changing IP address (e.g. dynamic-ip DSL home
machine).
 > Without that you can fall for DNS typo squatters (e.g my
 > fingers found     ****.hoemip.net  rather than homeip.net and
 > I didn't even notice because I was used to the noise warning
 > that a laptop's IP address had changed.

Both of these problems should go away if you have ~/.ssh/config
clauses that use HostKeyAlias.  for example:

Host foo
Hostname xyz.homeip.net
HostKeyAlias foo
Port 2222

Host bar
Hostname xyz.homeip.net
HostKeyAlias bar
Port 3333


this also makes it easier for you from the command line.  you just use:

  ssh foo

or 

  ssh bar

to connect.

hth,

	--dkg

On Sat, Dec 10, 2005 at 11:14:04AM -0500, Daniel Kopetzky
wrote:
> The .ssh/known_hosts table cannot handle reaching different sshd
> servers behind a NAT router. The machines are selected by having
> the SSHDs respond to differnt ports.
Someone else has already pointed out HostKeyAlias.  There's also an
enhancement request to add port identifiers (bug #910).
> A second request would be to allow known_hosts checking solely on
> the dns name
You mean like "CheckHostIP no"?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.