Linux Archive - CentOS: ssh - alternate ports, and host verification
(http://www.linux-archive.org/centos/266540-ssh-alternate-ports-host-verification.html)

dnk 03-19-2009 09:53 PM

ssh - alternate ports, and host verification
 
I have a centos box that will need to ssh into 2 other centos boxes
(with keys). Now one of these boxes is a firewall, and another is a
system behind the firewall. I have rules in my firewall to punch into
the system behind the FW.

Now if I connect to the IP (since the public one is shared), anytime I
connect to the other system, I get the host verification failed error
and have to remove the IP from the known_hosts file.

What is the best (secure) way to get around this? I know I can disable
the check, but that is not my preferred way.

Thanks.

d




_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Jerry Franz 03-19-2009 10:01 PM

ssh - alternate ports, and host verification
 
dnk wrote:
> I have a centos box that will need to ssh into 2 other centos boxes
> (with keys). Now one of these boxes is a firewall, and another is a
> system behind the firewall. I have rules in my firewall to punch into
> the system behind the FW.
>
> Now if I connect to the IP (since the public one is shared), anytime I
> connect to the other system, I get the host verification failed error
> and have to remove the IP from the known_hosts file.
>
> What is the best (secure) way to get around this? I know I can disable
> the check, but that is not my preferred way.
>
There are two ways to do it. The first way is to simply set the host
keys to be the same on all the boxes (copy the contents of the
/etc/ssh/*key* files from one box to all of the boxes). The other way is
to set up separate ssh_config files for each destination with different
known_host files and invoke ssh as 'ssh -F configfile1 host1', 'ssh -F
configfile2 host2', etc.

--
Benjamin Franz

dnk 03-19-2009 10:03 PM

ssh - alternate ports, and host verification
 
On 19-Mar-09, at 4:01 PM, Jerry Franz wrote:

> dnk wrote:
>> I have a centos box that will need to ssh into 2 other centos boxes
>> (with keys). Now one of these boxes is a firewall, and another is a
>> system behind the firewall. I have rules in my firewall to punch into
>> the system behind the FW.
>>
>> Now if I connect to the IP (since the public one is shared), anytime I
>> connect to the other system, I get the host verification failed error
>> and have to remove the IP from the known_hosts file.
>>
>> What is the best (secure) way to get around this? I know I can disable
>> the check, but that is not my preferred way.
>>
> There are two ways to do it. The first way is to simply set the host
> keys to be the same on all the boxes (copy the contents of the
> /etc/ssh/*key* files from one box to all of the boxes). The other way is
> to set up separate ssh_config files for each destination with different
> known_host files and invoke ssh as 'ssh -F configfile1 host1', 'ssh -F
> configfile2 host2', etc.
>


Ok, and the way I just figured out that also works is:

If there are several different fingerprints in known_hosts for the
same host (IP), ssh will connect if at least one of them is correct.
So what you can do is

# 1.) move your known_hosts file to a different filename
mv .ssh/known_hosts .ssh/known_hosts.old
# 2.) connect to computer #1, so its host key is written to the (now
#     empty) known_hosts file
ssh you@yourfirstmachine -p port1
# 3.) add the new host key fingerprint to the old known_hosts file
cat .ssh/known_hosts >>.ssh/known_hosts.old
# 4.) remove the new known_hosts file
rm .ssh/known_hosts
# Now you should repeat steps 2-4 for each computer in your NATed network.
# At the end, you simply move the old known_hosts file with the added
# keys back again
mv .ssh/known_hosts.old .ssh/known_hosts

Thanks!

d


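The merge-by-hand procedure above leaves one IP with several keys in known_hosts, and as dnk notes ssh then accepts whichever of the pinned keys the server presents. The script below is an added example, not code from the thread, that audits a known_hosts file for exactly that state so you can see which names are pinned to more than one key. The sample file and the key strings in it are constructed placeholders, not real host keys.

```shell
#!/bin/sh
# Added example (not from the thread): audit a known_hosts file for names that
# are pinned to more than one key of the same type. That is the state the
# merge-by-hand procedure produces for a shared IP, and ssh will accept any of
# the pinned keys for that name. The sample file and the key strings below are
# constructed placeholders, not real host keys.

set -eu

# multi_key_hosts KNOWN_HOSTS_FILE
# Prints "name keytype count" for every name/keytype pair with more than one
# distinct key. Plain names and the [name]:port form are both handled; comment
# lines, blank lines, @cert-authority / @revoked marker lines and hashed (|1|)
# entries are skipped, since none of those is an ordinary pinned host key.
multi_key_hosts() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 ~ /^@/                { next }
        index($1, "|1|") == 1    { next }
        {
            n = split($1, names, ",")
            type = $2
            key  = $3
            for (j = 1; j <= n; j++) {
                pair = names[j] SUBSEP type
                k = pair SUBSEP key
                if (!(k in seen)) {          # count each distinct key once
                    seen[k] = 1
                    count[pair]++
                }
            }
        }
        END {
            for (pair in count) {
                if (count[pair] > 1) {
                    split(pair, p, SUBSEP)
                    print p[1], p[2], count[pair]
                }
            }
        }
    ' "$1" | sort
}

# Constructed sample: 203.0.113.10 has collected two different RSA keys (the
# firewall's and the internal box's), the [host]:port entry and the alias "fw"
# each have one, and the duplicate line is counted only once.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed known_hosts for the demo; key material is fake
203.0.113.10 ssh-rsa AAAAB3FAKEKEYFIREWALL
203.0.113.10,fw ssh-rsa AAAAB3FAKEKEYINSIDE
[203.0.113.10]:2222 ssh-rsa AAAAB3FAKEKEYINSIDE
203.0.113.10 ssh-rsa AAAAB3FAKEKEYFIREWALL
@revoked 203.0.113.10 ssh-rsa AAAAB3OLDREVOKEDKEY
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3HASHEDENTRY
EOF

multi_key_hosts "$sample"
# prints: 203.0.113.10 ssh-rsa 2
rm -f "$sample"
```

Run it against your real file with `multi_key_hosts ~/.ssh/known_hosts`; every name it prints is one where the client will accept more than one server identity, which is what the alias-based configurations in this thread avoid.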

Russ (russ@vshift.com) 03-19-2009 10:07 PM

ssh - alternate ports, and host verification
 
Are these on the same ip, but different ports? I suggest setting up two different hostnames.

Russ
------Original Message------
From: dnk
Sender: centos-bounces@centos.org
To: CentOS Mailing list
ReplyTo: CentOS Mailing list
Sent: Mar 19, 2009 6:53 PM
Subject: [CentOS] ssh - alternate ports, and host verification

I have a centos box that will need to ssh into 2 other centos boxes
(with keys). Now one of these boxes is a firewall, and another is a
system behind the firewall. I have rules in my firewall to punch into
the system behind the FW.

Now if I connect to the IP (since the public one is shared), anytime I
connect to the other system, I get the host verification failed error
and have to remove the IP from the known_hosts file.

What is the best (secure) way to get around this? I know I can disable
the check, but that is not my preferred way.

Thanks.

d




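Jerry's second option (a config per destination, selected with -F, each with its own known_hosts) and Russ's suggestion (a different hostname per destination) come together in one client config, shown below as an added example that is not code from the thread. It assumes the placeholder address 203.0.113.10, ports 22 and 2222, user admin, the aliases fw and inside, and key files id_fw and id_inside; the helper functions alias_for_port, hostkeyalias_of and hostkeyalias_collisions are mine, added so the layout can be checked without a live server.

```shell
#!/bin/sh
# Added example (not from the thread): one ssh client config with a separate
# alias per destination. HostKeyAlias makes ssh file each destination's key
# under the alias name in known_hosts, so two sshd instances reached through
# the same public IP on different ports stop overwriting each other's entry.
# The address 203.0.113.10, ports 22/2222, user "admin", aliases "fw" and
# "inside" and the key file names are constructed placeholders.

set -eu

# write_alias_config CONFIG_FILE
# Writes the per-alias client configuration to CONFIG_FILE.
write_alias_config() {
    cfg=$1
    cat > "$cfg" <<'EOF'
# The firewall itself, sshd on the default port.
Host fw
    HostName 203.0.113.10
    Port 22
    User admin
    IdentityFile ~/.ssh/id_fw
    HostKeyAlias fw
    StrictHostKeyChecking yes

# The box behind the firewall, reached through a port forward on the same IP.
Host inside
    HostName 203.0.113.10
    Port 2222
    User admin
    IdentityFile ~/.ssh/id_inside
    HostKeyAlias inside
    StrictHostKeyChecking yes
EOF
}

# alias_for_port CONFIG_FILE PORT
# Prints the alias whose Host block sets "Port PORT".
alias_for_port() {
    awk -v want="$2" '
        $1 == "Host"                 { alias = $2 }
        $1 == "Port" && $2 == want   { print alias }
    ' "$1"
}

# hostkeyalias_of CONFIG_FILE ALIAS
# Prints the name under which ALIAS stores its host key in known_hosts.
hostkeyalias_of() {
    awk -v want="$2" '
        $1 == "Host"                          { cur = $2 }
        $1 == "HostKeyAlias" && cur == want   { print $2 }
    ' "$1"
}

# hostkeyalias_collisions CONFIG_FILE
# Prints any HostKeyAlias value shared by more than one Host block; two
# blocks sharing one would recreate the original known_hosts clash.
hostkeyalias_collisions() {
    awk '$1 == "HostKeyAlias" { n[$2]++ } END { for (a in n) if (n[a] > 1) print a }' "$1"
}

# Demo against a throwaway directory rather than the real ~/.ssh.
demo=$(mktemp -d)
write_alias_config "$demo/config"
echo "port 2222 is reached via alias: $(alias_for_port "$demo/config" 2222)"
echo "known_hosts name for 'inside':  $(hostkeyalias_of "$demo/config" inside)"
echo "colliding HostKeyAlias values:  $(hostkeyalias_collisions "$demo/config")"
# Use it as: ssh -F "$demo/config" inside
# or install it as ~/.ssh/config and simply run: ssh inside
```

With StrictHostKeyChecking set to yes the first connection refuses an unknown key, so each server's key is added once under its alias name; leaving the option at its default instead prompts on first contact. A per-Host `UserKnownHostsFile ~/.ssh/known_hosts.inside` line would give each alias its own file, which is Jerry's separate-known_hosts layout without the -F switch. Jerry's first option, copying one host key to every box, also silences the error, but the firewall and the internal machine then hold the same secret and the client can no longer tell them apart by key.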

Dnk 03-19-2009 10:19 PM

ssh - alternate ports, and host verification
 
On 19-Mar-09, at 4:07 PM, russ@vshift.com wrote:

> Are these on the same ip, but different ports? I suggest setting up
> two different hostnames.
>
> Russ
> ------Original Message------
> From: dnk
> Sender: centos-bounces@centos.org
> To: CentOS Mailing list
> ReplyTo: CentOS Mailing list
> Sent: Mar 19, 2009 6:53 PM
> Subject: [CentOS] ssh - alternate ports, and host verification
>
> I have a centos box that will need to ssh into 2 other centos boxes
> (with keys). Now one of these boxes is a firewall, and another is a
> system behind the firewall. I have rules in my firewall to punch into
> the system behind the FW.
>
> Now if I connect to the IP (since the public one is shared), anytime I
> connect to the other system, I get the host verification failed error
> and have to remove the IP from the known_hosts file.
>
> What is the best (secure) way to get around this? I know I can disable
> the check, but that is not my preferred way.
>
> Thanks.
>
> d
>

Doh! Great idea.

D

