Old 03-19-2009, 09:53 PM
dnk
 
Default ssh - alternate ports, and host verification

I have a CentOS box that will need to ssh into 2 other CentOS boxes
(with keys). Now one of these boxes is a firewall, and another is a
system behind the firewall. I have rules in my firewall to punch into
the system behind the FW.

Now if I connect to the IP (since the public one is shared), anytime I
connect to the other system, I get the host verification failed error
and have to remove the IP from the known_hosts file.

What is the best (secure) way to get around this? I know I can disable
the check, but that is not my preferred way.

Thanks.

d




_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 03-19-2009, 10:01 PM
Jerry Franz
 
Default ssh - alternate ports, and host verification

dnk wrote:
> I have a CentOS box that will need to ssh into 2 other CentOS boxes
> (with keys). Now one of these boxes is a firewall, and another is a
> system behind the firewall. I have rules in my firewall to punch into
> the system behind the FW.
>
> Now if I connect to the IP (since the public one is shared), anytime I
> connect to the other system, I get the host verification failed error
> and have to remove the IP from the known_hosts file.
>
> What is the best (secure) way to get around this? I know I can disable
> the check, but that is not my preferred way.
>
There are two ways to do it. The first way is to simply set the host
keys to be the same on all the boxes (copy the contents of the
/etc/ssh/*key* files from one box to all of the boxes). The other way is
to set up separate ssh_config files for each destination with different
known_host files and invoke ssh as 'ssh -F configfile1 host1', 'ssh -F
configfile2 host2', etc.

--
Benjamin Franz
 
Old 03-19-2009, 10:03 PM
dnk
 
Default ssh - alternate ports, and host verification

On 19-Mar-09, at 4:01 PM, Jerry Franz wrote:

> dnk wrote:
>> I have a CentOS box that will need to ssh into 2 other CentOS boxes
>> (with keys). Now one of these boxes is a firewall, and another is a
>> system behind the firewall. I have rules in my firewall to punch into
>> the system behind the FW.
>>
>> Now if I connect to the IP (since the public one is shared), anytime I
>> connect to the other system, I get the host verification failed error
>> and have to remove the IP from the known_hosts file.
>>
>> What is the best (secure) way to get around this? I know I can
>> disable
>> the check, but that is not my preferred way.
>>
> There are two ways to do it. The first way is to simply set the host
> keys to be the same on all the boxes (copy the contents of the
> /etc/ssh/*key* files from one box to all of the boxes). The other
> way is
> to set up separate ssh_config files for each destination with different
> known_host files and invoke ssh as 'ssh -F configfile1 host1', 'ssh -F
> configfile2 host2', etc.
>


Ok, and the way I just figured out that also works is:

If there are several different fingerprints in known_hosts for the
same host (IP), ssh will connect if at least one of them is correct.
So what you can do is

# 1.) move your known_hosts file to a different filename
mv .ssh/known_hosts .ssh/known_hosts.old
# 2.) connect to computer #1, so its host key is written to the (now
#     empty) known_hosts file
ssh you@yourfirstmachine -p port1
# 3.) add the new host key fingerprint to the old known_hosts file
cat .ssh/known_hosts >> .ssh/known_hosts.old
# 4.) remove the new known_hosts file
rm .ssh/known_hosts
# Now you should repeat steps 2-4 for each computer in your NATed network.
# At the end, you simply move the old known_hosts file with the added
# keys back again
mv .ssh/known_hosts.old .ssh/known_hosts

Thanks!

d


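As an added example (not code from the thread): a small Python audit that parses known_hosts and flags an address carrying more than one key of the same type, which is exactly what the merge workaround above produces, since ssh then accepts whichever of those keys the far end presents. It also emits the ssh_config stanza that keeps the check strict by giving each destination its own HostKeyAlias (an OpenSSH client option assumed to be available); the IP, port and key strings are constructed placeholders.

```python
from collections import defaultdict

def parse_known_hosts(text):
    """Return (host, keytype, keydata) tuples for every unhashed entry.
    Handles comma-separated host lists and the [host]:port form; hashed
    (|1|...) entries cannot be audited by name and are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("@"):   # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3 or parts[0].startswith(("#", "|1|")):
            continue
        for host in parts[0].split(","):
            entries.append((host, parts[1], parts[2]))
    return entries

def ambiguous_hosts(text):
    """Hosts carrying more than one distinct key of the same type: ssh accepts
    any of them, so each extra key widens what counts as 'the right host'."""
    seen = defaultdict(lambda: defaultdict(set))
    for host, keytype, keydata in parse_known_hosts(text):
        seen[host][keytype].add(keydata)
    return {h: {t: sorted(k) for t, k in types.items() if len(k) > 1}
            for h, types in seen.items() if any(len(k) > 1 for k in types.values())}

def host_stanza(alias, ip, port, user):
    """ssh_config stanza that pins a distinct host key per alias (HostKeyAlias),
    so one IP on two ports gets two independent known_hosts entries."""
    return (f"Host {alias}\n    HostName {ip}\n    Port {port}\n"
            f"    User {user}\n    HostKeyAlias {alias}\n")

# Constructed sample: the shared public IP has collected two RSA keys, one from
# the firewall and one from the box behind it (the result of the merge above).
SAMPLE = """\
203.0.113.10 ssh-rsa AAAAB3FIREWALLKEYconstructed
203.0.113.10 ssh-rsa AAAAB3INNERBOXKEYconstructed
[203.0.113.10]:2222 ssh-rsa AAAAB3INNERBOXKEYconstructed
|1|saltconstructed=|hashconstructed= ssh-rsa AAAAB3HASHEDKEYconstructed
"""

if __name__ == "__main__":
    for host, types in ambiguous_hosts(SAMPLE).items():
        for keytype, keys in types.items():
            print(f"{host}: {len(keys)} different {keytype} keys, any one is accepted")
    print(host_stanza("fw", "203.0.113.10", 22, "you")
          + host_stanza("inner", "203.0.113.10", 2222, "you"))
```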
 
Old 03-19-2009, 10:07 PM
 
Default ssh - alternate ports, and host verification

Are these on the same ip, but different ports? I suggest setting up two different hostnames.

Russ
------Original Message------
From: dnk
Sender: centos-bounces@centos.org
To: CentOS Mailing list
ReplyTo: CentOS Mailing list
Sent: Mar 19, 2009 6:53 PM
Subject: [CentOS] ssh - alternate ports, and host verification

I have a CentOS box that will need to ssh into 2 other CentOS boxes
(with keys). Now one of these boxes is a firewall, and another is a
system behind the firewall. I have rules in my firewall to punch into
the system behind the FW.

Now if I connect to the IP (since the public one is shared), anytime I
connect to the other system, I get the host verification failed error
and have to remove the IP from the known_hosts file.

What is the best (secure) way to get around this? I know I can disable
the check, but that is not my preferred way.

Thanks.

d



Sent from my Verizon Wireless BlackBerry
 
Old 03-19-2009, 10:19 PM
Dnk
 
Default ssh - alternate ports, and host verification

On 19-Mar-09, at 4:07 PM, russ@vshift.com wrote:

> Are these on the same ip, but different ports? I suggest setting up
> two different hostnames.
>
> Russ
> ------Original Message------
> From: dnk
> Sender: centos-bounces@centos.org
> To: CentOS Mailing list
> ReplyTo: CentOS Mailing list
> Sent: Mar 19, 2009 6:53 PM
> Subject: [CentOS] ssh - alternate ports, and host verification
>
> I have a CentOS box that will need to ssh into 2 other CentOS boxes
> (with keys). Now one of these boxes is a firewall, and another is a
> system behind the firewall. I have rules in my firewall to punch into
> the system behind the FW.
>
> Now if I connect to the IP (since the public one is shared), anytime I
> connect to the other system, I get the host verification failed error
> and have to remove the IP from the known_hosts file.
>
> What is the best (secure) way to get around this? I know I can disable
> the check, but that is not my preferred way.
>
> Thanks.
>
> d

Doh! Great idea.

D