[CentOS] ssh - alternate ports, and host verification

Thu Mar 19 23:03:48 UTC 2009
dnk <d.k.emaillists at gmail.com>

On 19-Mar-09, at 4:01 PM, Jerry Franz wrote:

> dnk wrote:
>> I have a centos box that will need to ssh into 2 other centos boxes
>> (with keys). Now one of these boxes is a firewall, and another is a
>> system behind the firewall. I have rules in my firewall to punch into
>> the system behind the FW.
>>
>> Now if i connect to the IP (sine the public one is shared), anytime i
>> connect to the other system, I get the host verification failed error
>> and have to remove the IP from the known_hosts file.
>>
>> What is the best (secure) way to get around this? I know i can  
>> disable
>> the check, but that is not my preferred way.
>>
> There are two ways to do it. The first way is to simply set the host
> keys to be the same on all the boxes (copy the contents of the
> /etc/ssh/*key* files from one box to all of the boxes). The other  
> way is
> to setup separate ssh_config files for each destination with different
> known_host files and invoke ssh as 'ssh -F configfile1 host1', 'ssh -F
> configfile2 host2', etc.
>


Ok, and the way I just figured out that also works is:

If there are several different fingerprints in known_hosts for the  
same host (IP), ssh will connect if at least one of them is correct.  
So what you can do is

# 1.) move your known_hosts file to a different filename
mv .ssh/known_hosts .ssh/known_hosts.old
# 2.) connect to computer #1, so its host key is written to the (now  
empty) known_hosts file
ssh you at yourfirstmachine -p port1
# 3.) add the new host key fingerprint to the old known_hosts file
cat .ssh/known_hosts >>.ssh/known_hosts.old
# 4.) remove the new known_hosts file
rm .ssh/known_hosts
# Now you should repeat steps 2-4 for each computer in you nated network
# At the end, you simply move the old known_hosts file with the added  
keys back again
mv .ssh/known_hosts.old .ssh/known_hosts

Thanks!

d