On 19-Mar-09, at 4:01 PM, Jerry Franz wrote:
dnk wrote:
I have a CentOS box that will need to ssh into 2 other CentOS boxes (with keys). Now one of these boxes is a firewall, and another is a system behind the firewall. I have rules in my firewall to punch into the system behind the FW.
Now if I connect to the IP (since the public one is shared), any time I connect to the other system, I get the host verification failed error and have to remove the IP from the known_hosts file.
What is the best (secure) way to get around this? I know I can disable the check, but that is not my preferred way.
There are two ways to do it. The first way is to simply set the host keys to be the same on all the boxes (copy the contents of the /etc/ssh/*key* files from one box to all of the boxes). The other way is to set up separate ssh_config files for each destination with different known_hosts files and invoke ssh as 'ssh -F configfile1 host1', 'ssh -F configfile2 host2', etc.
Ok, and the way I just figured out that also works is:
If there are several different fingerprints in known_hosts for the same host (IP), ssh will connect if at least one of them is correct. So what you can do is
# 1.) move your known_hosts file to a different filename
mv .ssh/known_hosts .ssh/known_hosts.old
# 2.) connect to computer #1, so its host key is written to the (now empty) known_hosts file
ssh you@yourfirstmachine -p port1
# 3.) add the new host key fingerprint to the old known_hosts file
cat .ssh/known_hosts >>.ssh/known_hosts.old
# 4.) remove the new known_hosts file
rm .ssh/known_hosts
# Now you should repeat steps 2-4 for each computer in your NATed network
# At the end, you simply move the old known_hosts file with the added keys back again
mv .ssh/known_hosts.old .ssh/known_hosts
Thanks!
d
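The merge step of the procedure above (step 3, appending each freshly written known_hosts to the saved one), as an added example that is not part of the thread: kh_merge appends only entries the saved file does not already have, so re-running the loop never duplicates a key, and kh_count reports how many host keys a given address ends up with, counting both plain "host" entries and the "[host]:port" form OpenSSH writes for non-default ports. The addresses and key strings are constructed placeholders; nothing here talks to the network.

```shell
#!/bin/sh
# Added example, not from the thread. POSIX sh; no ssh binaries needed to run it.

# kh_merge SAVED NEW: append every host-key line of NEW that SAVED lacks (exact match).
# This replaces the plain "cat new >> old" from the mail with an idempotent merge.
kh_merge() {
    saved="$1"; new="$2"
    [ -f "$saved" ] || : > "$saved"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac          # skip blanks and comments
        grep -qxF -- "$line" "$saved" || printf '%s\n' "$line" >> "$saved"
    done < "$new"
}

# kh_count FILE HOST: number of key lines whose host field covers HOST.
# The host field may be a comma-separated list, and a non-default port is written
# as "[host]:port"; both are normalised before comparing. Hashed (|1|...) lines
# cannot be matched this way and are simply not counted.
kh_count() {
    file="$1"; host="$2"
    grep -v '^#' "$file" | awk -v h="$host" '
        { n = split($1, hs, ",")
          for (i = 1; i <= n; i++) {
              f = hs[i]; sub(/^\[/, "", f); sub(/\]:[0-9]+$/, "", f)
              if (f == h) { c++; break }
          } }
        END { print c + 0 }'
}

# kh_demo: constructed walk-through of the thread's loop in a temp dir.
# The firewall (port 22) and the box behind it (forwarded port 2222) share the
# public address 192.0.2.10; each per-machine file stands in for the fresh
# known_hosts that ssh writes at step 2. Prints the number of keys kept for the IP.
kh_demo() {
    dir=$(mktemp -d)
    printf '%s\n' '192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDKEY1' > "$dir/fw"
    printf '%s\n' '[192.0.2.10]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDKEY2' > "$dir/inner"
    kh_merge "$dir/known_hosts" "$dir/fw"
    kh_merge "$dir/known_hosts" "$dir/inner"
    kh_merge "$dir/known_hosts" "$dir/inner"      # repeating a machine adds nothing
    kh_count "$dir/known_hosts" 192.0.2.10          # prints 2
    rm -rf "$dir"
}
```

Each key still has to be checked against the fingerprint obtained from the machine itself before the merge, since the merge only de-duplicates what ssh already accepted.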