comp.security.ssh SSH secure remote login and tunneling tools.

#1
Dear All,

The system administrator at my workplace here has done something that gave me a great deal of mess every time I try to SSH login from Linux.

He has made some kind of port forwarding on a gateway host to protect some internal hosts behind. To SSH access the various hosts behind, I am asked to SSH to the gateway host, and a set of ports have been set aside which map to port 22 for each server behind.

I think you can guess what the problem is. Due to different keys of each host, every time I need to connect to another host through another port I always need to go to known_hosts on my desktop machine to remove the line corresponding to the gateway host, otherwise there will be a key mismatch error preventing me from logging in further.

I think there ought to be better ways to handle this, but as a software developer instead of an admin I am not aware if better methods exist. Or, can we simply prevent the SSH client from writing to known_hosts?

The machines (desktop and servers) are all Linux machines and are all using openssh. I'm pretty sure somebody may have experienced this in the past, but I can find nothing useful on the Web. Thank you.

Regards,
Bernard Chan.

--
Posted via a free Usenet account from http://www.teranews.com

#2
>>>>> "BC" == Bernard Chan <cbkihong@hotmail.com> writes:

BC> Dear All,
BC> The system administrator at my workplace here has done something
BC> that gave me a great deal of mess every time I try to SSH login
BC> from Linux.

BC> He has made some kind of port forwarding on a gateway host to
BC> protect some internal hosts behind. To SSH access the various
BC> hosts behind, I am asked to SSH to the gateway host, and a set of
BC> ports have been set aside which map to port 22 for each server
BC> behind.

BC> I think you can guess what the problem is. Due to different keys
BC> of each host, every time I need to connect to another host through
BC> another port I always need to go to known_hosts on my desktop
BC> machine to remove the line corresponding to the gateway host,
BC> otherwise there will be a key mismatch error preventing me from
BC> logging in further.

BC> I think there ought to be better ways to handle this, but as a
BC> software developer instead of an admin I am not aware if better
BC> methods exist. Or, can we simply prevent the SSH client from
BC> writing to known_hosts?

BC> The machines (desktop and servers) are all Linux machines and are
BC> all using openssh. I'm pretty sure somebody may have experienced
BC> this in the past, but I can find nothing useful on the Web. Thank
BC> you.

BC> Regards, Bernard Chan.

BC> -- Posted via a free Usenet account from http://www.teranews.com

[~/.ssh/config]

host foo
  hostname gateway
  port 1

host bar
  hostname gateway
  port 2

....

--
  Richard Silverman
  res@qoxp.net

#3
On 2006-11-07, Richard E. Silverman <res@qoxp.net> wrote:
>>>>>> "BC" == Bernard Chan <cbkihong@hotmail.com> writes:
>
> BC> He has made some kind of port forwarding on a gateway host to
> BC> protect some internal hosts behind. To SSH access the various
> BC> hosts behind, I am asked to SSH to the gateway host, and a set of
> BC> ports have been set aside which map to port 22 for each server
> BC> behind.
[...]
> [~/.ssh/config]
>
> host foo
>   hostname gateway
>   port 1
>
> host bar
>   hostname gateway
>   port 2

If you're using OpenSSH, also see HostKeyAlias (it's in most versions).

If you're using a 4.4x client or newer, it will append the port number to the host identifier when you use a nonstandard port.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
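
The effect of the two suggestions in the last reply (HostKeyAlias and the port-qualified host identifier), as an added example that is not part of the original thread: a small Python model of which known_hosts name the client looks up for each Host block, so every internal server keeps its own pinned key. The ports, the host baz and the alias baz.internal are constructed; `[host]:port` is the form OpenSSH writes for a non-default port.

```python
# Added illustration: which name the OpenSSH client looks up in known_hosts per
# Host block. Simplified parser (assumption): no wildcards, Match or Include.
def parse_ssh_config(text):
    """Return {host_alias: {option: value}} for each Host block."""
    hosts, current = {}, None
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, value)  # first value obtained wins
    return hosts

def known_hosts_name(alias, opts, port_aware=True):
    """known_hosts lookup name; port_aware=False models a pre-4.4 client."""
    if "hostkeyalias" in opts:
        return opts["hostkeyalias"]      # alias replaces host and port
    host = opts.get("hostname", alias)
    port = int(opts.get("port", 22))
    if port_aware and port != 22:
        return "[%s]:%d" % (host, port)  # port-qualified identifier
    return host

def collisions(hosts, port_aware=True):
    """Map each known_hosts name shared by 2+ Host blocks to those blocks."""
    seen = {}
    for alias, opts in hosts.items():
        seen.setdefault(known_hosts_name(alias, opts, port_aware), []).append(alias)
    return {name: group for name, group in seen.items() if len(group) > 1}

# Constructed sample: the thread's layout with made-up ports and a third,
# hypothetical host "baz" that sets HostKeyAlias.
SAMPLE = """
Host foo
    HostName gateway
    Port 2201
Host bar
    HostName gateway
    Port 2202
Host baz
    HostName gateway
    Port 2203
    HostKeyAlias baz.internal
"""
if __name__ == "__main__":
    for aware in (False, True):
        print("port-aware client:", aware, collisions(parse_ssh_config(SAMPLE), aware))
```

On the older client model only foo and bar share the name `gateway`; baz is already distinct through its alias, and the port-aware model separates all three.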