Jeffrey Altman <[EMAIL PROTECTED]> writes:
> > I am not sure that this is apropos for this conversation, but another
> > scenario that I run into is the fact that I run ssh on my
> > gateway/router/firewall machine and also port forwarding ssh to intranet
> > machines. So depending on the port I use, I ssh into different boxes
> > behind the firewall. SSH seems to give me a warning since it always appears
> > that I am ssh'ing into the same machine but it has different public keys
> > (different intranet machines) depending on the port.
>
> In other words you are authenticating against the wrong machine and
> SSH doesn't have a method to allow you to authenticate against the
> correct one.
Well, it is a little tricky to do this right, as long as ssh isn't
even told which machine you really want to talk to. It would be doable
to add a flag to say "I want to talk to a host with this particular
host key". Or to associate a hostkey with an identity of the type
fw_hostname:port.
Hmm... Perhaps you can even do that today, using aliases in the
.ssh/config file.
I believe the ssh-client uses the hostname exactly as passed on the
command line when looking up hostkeys, and that's it. So you could try
creating an alias "foohost" that maps to a particular port on the fw,
and hope that ssh uses the name foohost when searching for the right
key in .ssh/known_hosts. No, I haven't tried that.
You could get a similar effect by using extra CNAMEs in your DNS or
/etc/hosts, I guess, but that's getting pretty kludgy.
Anyway, I think this problem is mostly an implementation issue, not a
protocol one.
/Niels
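As an added illustration (not part of this thread, and not any ssh implementation's own code), here is the lookup rule later OpenSSH settled on for the situation Jeffrey describes: entries for non-default ports are keyed as "[host]:port" rather than the bare hostname, so each forwarded port on the firewall gets its own key, and names may optionally be stored hashed. Hostnames, ports, salt and key strings below are constructed samples, and the parser ignores @-marker lines for brevity.

```python
import base64
import hashlib
import hmac

def host_pattern(host: str, port: int = 22) -> str:
    """Name looked up in known_hosts: bare host on port 22, "[host]:port"
    otherwise, so one firewall address yields distinct entries per port."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_hostname(name: str, salt: bytes) -> str:
    """Build a HashKnownHosts-style field: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())

def hashed_match(field: str, name: str) -> bool:
    """Check a hashed name field against a host pattern (constant-time compare)."""
    _, _, salt_b64, digest_b64 = field.split("|", 3)
    salt = base64.b64decode(salt_b64)
    actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))

def lookup_host_key(known_hosts: str, host: str, port: int = 22):
    """Return (keytype, key) of the first entry matching host:port, or None."""
    name = host_pattern(host, port)
    for line in known_hosts.splitlines():
        parts = line.strip().split(maxsplit=2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        names, keytype, rest = parts
        key = rest.split()[0]  # drop any trailing comment
        if names.startswith("|1|"):
            matched = hashed_match(names, name)
        else:
            matched = name in names.split(",")  # comma-separated aliases
        if matched:
            return keytype, key
    return None

# Constructed sample file: the firewall itself on port 22, two intranet
# boxes forwarded on 2201/2202, and a hashed entry for a third on 2203.
SALT = b"0123456789abcdef0123"  # 20-byte salt, the length OpenSSH uses
KNOWN_HOSTS = "\n".join([
    "fw.example.com ssh-ed25519 AAAAfwkey",
    "[fw.example.com]:2201 ssh-ed25519 AAAAboxAkey",
    "[fw.example.com]:2202 ssh-ed25519 AAAAboxBkey",
    hash_hostname(host_pattern("fw.example.com", 2203), SALT) + " ssh-ed25519 AAAAboxCkey",
])

if __name__ == "__main__":
    for port in (22, 2201, 2202, 2203, 2204):
        print(port, lookup_host_key(KNOWN_HOSTS, "fw.example.com", port))
```

Port 2204 has no entry and returns None, which is the point at which a real client would prompt for a new key rather than silently reusing the firewall's.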