10

I have two machines behind a firewall, with the ssh ports forwarded to 2201 and 2202.

When I

ssh host -p 2201

it asks if I trust the machine, I say yes, it gets added to ~/.ssh/known_hosts

Then I 

ssh host -p 2202

It doesn't let me, because there's already an entry for this IP in ~/.ssh/known_host:1 (the file was empty when I started, so line 1 is the one added by the previous ssh run).

This happens on CentOS 5.4.

On other distros (I've tried Arch), it appears that ssh matches the known_hosts to the ports too, so I can have multiple fingerprints for multiple ports on the same host/ip without any problems.

How can I get this same behavior for CentOS?

I couldn't find anything in man ssh_config (or at least not without disabling fingerprint checking).

I've found a temporary solution. If the known_hosts file has more than one entry for the same IP, it will check all of them before concluding something is wrong. But I'd really hate this to be the solution.

Adrian Frühwirth
  • 356
  • 5
  • 16
Prody
  • 603
  • 3
  • 7
  • 16

4 Answers4

8

~/.ssh/config:

Host foohost-2201
    Hostname foohost.domain.tld
    # This should comply with the format used in OpenSSH 5.
    HostkeyAlias "[foohost.domain.tld]:2201"
    User username
    Port 2201

And seriously, upgrade.

user1686
  • 8,717
  • 25
  • 38
  • I did yum update, but aparently that's what's in the repos for the latest CentOS. CentOS 5.5 is out today, will see about that. – Prody May 14 '10 at 09:46
5

The version of OpenSSH that comes with CentOS 5 does not support port numbers in known_hosts. You will need to build and install a newer version if you want this to work.

Ignacio Vazquez-Abrams
  • 45,019
  • 5
  • 78
  • 84
4

Use this if your openssh client does not support host+port based entries:

The directive 'GlobalKnownHostsFile' can be misused to point to a different file for each of your 2 firewalled machines (here Alice and Bob). However these two files have to be prepared with correct host keys of either alice or bob in advance as they are not written to when accepting unknown keys.

It's not really fun to set up but once it's done it works.

My previous workaround before this was 'StrictHostKeyChecking no' which does not allow ssh-agent to forward keys nor to have ports forwarded (blocked by openssh when used).

My .ssh/config looked like this until recently:

Host hoppingstation
        Hostname loginhost.somewhere.net
        User me
        LocalForward 2201 alice.somewhere.net:22
        LocalForward 2202 bob.somewhere.net:22
Host alice
        Hostname localhost
        Port 2201
        User root
        ForwardAgent yes
        GlobalKnownHostsFile /home/me/.ssh/known_hosts_alice
Host bob
        Hostname localhost
        Port 2202
        User root
        ForwardAgent yes
        GlobalKnownHostsFile /home/me/.ssh/known_hosts_bob
chris
  • 41
  • 2
1

my solution; add detailed host information to ~/.ssh/config:

Host <someidentifier>
    Hostname ip.add.re.ss
    StrictHostKeyChecking no
    User username
    Port 2201

Host <someotheridentifier>
    Hostname ip.add.re.ss
    StrictHostKeyChecking no
    User username
    Port 2202

then you can do ssh someidentifier without even having to supply -p etc.

cpbills
  • 2,692
  • 17
  • 12
  • This is unacceptable because I don't want to disable key checking. – Prody May 13 '10 at 16:32
  • sorry i didn't read that in your question. you're left with the option of downloading the source for OpenSSH and modifying it heavily then. there does not seem to be a compile-time option to enable per port host keys. i guess my followup question would be; why is 1 host, with multiple ports, giving a different hostkey? if each port, through port forwarding and whatnot, leads to different hosts, why not share the hostkey with each host, there's nothing 'wrong' with that, and it would prevent the error. – cpbills May 13 '10 at 16:38
  • @Prody this site; http://fixunix.com/ssh/73420-including-port-number-known_hosts.html also indicates someone with a similar issue, and they hand-edit `~/.ssh/known_hosts` to add multiple keys for the same hostname. maybe that will work? – cpbills May 13 '10 at 17:04