12

I have two machines behind a firewall, with the ssh ports forwarded to 2201 and 2202.

When I

ssh host -p 2201 

it asks if I trust the machine, I say yes, it gets added to ~/.ssh/known_hosts

Then I

ssh host -p 2202 

It doesn't let me, because there's already an entry for this IP in ~/.ssh/known_hosts:1 (the file was empty when I started, so line 1 is the one added by the previous ssh run).

This happens on CentOS 5.4.

On other distros (I've tried Arch), it appears that ssh matches the known_hosts to the ports too, so I can have multiple fingerprints for multiple ports on the same host/ip without any problems.

How can I get this same behavior for CentOS?

I couldn't find anything in man ssh_config (or at least not without disabling fingerprint checking).

I've found a temporary solution. If the known_hosts file has more than one entry for the same IP, it will check all of them before concluding something is wrong. But I'd really hate this to be the solution.

4 Answers

5

The version of OpenSSH that comes with CentOS 5 does not support port numbers in known_hosts. You will need to build and install a newer version if you want this to work.

9

~/.ssh/config:

    Host foohost-2201
        Hostname foohost.domain.tld
        # This should comply with the format used in OpenSSH 5.
        HostKeyAlias "[foohost.domain.tld]:2201"
        User username
        Port 2201

And seriously, upgrade.

1
  • I did yum update, but apparently that's what's in the repos for the latest CentOS. CentOS 5.5 is out today, will see about that. Commented May 14, 2010 at 9:46
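As an added illustration (not code from any of the answers), the following Python models the known_hosts lookup the answers are arguing about: a port-aware client searches for "[host]:port" (or for the HostKeyAlias when one is configured), while a client without port support searches the bare host name for every port, which is exactly why the asker's second forwarded port trips a mismatch. Host names, addresses, salts and key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample file; host names, addresses and key blobs are placeholders.
KNOWN_HOSTS = """\
fw.example.net,203.0.113.10 ssh-rsa AAAAKEY_FIREWALL
# per-port entries, as a port-aware client writes them after -p 2201 / -p 2202
[fw.example.net]:2201,[203.0.113.10]:2201 ssh-rsa AAAAKEY_ALICE
[fw.example.net]:2202,[203.0.113.10]:2202 ssh-rsa AAAAKEY_BOB
"""

def lookup_name(host, port=22, port_aware=True, alias=None):
    """HostKeyAlias if set; else the bare host, or [host]:port on a port-aware client."""
    if alias:
        return alias
    return f"[{host}]:{port}" if port_aware and port != 22 else host

def hash_hostname(name, salt):
    """Hashed form written by ssh-keygen -H: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def _matches(pattern, name):
    if pattern.startswith("|1|"):  # hashed entry: recompute with the stored salt
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(hash_hostname(name, salt), pattern)
    # OpenSSH patterns know only '*' and '?'; the brackets of [host]:port are literal
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name) is not None

def host_keys(known_hosts, name):
    """Every (key_type, key) whose name list matches; a '!pattern' vetoes its line."""
    found = []
    for line in known_hosts.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        names, key_type, key = line.split()[:3]
        patterns = names.split(",")
        if any(_matches(p[1:], name) for p in patterns if p.startswith("!")):
            continue
        if any(_matches(p, name) for p in patterns if not p.startswith("!")):
            found.append((key_type, key))
    return found

def check_host_key(known_hosts, host, port, key_type, key, port_aware=True, alias=None):
    """'unknown' (client offers to add the key), 'ok', or 'mismatch' (the asker's error)."""
    keys = host_keys(known_hosts, lookup_name(host, port, port_aware, alias))
    return "unknown" if not keys else "ok" if (key_type, key) in keys else "mismatch"
```

With port_aware=False and a single bare-address line, the second port's different key is reported as a mismatch; the asker's stopgap of a second bare-address line, and the HostKeyAlias trick, both make the same lookup return "ok".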
4

Use this if your openssh client does not support host+port based entries:

The directive 'GlobalKnownHostsFile' can be misused to point to a different file for each of your 2 firewalled machines (here Alice and Bob). However these two files have to be prepared with correct host keys of either alice or bob in advance as they are not written to when accepting unknown keys.

It's not really fun to set up but once it's done it works.

My previous workaround before this was 'StrictHostKeyChecking no' which does not allow ssh-agent to forward keys nor to have ports forwarded (blocked by openssh when used).

My .ssh/config looked like this until recently:

    Host hoppingstation
        Hostname loginhost.somewhere.net
        User me
        LocalForward 2201 alice.somewhere.net:22
        LocalForward 2202 bob.somewhere.net:22

    Host alice
        Hostname localhost
        Port 2201
        User root
        ForwardAgent yes
        GlobalKnownHostsFile /home/me/.ssh/known_hosts_alice

    Host bob
        Hostname localhost
        Port 2202
        User root
        ForwardAgent yes
        GlobalKnownHostsFile /home/me/.ssh/known_hosts_bob
1
  • 4
    Clever. Horribly wrong, but clever. :) Commented Nov 24, 2010 at 0:00
1

My solution: add detailed host information to ~/.ssh/config:

    Host <someidentifier>
        Hostname ip.add.re.ss
        StrictHostKeyChecking no
        User username
        Port 2201

    Host <someotheridentifier>
        Hostname ip.add.re.ss
        StrictHostKeyChecking no
        User username
        Port 2202

Then you can do ssh someidentifier without even having to supply -p etc.

3
  • 1
    This is unacceptable because I don't want to disable key checking. Commented May 13, 2010 at 16:32
  • Sorry, I didn't read that in your question. You're left with the option of downloading the source for OpenSSH and modifying it heavily, then. There does not seem to be a compile-time option to enable per-port host keys. I guess my follow-up question would be: why is one host, with multiple ports, giving a different host key? If each port, through port forwarding and whatnot, leads to different hosts, why not share the host key with each host? There's nothing 'wrong' with that, and it would prevent the error. Commented May 13, 2010 at 16:38
  • @Prody This site, fixunix.com/ssh/73420-including-port-number-known_hosts.html, also indicates someone with a similar issue, and they hand-edit ~/.ssh/known_hosts to add multiple keys for the same hostname. Maybe that will work? Commented May 13, 2010 at 17:04
