
I have a Server behind a Port-forwarding Firewall.

Server <---> Firewall <------> NAT Port 222 | -----------> VPN 

I can ssh into it by key from the VPN. Doing this on the server:

server:~> ssh-keygen -lf /etc/ssh/ssh_host_rsa_key

Shows the HOSTKEY

I try to ssh into it from the outside:

ssh server.external 

Results in "REMOTE HOST IDENTIFICATION HAS CHANGED"

 The fingerprint for the RSA key sent by the remote host is HOSTKEY.EXTERN 

The fingerprints HOSTKEY and HOSTKEY.EXTERN are different.

If I ssh into it via the VPN and its internal IP all is fine.

2 Questions:

  1. Why are HOSTKEY.EXTERN and HOSTKEY fingerprints different?
  2. How can I check the reported host key from the outside?

EDIT: Answer to Part 2 and more strange findings:

I now did 'ssh-keyscan server' internally and externally, two different keys are the result.

ssh-keyscan server.external > server.external.keyscan
ssh-keyscan server.internal > server.internal.keyscan

then I fingerprint those:

ssh-keygen -lf server.external.keyscan
ssh-keygen -lf server.internal.keyscan

Two different fingerprints. I do not get it.

1 Answer


SSH is picky in that the hostname must match for a given key in known_hosts. Because you're accessing it from the outside, your SSH client is seeing the server coming from external.ip instead of its internal address.

The best way I can think of to fix this is to have two keypairs - one for external access, and one for internal. This way both will be in known_hosts.

  • I know why ssh is complaining, I do not know why these keys are different. Commented Apr 29, 2014 at 14:57
  • They aren't. It's complaining because SSH sees a different hostname than what it's supposed to be, which can signify a MITM attack even when it's not. Commented Apr 29, 2014 at 14:58
  • They are different. Or does the key fingerprint include the Hostname? Even the raw keys (the part after ssh-rsa) are different... Commented Apr 29, 2014 at 15:04
  • If the actual key is different that may be a sign you are seeing a MITM somewhere. Are you using different clients from inside vs outside? You might be getting the ecdsa key in one location and the rsa key in another? You could have a new client in one of those locations? Commented Apr 29, 2014 at 16:42
  • BTW, you might consider setting two config in your ssh config file ~/.ssh/config. One for the external, and one for the internal. Within both entries specify a HostKeyAlias. Commented Apr 29, 2014 at 16:43
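As an added example that is not part of the question, the answer or the comments: a small Python script that compares two ssh-keyscan captures per key type (the way ssh-keygen -lf fingerprints them, but side by side), so that a scan that merely returned a different key type, the possibility raised in the comments above, is told apart from a genuinely different key answering behind the forwarded port. The hostnames and key blobs in it are constructed sample data, not real keys.

```python
import base64, hashlib, struct

def ssh_string(data: bytes) -> bytes:  # length-prefixed field of the SSH key wire format
    return struct.pack(">I", len(data)) + data

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (base64, no '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keyscan(text: str) -> dict:
    """Map key type -> raw key blob from ssh-keyscan output; '#' comment lines are skipped."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        ktype, blob = parts[1], base64.b64decode(parts[2])
        # The blob's first field names the algorithm; it must agree with column 2.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != ktype.encode():
            raise ValueError("key type does not match blob: " + line)
        keys[ktype] = blob
    return keys

def compare_scans(internal: str, external: str) -> dict:
    """Per key type: (internal fp, external fp, verdict); a fp is None if that scan lacks the type."""
    a, b = parse_keyscan(internal), parse_keyscan(external)
    report = {}
    for ktype in sorted(set(a) | set(b)):
        fa = fingerprint(a[ktype]) if ktype in a else None
        fb = fingerprint(b[ktype]) if ktype in b else None
        if fa and fb:
            verdict = "same" if fa == fb else "DIFFERENT"
        else:
            verdict = "only-internal" if fa else "only-external"
        report[ktype] = (fa, fb, verdict)
    return report

# Constructed sample scans: synthetic key blobs with the right framing, not real keys.
def _fake_key(ktype: str, *fields: bytes) -> str:
    blob = ssh_string(ktype.encode()) + b"".join(ssh_string(f) for f in fields)
    return base64.b64encode(blob).decode()

RSA_A = _fake_key("ssh-rsa", b"\x01\x00\x01", b"\x00\xc3\x7a\x11")
RSA_B = _fake_key("ssh-rsa", b"\x01\x00\x01", b"\x00\xd9\x42\x05")
ECDSA_C = _fake_key("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x2a" * 64)
INTERNAL_SCAN = f"server.internal ssh-rsa {RSA_A}\nserver.internal ecdsa-sha2-nistp256 {ECDSA_C}\n"
EXTERNAL_SCAN_OLD_CLIENT = f"server.external ssh-rsa {RSA_A}\n"  # same host, rsa-only scan
EXTERNAL_SCAN_OTHER_HOST = f"server.external ssh-rsa {RSA_B}\n"  # port lands on another key
```

Feed it the two .keyscan files from the question instead of the constants: a "DIFFERENT" verdict for a type both scans returned means the forwarded port is not reaching the host key you checked on the server, while "only-internal"/"only-external" means the two scans simply did not negotiate the same key types.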
