I have 2 SSH servers behind a NAT firewall at a location that changes its WAN IP every day. They are always at the same WAN IP address at a given time, but on different ports.
I am connecting to server A this way:
ssh -p 22001 karl@x1.example.com
and to server B:
ssh -p 22002 karl@x2.example.com
So I get 2 different host keys for the same IP, and when the IP changes, even a different IP for the same host.
I have to keep deleting the other key, or the old key (in case of an IP change), from the known_hosts file over and over.
I am hesitant to turn key verification off, because this would be less secure. But getting a warning all the time is also insecure (because then I ignore such warnings all the time). Is there a better solution?
This is related to my old question here but not the same:
SSH login warning message on a server with 2 DNS names
I think this will work:
Create a config file in your .ssh directory as follows:
# ~/.ssh/config
# Server A: key is stored in known_hosts under the alias "server1",
# not under x1.example.com or its (changing) IP address.
Host server1
    Hostname x1.example.com
    HostKeyAlias server1
    CheckHostIP no
    Port 22001
    User karl

# Server B: same WAN address, different port, its own alias "server2".
Host server2
    Hostname x2.example.com
    HostKeyAlias server2
    CheckHostIP no
    Port 22002
    User karl
Explanation below (from man ssh_config):
CheckHostIP
    If this flag is set to "yes", ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to "no", the check will not be executed. The default is "yes".
HostKeyAlias
    Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files. This option is useful for tunneling SSH connections or for multiple servers running on a single host.
The User and Port lines save you from having to give those options on the command line, too, so you can just use:
% ssh server1
% ssh server2
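As an added example that is not part of the original answer: once the config above is in place, ssh looks the key up under the alias, so the stale `[host]:port` and IP-keyed entries that produced the warnings can be removed and known_hosts can be seeded under the alias names instead, avoiding the first-connection prompt. The host names, ports and key material below are constructed placeholders; the `seed_live` function is the real workflow and needs OpenSSH and network access, so it is not run by default.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Rewrites `ssh-keyscan` output so the first field is the HostKeyAlias
# name instead of "[x1.example.com]:22001". With CheckHostIP no, ssh
# never writes an IP-keyed line, so the alias line is all that matters.
# Usage: ssh-keyscan -p 22001 x1.example.com | alias_known_hosts server1
alias_known_hosts() {
    alias=$1
    while IFS= read -r line; do
        case $line in
            '#'*|'') continue ;;      # keyscan banner / blank lines
        esac
        rest=${line#* }               # drop the "[host]:port" field
        printf '%s %s\n' "$alias" "$rest"
    done
}

# Constructed stand-in for `ssh-keyscan -p 22001 x1.example.com` output.
# The key blobs are NOT real keys.
SAMPLE_SCAN='# x1.example.com:22001 SSH-2.0-OpenSSH_9.6
[x1.example.com]:22001 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotRealxxxxxxxxxxxxxxxxxxxxxxxx
[x1.example.com]:22001 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleRsaKeyNotReal'

# Offline demonstration on the constructed sample.
seed_example() {
    printf '%s\n' "$SAMPLE_SCAN" | alias_known_hosts server1
}

# Real workflow (assumed host names/ports from the question):
# 1. remove the entries keyed by "[host]:port" and by the old WAN IP,
# 2. seed the alias entries,
# 3. confirm what ssh will actually look up.
seed_live() {
    kh=${HOME}/.ssh/known_hosts
    ssh-keygen -R '[x1.example.com]:22001' -f "$kh"
    ssh-keygen -R '[x2.example.com]:22002' -f "$kh"
    # Replace with the WAN IP(s) that were recorded earlier, if any:
    # ssh-keygen -R 203.0.113.10 -f "$kh"
    ssh-keyscan -p 22001 x1.example.com 2>/dev/null | alias_known_hosts server1 >> "$kh"
    ssh-keyscan -p 22002 x2.example.com 2>/dev/null | alias_known_hosts server2 >> "$kh"
    ssh -G server1 | grep -i '^hostkeyalias'   # expect: hostkeyalias server1
}

seed_example
```

Seeding from `ssh-keyscan` trusts whatever answers on the network at that moment, exactly as a first interactive connection would, so compare the seeded fingerprint (`ssh-keygen -lf` on the new known_hosts line) against one obtained out of band from the server's /etc/ssh/ssh_host_*_key.pub before relying on it.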