How to handle ssh host key verification with 2 dif

2019-02-02 09:59发布

问题:

I have 2 ssh servers behind a nat firewall at a location that changes its wan IP every day. They are always at the same wan IP address on a given time but on different ports.

I am connecting to server A this way:

ssh -p 22001 karl@x1.example.com

and to server B:

ssh -p 22002 karl@x2.example.com

So I get 2 different host keys for the same IP, and also when the IP changes even a different IP for the same host.

I have to go on deleting over and over the other key or the old key (in case of IP change) in the known_hosts file.

I am hesitating to turn the key verification off, because this would be less secure. But getting a warning all the time is also unsecure (because I ignore such warnings all the time then). Is there a better solution?

This is related to my old question here but not the same:

SSH login warning message on a server with 2 DNS names

回答1:

I think this will work:

Create a config file in your .ssh directory as follows:

Host server1
  Hostname x1.example.com
  HostKeyAlias server1
  CheckHostIP no
  Port 22001
  User karl

Host server2
  Hostname x2.example.com
  HostKeyAlias server2
  CheckHostIP no
  Port 22002
  User karl

Explanation Below (from man ssh_config)

CheckHostIP

If this flag is set to "yes", ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to "no", the check will not be executed. The default is "yes".

HostKeyAlias

Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files. This option is useful for tunneling SSH connections or for multiple servers running on a single host.

The Username and Port line avoids you having to give those options on the command line, too, so you can just use:

% ssh server1
% ssh server2