Connecting to 2 machines with the same IP - SSH



Thread: Connecting to 2 machines with the same IP

  1. Connecting to 2 machines with the same IP

    Hi all,

    At home, I've got 2 machines on my LAN, connected to the Net through a
    router, thus sharing the same IP address. I'm using NAT port forwarding,
    such that the router redirects port 22 from its public interface to port 22
    of machine A, and port 10022 to port 22 of B:

                         22 -> 22
    Net ----- NATbox +--- A
                     +--- B
                         10022 -> 22

    I often need to connect from the Net to both machine A and B. Unfortunately,
    I always have a warning, since there are 2 machines with the same IP, that
    the certificate associated with this IP has changed.

    Is there any way to have two certificates associated with the same IP in
    ~/.ssh/known_hosts ?

    Manuel.

  2. Re: Connecting to 2 machines with the same IP

    mpg wrote:
    > Is there any way to have two certificates associated with the same IP in
    > ~/.ssh/known_hosts ?


    What I do in this situation is to hack round it in a nasty way, by
    setting up a .ssh/config entry for one of the machines which goes
    something like

    Host machineB
    HostName some.name.which.is.not.a.real.DNS.name
    ProxyCommand nc -q0 the.real.dns.name 10022

    Then ssh will think it's connecting to the name you provided under
    `HostName', and will cache the host key under that name; but in
    reality it will run `nc' to make its network connection, which will
    connect to somewhere completely different.

    Of course, you'll need nc installed, or some equivalent program.

    (PuTTY caches a separate host key for each host,port combination
    instead of just one per host, which would solve this problem more
    simply. But there are any number of perfectly good reasons you might
    not want to switch to using Unix PuTTY for this job, of course.)
    --
    for k in [pow(x,37,0x13AC59F3ECAC3127065A9) for x in [0x195A0BCE1C2F0310B43C,
    0x73A0CE584254AB23D5A0, 0x12878657EA814421CC92, 0x7373445BB3DA69996F4A,
    0x77A7ED5BC3AA700E80B2, 0xE9C71C94ED87ADCF7367, 0xFE920395F414C1A5DB50]]:
    print "".join([chr(32+3*((k>>x)&1))for x in range(79)]) #

  3. Re: Connecting to 2 machines with the same IP

    mpg wrote:
    > Hi all,
    >
    > At home, I've got 2 machines on my LAN, connected to the Net through a
    > router, thus sharing the same IP address. I'm using NAT port forwarding,
    > such that the router redirects port 22 from its public interface to port 22
    > of machine A, and port 10022 to port 22 of B:
    >
    >                       22 -> 22
    > Net ----- NATbox +--- A
    >                  +--- B
    >                       10022 -> 22
    >
    > I often need to connect from the Net to both machine A and B. Unfortunately,
    > I always have a warning, since there are 2 machines with the same IP, that
    > the certificate associated with this IP has changed.
    >
    > Is there any way to have two certificates associated with the same IP in
    > ~/.ssh/known_hosts ?
    >
    > Manuel.



    Have you tried to put

    Host HostA
    HostName Name.of.Router # or IP of Router
    Port 22
    HostKeyAlias HostA

    Host HostB
    HostName Name.of.Router # or IP of Router
    Port 10022
    HostKeyAlias HostB

    into your .ssh/config and then simply

    ssh HostA
    or
    ssh HostB

    to connect?
    You could read man ssh_config to understand this.

    Wolfgang

  4. Re: Connecting to 2 machines with the same IP

    On Wednesday 07 November 2007 18:28, Wolfgang Meiners wrote:
    > Have you tried to put
    >
    > Host HostA
    > HostName Name.of.Router # or IP of Router
    > Port 22
    > HostKeyAlias HostA
    >
    > Host HostB
    > HostName Name.of.Router # or IP of Router
    > Port 10022
    > HostKeyAlias HostB
    >
    > into your .ssh/config and then simply
    >

    Obviously, I didn't. This HostKeyAlias option is exactly what I was
    looking for. Thank you. I'm going to add the HostKeyAlias to my .ssh/config
    immediately!

    > You could read man ssh_config to understand this.
    >

    Well, I didn't read it completely...

    Manuel


  5. Re: Connecting to 2 machines with the same IP

    mpg wrote:

    > Obviously, I didn't. This HostKeyAlias option is exactly what I was
    > looking for. Thank you. I'm going to add the HostKeyAlias to my
    > .ssh/config immediately!
    >

    By the way, I also had to use the 'CheckHostIP no' option, otherwise ssh
    would insist on storing a key for the IP in .ssh/known_hosts while
    connecting to the 1st machine, and then would complain about an offending
    key for this IP when connecting to the 2nd machine.

    Since I added this CheckHostIP and manually deleted the key associated with
    the IP in known_hosts, it works perfectly fine. Unfortunately, it makes me
    sensitive to DNS spoofing attacks, but I hope it's not too big an issue.

    Manuel.
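    A worked version of the HostKeyAlias setup from the two posts above, added
    here as an example and not code from the thread. It writes an ssh_config
    with one stanza per machine and pre-seeds a known_hosts file with each
    machine's key stored under its alias, so even the first connection is
    checked against a pin rather than accepted on first use. The router name
    nat.example.net, the aliases HostA and HostB and every key blob are made
    up. Two facts worth having next to the CheckHostIP remark: ssh consults
    known_hosts under the alias, so a spoofed DNS answer that lands the client
    on a different server fails the host key check outright once
    StrictHostKeyChecking is yes (the attacker gets a denial of service, not a
    session); and current OpenSSH records a non-default port as [host]:port in
    known_hosts, which is the form ssh-keyscan prints and the script rewrites.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an ssh client profile for
# two machines behind one NAT address: each gets its own Host stanza with
# HostKeyAlias, and known_hosts is pre-seeded with the key for each alias so
# the first connection is a checked one, not trust-on-first-use.
# nat.example.net, HostA/HostB and all key blobs below are made up.
set -eu

ROUTER="nat.example.net"   # assumed public name of the NAT box

# One ssh_config stanza. known_hosts lookups use the alias rather than the
# shared name/IP, so A and B no longer overwrite each other's entry, and
# StrictHostKeyChecking yes makes a mismatch a hard failure, not a warning.
ssh_config_stanza() {
    name="$1" port="$2" known_hosts="$3"
    printf 'Host %s\n' "$name"
    printf '    HostName %s\n' "$ROUTER"
    printf '    Port %s\n' "$port"
    printf '    HostKeyAlias %s\n' "$name"
    printf '    UserKnownHostsFile %s\n' "$known_hosts"
    printf '    StrictHostKeyChecking yes\n'
    printf '    CheckHostIP no\n'
    printf '\n'
}

# Turn one line of ssh-keyscan output into a known_hosts line keyed by the
# alias. ssh-keyscan prints "[host]:port type blob" for a non-default port
# and "host type blob" for port 22; in both cases field 1 is replaced.
# Comment lines are dropped.
keyscan_to_alias_entry() {
    name="$1" line="$2"
    printf '%s\n' "$line" |
        awk -v a="$name" '!/^#/ && NF >= 3 { $1 = a; print }'
}

# Read "alias port keyscan-line" records on stdin and write config and
# known_hosts into DIR. Nothing here touches the network.
write_pinned_profile() {
    dir="$1"
    : > "$dir/config"
    : > "$dir/known_hosts"
    while read -r name port line; do
        [ -n "$name" ] || continue
        ssh_config_stanza "$name" "$port" "$dir/known_hosts" >> "$dir/config"
        keyscan_to_alias_entry "$name" "$line" >> "$dir/known_hosts"
    done
    chmod 600 "$dir/config" "$dir/known_hosts"
}

# Demo on constructed input (the blobs are placeholders, not real keys). In
# real use the third column comes from ssh-keyscan -p PORT over a trusted
# path, or from /etc/ssh/ssh_host_*.pub copied off the machine itself.
demo_dir="$(mktemp -d)"
write_pinned_profile "$demo_dir" <<EOF
HostA 22    $ROUTER ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKeyBlobForMachineA
HostB 10022 [$ROUTER]:10022 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKeyBlobForMachineB
EOF
cat "$demo_dir/config" "$demo_dir/known_hosts"
echo "profile in $demo_dir: use  ssh -F $demo_dir/config HostB"
```

    Feed it real ssh-keyscan lines and connect with ssh -F DIR/config HostB.
    ssh-keygen -F HostB -f DIR/known_hosts shows what is pinned for an alias,
    and ssh-keygen -R ADDRESS -f FILE is the tool for removing the stale IP
    entry that was deleted by hand above. The CheckHostIP line is kept only to
    match the thread; recent OpenSSH releases ship with it off by default.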

  6. Re: Connecting to 2 machines with the same IP

    On 8 Nov, 13:16, mpg wrote:
    > mpg wrote:
    > > Obviously, I didn't. This HostKeyAlias option is exactly what I was
    > > looking for. Thank you. I'm going to add the HostKeyAlias to my
    > > .ssh/config immediately!
    >
    > By the way, I also had to use the 'CheckHostIP no' option, otherwise ssh
    > would insist on storing a key for the IP in .ssh/known_hosts while
    > connecting to the 1st machine, and then would complain about an offending
    > key for this IP when connecting to the 2nd machine.
    >
    > Since I added this CheckHostIP and manually deleted the key associated with
    > the IP in known_hosts, it works perfectly fine. Unfortunately, it makes me
    > sensitive to DNS spoofing attacks, but I hope it's not too big an issue.
    >
    > Manuel.


    The faster and easier option is to give both machines the same SSH
    keys.


  7. Re: Connecting to 2 machines with the same IP

    Nico wrote:
    > The faster and easier option is to give both machines the same SSH
    > keys.


    But only if there's nothing either machine could gain by pretending
    to be the other.

    If they're on the same LAN in the same person's home, they're
    presumably run by the same administrator and hence there isn't an
    _interpersonal_ trust issue. But even so, there may be a question of
    separate security zones: if (for example) one machine is at greater
    risk of cracking (due to running some sort of public service, or a
    more potentially vulnerable OS) and the other contains any sensitive
    data to which the first doesn't already have access, then you might
    want to preserve the security boundary between them, and that means
    not giving either one the other's private host key.

    I wouldn't give two machines the same host key unless they already
    had universal trust paths between them, e.g. two basically
    interchangeable hosts in a cluster. Fortunately, this is also the
    only situation in which I'd be tempted to: in such a cluster I might
    attempt round-robin or load-balancing DNS, with the effect that
    users couldn't predict which machine they'd end up connecting to and
    hence which host key (if they were different) to expect.
    --
    Simon Tatham "What a caterpillar calls the end of the
    world, a human calls a butterfly."
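    For the cluster case in the post above, there is a way to keep every
    member's own host key and still let users connect through one round-robin
    name: pin each member's key under the shared name in known_hosts. OpenSSH
    accepts the connection when any known_hosts entry for that name matches the
    key the server offers, so no private host key has to be copied between
    machines. The script below is an added example, not code from the thread;
    login.example.net, the node names and the key blobs are made up.

```shell
#!/bin/sh
# Added example, not code from the thread. For a round-robin DNS name that
# fronts several hosts, pin every member's own host key under the shared name
# instead of copying one private host key to all members. OpenSSH is happy
# when any known_hosts entry for the name matches the key it is offered, so
# the members keep distinct keys and a compromise of one does not let it
# impersonate the others. login.example.net, the node names and the key
# blobs are made up.
set -eu

CLUSTER="login.example.net"   # assumed round-robin name

# One line of a member's ssh-keyscan output becomes a known_hosts line whose
# host field names both the shared name and the member itself. The field is a
# comma-separated list of patterns, each matched on its own, so the same key
# is accepted whether the user typed the cluster name or the node name.
pin_member_key() {
    member="$1" line="$2"
    printf '%s\n' "$line" |
        awk -v h="$CLUSTER,$member" '!/^#/ && NF >= 3 { $1 = h; print }'
}

# Count the keys pinned for NAME in FILE: lines whose host list contains it.
# After pinning a whole cluster this should equal the number of members.
pinned_key_count() {
    name="$1" file="$2"
    awk -v n="$name" '
        !/^#/ && NF >= 3 {
            split($1, hosts, ",")
            for (i in hosts) if (hosts[i] == n) { c++; break }
        }
        END { print c + 0 }' "$file"
}

# Demo on constructed keyscan lines (placeholder blobs, not real keys).
kh="$(mktemp)"
pin_member_key node1.example.net \
    "node1.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKeyNode1" >> "$kh"
pin_member_key node2.example.net \
    "node2.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKeyNode2" >> "$kh"
cat "$kh"
echo "keys pinned for $CLUSTER: $(pinned_key_count "$CLUSTER" "$kh")"
```

    Gather the real lines with ssh-keyscan against each member directly (not
    via the round-robin name, which would pick a member at random), append the
    output to ~/.ssh/known_hosts, and ssh-keygen -F login.example.net -f FILE
    will list one entry per member. ssh-keygen -H -f FILE hashes the host
    fields afterwards if the file should not reveal the member names.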

  8. Re: Connecting to 2 machines with the same IP

    On Nov 8, 11:27 am, Simon Tatham wrote:
    > Nico wrote:
    > > The faster and easier option is to give both machines the same SSH
    > > keys.
    >
    > But only if there's nothing either machine could gain by pretending
    > to be the other.
    >
    > If they're on the same LAN in the same person's home, they're
    > presumably run by the same administrator and hence there isn't an
    > _interpersonal_ trust issue. But even so, there may be a question of
    > separate security zones: if (for example) one machine is at greater
    > risk of cracking (due to running some sort of public service, or a
    > more potentially vulnerable OS) and the other contains any sensitive
    > data to which the first doesn't already have access, then you might
    > want to preserve the security boundary between them, and that means
    > not giving either one the other's private host key.
    >
    > I wouldn't give two machines the same host key unless they already
    > had universal trust paths between them, e.g. two basically
    > interchangeable hosts in a cluster. Fortunately, this is also the
    > only situation in which I'd be tempted to: in such a cluster I might
    > attempt round-robin or load-balancing DNS, with the effect that
    > users couldn't predict which machine they'd end up connecting to and
    > hence which host key (if they were different) to expect.
    > --
    > Simon Tatham "What a caterpillar calls the end of the
    > world, a human calls a butterfly."


    The MAC addresses will differ, maybe you could use that?


  9. Re: Connecting to 2 machines with the same IP

    On 8 Nov, 21:03, Hexalon wrote:
    > On Nov 8, 11:27 am, Simon Tatham wrote:
    > > Nico wrote:
    > > > The faster and easier option is to give both machines the same SSH
    > > > keys.
    > >
    > > But only if there's nothing either machine could gain by pretending
    > > to be the other.
    > >
    > > If they're on the same LAN in the same person's home, they're
    > > presumably run by the same administrator and hence there isn't an
    > > _interpersonal_ trust issue. But even so, there may be a question of
    > > separate security zones: if (for example) one machine is at greater
    > > risk of cracking (due to running some sort of public service, or a
    > > more potentially vulnerable OS) and the other contains any sensitive
    > > data to which the first doesn't already have access, then you might
    > > want to preserve the security boundary between them, and that means
    > > not giving either one the other's private host key.
    > >
    > > I wouldn't give two machines the same host key unless they already
    > > had universal trust paths between them, e.g. two basically
    > > interchangeable hosts in a cluster. Fortunately, this is also the
    > > only situation in which I'd be tempted to: in such a cluster I might
    > > attempt round-robin or load-balancing DNS, with the effect that
    > > users couldn't predict which machine they'd end up connecting to and
    > > hence which host key (if they were different) to expect.
    > > --
    > > Simon Tatham "What a caterpillar calls the end of the
    > > world, a human calls a butterfly."
    >
    > The MAC addresses will differ, maybe you could use that?


    You can't see the internal MAC addresses from outside the household
    NAT. Or are you suggesting something else?

