Topic: SSH key whining for NATed servers  (Read 1589 times)
« on: November 11, 2007, 04:19:21 »
baddog *
Posts: 6

I have two servers, A and B, that are behind my m0n0wall firewall.  I have forwarded the WAN port 3000 to go to the ssh port (22) of A, and WAN port 4000 to go to the ssh port of B.  That works just fine, except that when connecting to B after having connected to A at some point in the past, ssh complains that the keys for B are already in the known_hosts file, and are pointing to server A!   It then refuses to log in.

Well, this is true.  Still, I want to be able to do this, so...

Anyone know any magic for getting ssh to not complain?  I know that I can simply erase the known_hosts file every time, but that is unacceptable to the users.  Seems to me that people accessing any load-balanced server using ssh would have this problem (through the load-balanced IP, that is).

I'm using openssh.

Any ideas appreciated!
« Reply #1 on: November 11, 2007, 17:21:26 »
Max2950 ***
Posts: 120

From the WAN side your SSH client "believes" you have one machine running ssh. This is why your SSH client is complaining. Maybe you should access your SSH using two different host names. Maybe by using two different dyndns names...
« Reply #2 on: January 07, 2008, 11:23:29 »
mtnbkr *
Posts: 2


Baddog, What Max said is true, however, there is a simple way to accomplish what you want. I ran into the same issue some years back managing several sites each with multiple servers behind NAT firewalls.


The key you are looking for is the "hostkeyalias" option in openssh. From the man page:

HostKeyAlias
             Specifies an alias that should be used instead of the real host name
             when looking up or saving the host key in the host key database
             files.  This option is useful for tunneling SSH connections or for
             multiple servers running on a single host.


Here is an example:

Let's say you had site A with a firewall address of 10.10.10.10. On the inside you have a dns server and a fileserver. Port 1111 on the firewall is forwarded to the fileserver and port 2222 on the firewall is forwarded to the dns server.

First, create a ~/.ssh/config file and put this into it: (making changes for your IP addresses, host names and user names etc)

--[snip]--
Host siteafs
Hostname 10.10.10.10
HostKeyAlias fileserver.sitea.com
Port 1111
User username

Host siteadns
Hostname 10.10.10.10
HostKeyAlias dns.sitea.com
Port 2222
User username
--[snip]--


Now, from the command line, you can use the "Host" as a shortcut to ssh to one of the servers listed in your config file. For example, by typing:

username@workstation $ ssh siteadns

openssh will consult your ~/.ssh/config file, find the "Host" line with the name "siteadns", connect to the IP or dns name listed on the "HostName" line using the port listed on the "Port" line.

The username is optional but is nice if you log in to your servers as a different user than you are currently logged into your local workstation as. So, for example, you can even add this to your ~/.ssh/config file to connect to the same dns server as root just by sshing to a slightly different "Host":

--[snip]--
Host siteadnsroot
HostName 10.10.10.10
# same alias as "siteadns" so both stanzas share one known_hosts entry
HostKeyAlias dns.sitea.com
port 2222
user root
--[snip]--

The "CheckHostIP no" option might also be helpful if the servers are on a dynamic IP.

For more info on all the possible options that can go on the command line or in the config file, see man 5 ssh_config.

Hope this helps.

--
Bill Arlofski
Reverse Polarity, LLC
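As an added example (not code from the thread or from either poster), the script below turns a small inventory of servers reached through one firewall address into the ~/.ssh/config stanzas described above, and checks whether any two stanzas would end up sharing a known_hosts entry, which is the clash the original post hit. All names and addresses in it are constructed. It also models the one detail the thread predates: OpenSSH 5.1 and later record a non-default port as "[host]:port" in known_hosts, so the bare-hostname clash only occurs on older clients; the "legacy" flag reproduces that older behaviour. HostKeyAlias avoids the question on either version.

```sh
#!/bin/sh
# Added example, not from the thread. Generates ssh_config stanzas from an
# inventory and reports entries whose host keys would share a known_hosts name.

# Constructed inventory, one server per line:
#   shortname  firewall-address  forwarded-port  hostkeyalias (or "-")  user
# "Before": the original poster's setup, no aliases (addresses are made up).
INVENTORY_BEFORE='
servera 203.0.113.10 3000 - baddog
serverb 203.0.113.10 4000 - baddog
'
# "After": the same servers with a HostKeyAlias each, plus a root login to B.
INVENTORY_AFTER='
servera      203.0.113.10 3000 a.example.net baddog
serverb      203.0.113.10 4000 b.example.net baddog
serverb-root 203.0.113.10 4000 b.example.net root
'

# Read an inventory on stdin and print one Host stanza per line.
gen_ssh_config() {
    awk 'NF == 5 {
        printf "Host %s\n", $1
        printf "    HostName %s\n", $2
        printf "    Port %s\n", $3
        if ($4 != "-") printf "    HostKeyAlias %s\n", $4
        printf "    User %s\n\n", $5
    }'
}

# Name under which ssh looks up and stores the host key for one entry.
# $1 = address, $2 = port, $3 = alias or "-", $4 = "legacy" to model clients
# before OpenSSH 5.1, which ignored the port and used the bare host name.
known_hosts_name() {
    if [ "$3" != "-" ]; then
        printf '%s\n' "$3"
    elif [ "$2" = 22 ] || [ "$4" = legacy ]; then
        printf '%s\n' "$1"
    else
        printf '[%s]:%s\n' "$1" "$2"
    fi
}

# Read an inventory on stdin; print every known_hosts name that two or more
# entries with DIFFERENT address:port targets would share. Empty output means
# every server gets its own entry. $1 = "legacy" or empty.
find_key_clashes() {
    while read -r name addr port alias user; do
        [ -n "$name" ] || continue
        printf '%s %s:%s\n' \
            "$(known_hosts_name "$addr" "$port" "$alias" "$1")" "$addr" "$port"
    done | sort -u | awk '{ seen[$1]++ } END { for (k in seen) if (seen[k] > 1) print k }'
}

# Demonstration when run directly: show the clash, then the fixed config.
echo "clashes on an old client without aliases:"
printf '%s\n' "$INVENTORY_BEFORE" | find_key_clashes legacy
echo "clashes with aliases:"
printf '%s\n' "$INVENTORY_AFTER" | find_key_clashes legacy
echo "generated ~/.ssh/config:"
printf '%s\n' "$INVENTORY_AFTER" | gen_ssh_config
```

Append the generated stanzas to ~/.ssh/config and "ssh serverb-root" then resolves to the firewall address, port 4000, user root, with the key checked against the "b.example.net" entry rather than against whatever was last recorded for the firewall address.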