On 19-Mar-09, at 4:01 PM, Jerry Franz wrote: > dnk wrote: >> I have a centos box that will need to ssh into 2 other centos boxes >> (with keys). Now one of these boxes is a firewall, and another is a >> system behind the firewall. I have rules in my firewall to punch into >> the system behind the FW. >> >> Now if i connect to the IP (sine the public one is shared), anytime i >> connect to the other system, I get the host verification failed error >> and have to remove the IP from the known_hosts file. >> >> What is the best (secure) way to get around this? I know i can >> disable >> the check, but that is not my preferred way. >> > There are two ways to do it. The first way is to simply set the host > keys to be the same on all the boxes (copy the contents of the > /etc/ssh/*key* files from one box to all of the boxes). The other > way is > to setup separate ssh_config files for each destination with different > known_host files and invoke ssh as 'ssh -F configfile1 host1', 'ssh -F > configfile2 host2', etc. >
Ok, and the way I just figured out that also works is: If there are several different fingerprints in known_hosts for the same host (IP), ssh will connect if at least one of them is correct. So what you can do is # 1.) move your known_hosts file to a different filename mv .ssh/known_hosts .ssh/known_hosts.old # 2.) connect to computer #1, so its host key is written to the (now empty) known_hosts file ssh y...@yourfirstmachine -p port1 # 3.) add the new host key fingerprint to the old known_hosts file cat .ssh/known_hosts >>.ssh/known_hosts.old # 4.) remove the new known_hosts file rm .ssh/known_hosts # Now you should repeat steps 2-4 for each computer in you nated network # At the end, you simply move the old known_hosts file with the added keys back again mv .ssh/known_hosts.old .ssh/known_hosts Thanks! d _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
