Yes, you can do the following:
1) Use ssh to connect to the gateway machine. It will ask to put an entry in
known_hosts or known_hosts2. Say yes, then ^C back to the prompt.
2) Edit the known hosts entry just added and comment it out.
3) Use ssh to connect to the internal machine by giving the gateway with the port.
Again, say yes and do a ^C to get back to the prompt.
4) Now you have 2 entries in known_hosts(2) for what looks like the
same host. Uncomment the first one and then add another name to
the second entry.
The name entered in 4) needs to be an alias for the gateway. If you can't
do this via DNS, then add a line for the gateway to your /etc/hosts file.
So that it stays compatible with DNS, you should make sure the first machine
listed for the gateway is the FQDN. Do an nslookup IPADDR to get it. If
you make files resolve before DNS in nsswitch.conf then it is a good idea
to make sure ALL entries in /etc/hosts have the FQDN first, followed by
aliases.
Now, to make getting to the internal machine easier, add a special entry to either
the system or your personal ssh_config file. It would have the alias name
and then the gateway and port to get to it.
So, you would end up with something like this:
We will assume the following for machine names and IPs for my example:

    outmach   123.123.123.123   # Some external machine
    home-gw   222.222.123.123   # DSL gateway machine
    ignatius  192.168.100.5     # Internal IP for ignatius

In /etc/hosts on outmach add:

    222.222.123.123 IP-rev-FQDN home-gw home-ignatius

In /etc/nsswitch.conf on outmach:

    hosts: files dns
You don't need this as long as names home-gw and home-ignatius don't
resolve in your domains via DNS. Even if they don't and it uses /etc/hosts,
anytime in the future they may and things would break, so I would recommend
using files first. Even then you need to make sure the first machine
name is the FQDN for the IP from a reverse nslookup. These will need to
be verified occasionally so they stay in sync with DNS.
After 1-3 above you would have known_hosts entries like this on outmach:

    home-gw,222.222.123.123 .... pub key info
    home-gw,home-ignatius,222.222.123.123 .... pub key info
The final thing is to make connecting easier by defining the special info
in ssh_config. So on outmach add these lines to the system config or
your personal one in ~/.ssh:

    Host ignatius
        Hostname home-ignatius
        ForwardX11 yes
        Protocol 2,1
        RSAAuthentication yes
        KeepAlive yes
        Port 3022
These lines should be before the Host * defaults since it is the first
found that is used. I use Protocol 2 by default, which is why I have
that line above; I also use KeepAlive. You can change these to fit
your preferences, but the Host, Hostname and Port are needed. Change
3022 to the port you set up. Hostname is only needed if the name you give
ssh differs from the real name. This way you can ssh ignatius and
it will go through the GW on the port you defined.
If your IP address on the GW machine changes, you will need to hand edit
/etc/hosts, known_hosts, etc. to change the info to the new IP address. If this
happens a lot, you can always automate it via scripts and ssh RSA/DSA auth
with a limit to the command, which would do the IP address changes. Then
have the GW tell the remote host when the IP address changes. This is more
involved so I won't go into it here.
Good luck,
--Dave
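The scheme above in miniature, as an added example that is not part of Dave's reply: a small Python model of how ssh rewrites a target through ssh_config and then looks up known_hosts by name only, never by port. The key strings are constructed placeholders and the matching rules are simplified (real ssh also checks the IP address and other options); it shows both the mismatch the original question describes and the aliased entry resolving cleanly.

```python
import fnmatch
# Constructed placeholders, not real host keys: the two known_hosts lines
# the reply ends up with after step 4, and the ssh_config stanza it adds.
KNOWN_HOSTS = """\
home-gw,222.222.123.123 ssh-rsa GATEWAY-KEY
home-gw,home-ignatius,222.222.123.123 ssh-rsa IGNATIUS-KEY
"""
SSH_CONFIG = """\
Host ignatius
    Hostname home-ignatius
    Port 3022
Host *
    Port 22
"""

def resolve(name, config=SSH_CONFIG):
    """Apply ssh_config to a target: in each Host stanza matching the name,
    an option counts only if no earlier stanza set it (first found wins),
    which is why 'Host ignatius' must come before 'Host *'."""
    opts, active = {}, False
    for line in config.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = any(fnmatch.fnmatchcase(name, p) for p in val.split())
        elif active:
            opts.setdefault(key, val)
    return opts.get("hostname", name), int(opts.get("port", 22))

def known_keys(name, known_hosts=KNOWN_HOSTS):
    """Keys recorded for a name. A line is 'name1,name2,... keytype key';
    the lookup matches the name or IP in that comma list and never the port."""
    keys = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and name in fields[0].split(","):
            keys.append(" ".join(fields[1:3]))
    return keys

def check_host(name, presented, known_hosts=KNOWN_HOSTS):
    """ssh's verdict on the key the server presents: 'new' when no line names
    the host, 'ok' when a line holds this key, else 'changed' (the warning)."""
    keys = known_keys(name, known_hosts)
    return "new" if not keys else "ok" if presented in keys else "changed"

def ssh(target, presented, known_hosts=KNOWN_HOSTS):
    """Simulate 'ssh TARGET': rewrite through ssh_config, then verify."""
    hostname, port = resolve(target)
    return hostname, port, check_host(hostname, presented, known_hosts)
```

With only the gateway's line in known_hosts, a connection to the forwarded port on the same IP sees the other sshd's key and is reported as changed; with the alias line, `ssh ignatius` is verified against the ignatius key.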
> Date: Sun, 22 Oct 2000 12:09:02 -0400 (EDT)
> From: R Signes <[EMAIL PROTECTED]>
> Subject: known_hosts and port forwarding
>
> I've got a DSL line coming into my house. It goes into a linux box and
> that box IP masquerades for the rest of the house LAN.
>
> I have sshd running successfully on the masq'er (Router). I also set it
> up on a machine (Ignatius) inside the masquerading firewall and configured
> Router to forward a port to Ignatius' ssh port, so I can connect to
> ignatius from outside without having first to connect to Router.
>
> This confuses ssh, however. If I'm on another, external machine, and I
> use ssh to connect to Router, it saves that IP with its key in
> $HOME/.ssh/known_hosts -- but if I then use ssh to connect to Ignatius, it
> tries to read the same IP's key.
>
> Can't I make known_hosts keep track of port numbers as well? Is there a
> fix of some sort?
>
> rjbs