incorrect "host key changed" for multi-sshd localhost

From: Ian! D. Allen (idallen@freenet.carleton.ca)
Date: 11/16/02


From: idallen@freenet.carleton.ca (Ian! D. Allen)
Date: Sat, 16 Nov 2002 08:53:09 +0000 (UTC)

I have several machines at my College that set up reverse ssh tunnels
back to themselves via "ssh -R 123x:localhost:22 idallen.com". This means
idallen.com effectively has an sshd listening on several 123x ports.

On idallen.com, the first time I connect to one of these localhost ports,
e.g. "ssh -p 1231 localhost", ssh puts an entry in .ssh/known_hosts for
"localhost"; but, of course, the key that is put there is the host key
for one of my *remote* machines, listening on port 1231.

The second time I connect to one of these localhost ports, but a
different port (different remote machine), e.g. "ssh -p 1232 localhost",
ssh complains that the host key for "localhost" has changed and refuses
to do various things.

In fact, neither of these host keys is the actual "localhost" key -
both host keys are keys of remote sshd on remote machines at the College.

I have written a silly shell script that removes the "localhost" key
before calling ssh; but, surely there is a better way to get ssh to
record different keys on different ports as different entries in the
known_hosts file? (Or perhaps ssh needs to record host key using
something other than the host name on the command line...)

Ideas?

-- 
-IAN!  Ian! D. Allen   Ottawa, Ontario, Canada   idallen@ncf.ca
       Home Page on the Ottawa FreeNet: http://www.ncf.ca/~aa610/
       College professor at: http://www.algonquincollege.com/~alleni/
       Board Member, TeleCommunities CANADA  http://www.tc.ca/
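As an added example (not from the original post and not OpenSSH's own code), the script below does two things for the situation described above: an audit that finds the symptom (one known_hosts name carrying several distinct keys) over a constructed sample file, and a wrapper that avoids it by connecting with ssh's `HostKeyAlias` option so each tunnel port is recorded under its own name rather than under "localhost". The alias scheme `college-tunnel-PORT` and the sample keys are assumptions; current OpenSSH also stores non-default ports as `[localhost]:PORT`, which the audit treats as a separate name.

```shell
#!/bin/sh
# Added example: audit known_hosts for names with several different keys,
# and connect to reverse tunnels with a per-port HostKeyAlias so the keys
# of different remote sshd instances never collide under "localhost".

# audit_known_hosts FILE: print each host name that has more than one distinct
# key recorded. Hashed entries (|1|...) and comments are skipped.
audit_known_hosts() {
    awk '
        /^[#|]/ || NF < 3 { next }          # comment, hashed name, or malformed
        {
            n = split($1, names, ",")       # a line may list several names
            key = $2 " " $3                 # key type + base64 blob
            for (i = 1; i <= n; i++)
                if (!((names[i] SUBSEP key) in seen)) {
                    seen[names[i] SUBSEP key] = 1
                    count[names[i]]++
                }
        }
        END { for (h in count) if (count[h] > 1) print h }
    ' "$1" | sort
}

# write_sample_known_hosts FILE: constructed known_hosts reproducing the
# problem: two different remote sshd keys both stored as "localhost".
# Key blobs are placeholders, not real keys.
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample
localhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCremote1231KEY
localhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCremote1232KEY
[localhost]:1233 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIremote1233KEY
idallen.com,203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIservKEY
EOF
}

# tunnel_ssh PORT [ssh-args...]: connect to the reverse tunnel on localhost:PORT.
# HostKeyAlias makes ssh store and check the key under "college-tunnel-PORT"
# (assumed alias scheme), so each remote machine gets its own known_hosts entry.
tunnel_ssh() {
    port=$1; shift
    ssh -p "$port" -o "HostKeyAlias=college-tunnel-$port" "$@" localhost
}

# show_tunnel_key PORT: print the key ssh has recorded for that tunnel's alias.
show_tunnel_key() {
    ssh-keygen -F "college-tunnel-$1"
}
```

Run `audit_known_hosts ~/.ssh/known_hosts` to see whether the collision already exists, then switch to `tunnel_ssh 1231` instead of deleting the "localhost" line before each connection.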

