Mailing List Archive



Re: Two ssh servers on one IP?: Access by different names [tlug]



Darren Cook wrote:

> I've a client with a firewall and two machines behind it, and I have an
> ssh account on both, and both are assigned to the same IP but different
> ports at the firewall. So I'd do:
>   ssh -p 1001 1.2.3.4
>   ssh -p 1002 1.2.3.4
> 
> The problem is that when I try the 2nd command, ssh very loudly tells me
> someone might be doing a man-in-the-middle attack, ...

Ssh's behavior is appropriate. It realizes the keys don't match. 

> ... and to set the correct key in ~/.ssh/known_hosts.  
> (I tried using "1.2.3.4:1001" and "1.2.3.4:1002" in known_hosts, 
> but they get ignored.)

Josh gave you one solution; I'll give you another that works for
me in a similar situation. Instead of accessing the machines by raw IP,
access them by different _names_. E.g.,

   ssh -p 1001 firewall
   ssh -p 1002 behind

Add two lines in /etc/hosts, something like: 

   1.2.3.4 firewall
   1.2.3.4 behind

For fun, go back and look at your known_hosts file. 

> Is my only option to edit known_hosts each time I want to switch the
> server I log in to? 

No, although I also used to do just that. 

> (or log in to one, then log in to the other using
> the private IP address)

No, although you can do that, it sure sucks. 

I'll have to try Josh's solution also some time. 
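
The effect discussed in this message, as an added example that is not part of the original post: a simplified Python model of how ssh looks up a host key by the name given on the command line. The key strings and the helper functions are constructed for illustration and are not OpenSSH code.

```python
# Added example: simplified model of ssh's known_hosts lookup, not OpenSSH code.
# Assumptions: entries are matched only on the name typed on the command line
# (port and the CheckHostIP address cross-check are ignored), unknown keys are
# accepted on first use, and the key strings are constructed placeholders.

# Constructed: which host key answers behind each forwarded port on 1.2.3.4.
FORWARDED = {
    1001: ("ssh-ed25519", "AAAA-constructed-key-of-machine-one"),
    1002: ("ssh-ed25519", "AAAA-constructed-key-of-machine-two"),
}

def parse_known_hosts(text):
    """Map each plain host name to the set of (keytype, key) pairs listed for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers, hashed names and truncated lines.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        for name in fields[0].split(","):
            table.setdefault(name, set()).add((fields[1], fields[2]))
    return table

def check(table, name, keytype, key):
    """Return 'ok', 'unknown' or 'mismatch' for the key a server presented."""
    keys = {k for t, k in table.get(name, ()) if t == keytype}
    if not keys:
        return "unknown"
    return "ok" if key in keys else "mismatch"

def connect(table, name, port):
    """Model `ssh -p PORT NAME`; record the key when the name is still unknown."""
    keytype, key = FORWARDED[port]
    status = check(table, name, keytype, key)
    if status == "unknown":
        table.setdefault(name, set()).add((keytype, key))
    return status

def demo():
    by_ip = parse_known_hosts("# constructed, empty known_hosts\n")
    by_name = parse_known_hosts("")
    return {
        "ip": [connect(by_ip, "1.2.3.4", p) for p in (1001, 1002, 1001)],
        "name": [connect(by_name, n, p) for n, p in
                 (("firewall", 1001), ("behind", 1002),
                  ("firewall", 1001), ("behind", 1002))],
    }

if __name__ == "__main__":
    print(demo())
```

In the model, the second connection by raw IP reports a mismatch because both machines share one known_hosts name, while the two names each keep their own key.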


