Multiple host signatures connecting in through NAT


I have noticed a rather critical difference (to me at least) between
OpenSSH and the commercial SSH. OpenSSH associates a key with a
(hostname, ip) whereas SSH uses a (resolved-hostname, port).

I looked into this as a result of trying to use port-redirection on a
NAT box to reach other machines behind the interface using
SSH/OpenSSH. SSH (client) had no problems accepting the fact that
there are different keys on the same host (at different ports).
OpenSSH identified the man-in-the-middle alright, but then seemed to
want to change the recorded key for the host.

Is there a way to have OpenSSH work more like the commercial SSH with
regard to the port discrimination?

Andrew Bashere

Re: Multiple host signatures connecting in through NAT


Kind of.  See the ssh_config man page for HostKeyAlias and CheckHostIP.

Basically, put this into ~/.ssh/config:

Host machine-behind-nat
    # connect to the NAT box, which forwards the port inwards
    Hostname natbox
    # record and verify the host key under this alias, not under "natbox"
    HostKeyAlias machine-behind-nat
    # don't also record/check the IP address, which is shared by every
    # host reached through the NAT box
    CheckHostIP no

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
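The stanza above covers one forwarded host. The case from the original
question is several machines reached through different ports on the same
NAT box, each with its own host key. The following is an added example
(not Darren's config, not part of the original thread) showing how that
extends: every forwarded host gets its own Host stanza with its own Port
and its own HostKeyAlias, so each key lands under a distinct name in
~/.ssh/known_hosts instead of all of them fighting over the entry for
"natbox". The hostnames (alpha, beta, natbox) and the port numbers are
hypothetical.

```ssh_config
# Added example, not from the original post. Assumed setup (hypothetical):
#   natbox:2201 is forwarded to alpha:22
#   natbox:2202 is forwarded to beta:22
# Both machines have different host keys, so the client must not file
# them both under "natbox".

Host alpha-behind-nat
    Hostname natbox
    Port 2201
    # Key is stored and checked under "alpha-behind-nat", so beta's key
    # on another port never triggers a "host key changed" for alpha.
    HostKeyAlias alpha-behind-nat
    # Every alias resolves to the NAT box's address; checking the IP
    # would make all of them collide on the same known_hosts IP entry.
    CheckHostIP no

Host beta-behind-nat
    Hostname natbox
    Port 2202
    HostKeyAlias beta-behind-nat
    CheckHostIP no
```

With this in place, `ssh alpha-behind-nat` records alpha's key on a
known_hosts line keyed by the alias (`ssh-keygen -F alpha-behind-nat`
shows it), and a later `ssh beta-behind-nat` records beta's key
separately rather than prompting to replace alpha's. The security point is
that the alias, not the port, is what the key is bound to: if you later
move port 2202 to a different machine, also change the alias, otherwise
OpenSSH will, correctly, raise the host-key-changed warning, and that
warning should be treated as genuine rather than silenced. Current OpenSSH
releases also record keys for non-default ports under `[host]:port` in
known_hosts, which already separates the entries in this specific
port-forwarding case; HostKeyAlias remains the explicit way to name which
machine a key belongs to, and is needed when the port is not what
distinguishes the targets.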
