
I am doing ssh to server x1.example.com from a laptop, sometimes from outside and sometimes from the LAN. From the LAN I just say

ssh karl@x1

and from the WAN:

ssh [email protected]

But from the LAN I always get a warning: remote host identification has changed.

I can delete the other key in the known_hosts file each time, but I was wondering if there is a better solution.

I am hesitant to turn the key verification off, because this would be less secure. But getting a warning all the time is also insecure (because I then ignore such warnings all the time).

+1  A: 

I think it is actually one name, technically.

Assign a second host name (maybe via your hosts file) to access your server from the WAN: E.g.:

ssh [email protected]

I access a server via ssh with two different names (same IP) with no warnings. E.g.: name1.example.com and name2.example.com

Stu Thompson
This is funny. Thank you. I chose the same name trying to avoid this problem.
Karl Thorwald
If box x1 on the LAN and x1.example.com on the WAN resolve to a single IP then you don't need any of this! Just ssh [email protected]. (PS: If this works, don't forget to mark the answer as correct!)
Stu Thompson
+2  A: 

In the known_hosts file you can list several names and even IPs for one key, for example:

x1,x1wan.example.com,192.168.0.134,23.41.51.23 ssh-rsa AAAA/bunch/of/gibberish/looking/data/==

But that is not your problem here. If you get a warning that the host identification has changed, it really means that. It means that between the moment of your first connection to this host from the LAN and now, somebody regenerated the host key for this host, for example while reinstalling the OS. Or that you have a man-in-the-middle attack.

Confirm with your admin that the host was reinstalled and the host key regenerated, and then remove the old key from your known_hosts file. Next time you connect you'll add a new, correct key to the known_hosts file and this warning will go away.

Tometzky
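
An added example, not part of the answer above: a standard-library Python check that reads known_hosts text and reports when names for the same server are recorded with different keys, giving SHA256 fingerprints in the form `ssh-keygen -l` prints so they can be confirmed with the admin. The function names and the sample key blobs are constructed for illustration; the host names and IPs are the ones used on this page.

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern, name):
    """Plain name/IP or hashed (|1|salt|HMAC-SHA1) entry; wildcards not handled."""
    if pattern.startswith("|1|"):
        salt, mac = (base64.b64decode(p) for p in pattern[3:].split("|"))
        return hmac.compare_digest(mac, hmac.new(salt, name.encode(), hashlib.sha1).digest())
    return pattern == name

def keys_for(known_hosts_text, name):
    """Return the set of (keytype, fingerprint) pairs recorded for one name."""
    found = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers, short lines.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        hosts, keytype, key_b64 = fields[:3]
        if any(host_matches(h, name) for h in hosts.split(",")):
            found.add((keytype, fingerprint(key_b64)))
    return found

def conflicts(known_hosts_text, aliases):
    """Map keytype -> {fingerprint: [aliases]} where aliases disagree on the key."""
    by_type = {}
    for alias in aliases:
        for keytype, fp in keys_for(known_hosts_text, alias):
            by_type.setdefault(keytype, {}).setdefault(fp, []).append(alias)
    return {t: fps for t, fps in by_type.items() if len(fps) > 1}

def sample_blob(label):
    """Constructed stand-in for a public key blob (not a real key)."""
    return base64.b64encode(label.encode()).decode()

# Constructed sample: the short and the full name were learned with different keys.
SPLIT = "\n".join(["x1 ssh-rsa " + sample_blob("key seen first"),
                   "x1.example.com,23.41.51.23 ssh-rsa " + sample_blob("key seen later")])
# Constructed sample: one line listing every name and IP for the same key.
MERGED = "x1,x1.example.com,192.168.0.134,23.41.51.23 ssh-rsa " + sample_blob("key seen later")

if __name__ == "__main__":
    print(conflicts(SPLIT, ["x1", "x1.example.com"]))   # two fingerprints to check with the admin
    print(conflicts(MERGED, ["x1", "x1.example.com"]))  # {}
```

A non-empty result means the names disagree about the key; which fingerprint is the genuine one still has to be confirmed out of band before any line is removed.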
A: 

Thank you very much for your answers.

Sorry folks, I lost my cookie based login and cannot rate or edit anymore. Your questions helped me to get around the problem when I change from LAN to WAN. I regard this question as solved.

But now I see the problem goes even deeper because I also have 2 hosts on the same IP, and the IP also changes, which I am covering (from my new account which I cannot lose anymore) in a new question with more details:

http://stackoverflow.com/questions/733753/how-to-handle-ssh-host-key-verification-with-2-different-hosts-on-the-same-but-c