
Bug#387376: ssh: Can't have different host keys for different ports but same address (NAT)



Package: ssh
Version: 1:4.3p2-3
Severity: normal


I have several PCs behind a NAT firewall.
I want to be able to ssh into any of them, going via a single
one is bad because I can't know which ones are up in advance.

So the NAT router forwards various ports to the different servers.

Unfortunately, ssh always checks the host key against the IP
address only, and so it thinks there is a man-in-the-middle
attack when I try the second PC instead of the first.

Because then the key changes, but the IP address seems to not change.
But it really is another PC, because the port is different
and therefore forwarded to a different PC.



I appreciate the host key checking, but:
It should not be tied to the IP address alone, it should
be tied to the ip:port pair.  That will keep the security,
but now <same ip:different port> will be allowed to have
different host keys.  <same ip:same port> will still not be allowed
to change its key.


I am not sure using the same host key everywhere will be good,
if one PC is compromised, then all is . . .


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (800, 'stable'), (700, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-rc6-mm2
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)

Versions of packages ssh depends on:
ii  openssh-client                1:4.3p2-3  Secure shell client, an rlogin/rsh
ii  openssh-server                1:4.3p2-3  Secure shell server, an rshd repla

ssh recommends no packages.

-- debconf-show failed
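The ip:port keying the report asks for is how OpenSSH's known_hosts format records a host on a non-default port: as `[host]:port`, while a bare host name means port 22. The Python below is an added example, not part of the bug report or of OpenSSH; it reimplements that lookup (plain and hashed `|1|salt|hmac` entries) over a constructed known_hosts with three boxes behind one NAT address and classifies a presented key as ok, unknown or mismatch.

```python
"""known_hosts lookup keyed on (host, port): OpenSSH stores a host on a non-default
port as "[host]:port", so boxes behind one NAT address can each keep their own key.
@revoked/@cert-authority markers and wildcard patterns are not handled here."""
import base64
import hashlib
import hmac

def host_pattern(host: str, port: int) -> str:
    """Name under which a host:port pair is stored in known_hosts."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_pattern(name: str, salt: bytes) -> str:
    """Hashed form ("|1|salt|hmac-sha1") written by HashKnownHosts / ssh-keygen -H."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def pattern_matches(pattern: str, name: str) -> bool:
    """True if one known_hosts host pattern (plain or hashed) covers `name`."""
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|", 3)[2])
        return hmac.compare_digest(hash_pattern(name, salt), pattern)
    return pattern == name

def check_host_key(known_hosts: str, host: str, port: int, key_type: str, key: str) -> str:
    """Classify the key presented by host:port as "ok", "unknown" or "mismatch"."""
    name = host_pattern(host, port)
    seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#"):
            continue
        if not any(pattern_matches(p, name) for p in fields[0].split(",")):
            continue
        if fields[1] != key_type:  # another algorithm for the same host is no conflict
            continue
        seen = True
        if fields[2] == key:
            return "ok"
    return "mismatch" if seen else "unknown"

# Constructed sample data: one NAT address, three boxes, fake key blobs.
NAT_ADDRESS = "203.0.113.10"
SALT = b"constructed-20B-salt"
KNOWN_HOSTS = "\n".join([
    f"{NAT_ADDRESS} ssh-ed25519 KEY_ROUTER",      # port 22: the router itself
    f"[{NAT_ADDRESS}]:2201 ssh-ed25519 KEY_PC1",  # port 2201: forwarded to the first PC
    f"{hash_pattern(host_pattern(NAT_ADDRESS, 2202), SALT)} ssh-ed25519 KEY_PC2",  # hashed
])
```

For the report's setup without editing known_hosts by hand, a `Host` stanza in ssh_config with `HostName`, `Port` and `HostKeyAlias` makes ssh record each box under its alias instead of the shared address.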



