[sclug] Home wireless lan

Paul Vanlint paul at polyzing.com
Sat Oct 25 09:05:48 UTC 2003


There is one issue that I have come across that can be a pain when ssh'ing
in through a NAT box.

I have the draytek wireless/adsl/router/switch box and it is really nice to
use.

Not all boxes allow port translation, so if you want to avoid the hassle of
modifying your internal network, I would recommend getting a solution which
allows incoming ports to be translated to different ports on the internal
machines.

All my internal machines are running ssh, listening on port 22. I configured
my NAT box to redirect a range of ports, e.g. 9000-9005 to port 22 on the
appropriate machines.

The issue I have is:

The client outside the NAT will see the same ip address belonging to
different machines with different keys and you get this message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
...
Please contact your system administrator.
Add correct host key in /home/me/.ssh/known_hosts2 to get rid of this
message.
Offending key in /home/me/.ssh/known_hosts2:3
RSA host key for www.polyzing.com has changed and you have requested strict
checking.


The problem is it thinks that someone else is masquerading as your server.

I believe that there are a number of ways to address this:

1) Set up a different domain name for each machine that all resolve to the
same ip address, e.g. one.polyzing.com, two.polyzing.com etc. This may give
you a warning still when you try to login.

2) Turn off strict checking of host keys. I haven't tried this, but it seems
a little dangerous.

3) Simply delete the known_hosts2 file each time you switch between hosts.
This is also a little dangerous.

4) Hypothesising now. Can I set up ssh v1 to refer to one machine and ssh v2
to refer to the other so that they don't clash?

5) Can I explicitly tell ssh to allow different host keys for different
ports on the same ip?

This seems like it would be a common problem and PuTTY under windows seems
fine with it.

Anyone know of a better way to fix this?

Regards,

Paul.

> -----Original Message-----
> From: sclug-admin at sclug.org.uk [mailto:sclug-admin at sclug.org.uk]On
> Behalf Of Tom Dawes-Gamble
> Sent: Thursday, July 17, 2003 6:45 PM
> To: suttont at onetel.net.uk
> Cc: Silcon Coridor Linux User Group
> Subject: Re: [sclug] Home wireless lan
>
>
> Hi Tim,
>
> 	Yes you can.  I can get you can.  In fact I was using one
> yesterday.
> The one thing wrong with it was each time you altered the config it
> rebooted.  :-(
>
> 	If required I can get some make and Model number data for you.
>
> Tom.
>
>
>
>
> On Thu, 2003-07-17 at 07:29, Tim Sutton wrote:
> >
> > Hi
> >
> > Thanks. I actually meant if I install one of those blackbox access point /
> > router / firewall / cablesharing jobs, will I still be able to ssh in? I
> > realise I can do it with ipcop / smoothwall / debian etc. firewall.
> >
> > Cheers
> >
> > Tim
> >
> > On Wednesday 16 July 2003 7:52 pm, Tom Dawes-Gamble wrote:
> > > On Wed, 2003-07-16 at 10:42, Tim Sutton wrote:
> > > >
> > > > > I think if I was doing things today I'd go for an ADSL wireless
> > > > > router. They mostly include Firewall, DHCP server and NAT. All in
> > > > > one nice little box. Far neater than my current solution of
> > > > > ADSL modem -> IpCop firewall/router -> hub -> wireless hub.
> > > >
> > > > If I install one of these, is it still possible to ssh into my network
> > > > from elsewhere? I use dyndns at the moment to ssh into my laptop when I
> > > > am at work.
> > >
> > > Yes. On my IpCop Firewall I port forward ssh to a system in my orange
> > > DMZ and then I have a pinhole that lets me get to a system on the
> > > protected network.
> > >
> > > dyndns should of course point to the current IP address.
> > >
> > > Tom.
> >
> > - --
> > Get my public keys from:
> >
> > http://tim.suttonfamily.co.uk/modules.php?name=Content&pa=showpage&pid=2
> >
> --
> There are 10 sorts of people.
> Those that understand binary and those that don't!
>
>
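The collision Paul describes (one public address, several forwarded ports, several host keys) shows up in known_hosts as one hostname mapped to more than one key. The script below is an added example, not something from the thread: it parses a constructed known_hosts sample, reports such collisions, and emits the ssh_config stanza (OpenSSH's real `HostKeyAlias` option) that gives each forwarded port its own host-key identity so strict checking can stay on. Names such as `one`, the port numbers and all key material are made up for the example.

```python
"""Spot host-key collisions behind a NAT box and keep strict host checking on."""
from collections import defaultdict

# Constructed sample known_hosts: two different RSA keys recorded under the same bare
# hostname (the warning Paul sees), plus two port-qualified entries that coexist happily.
# OpenSSH writes "[host]:port" entries itself for non-default ports; a HostKeyAlias
# entry is stored under the alias name instead of the hostname.
SAMPLE_KNOWN_HOSTS = """\
www.polyzing.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyOne
www.polyzing.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyTwo
[www.polyzing.com]:9000 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyOne
[www.polyzing.com]:9001 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyTwo
|1|constructedSalt|constructedHash ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructed
"""


def parse_known_hosts(text):
    """Yield (name, keytype, key) for each plain-text entry; hashed entries are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):           # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue                             # hashed names cannot be grouped by host
        names, keytype, key = fields[0], fields[1], fields[2]
        for name in names.split(","):            # one line may list several names
            yield name, keytype, key


def find_conflicts(text):
    """Return {"name (keytype)": [keys]} for every name that maps to more than one key."""
    seen = defaultdict(set)
    for name, keytype, key in parse_known_hosts(text):
        seen[(name, keytype)].add(key)
    return {f"{n} ({t})": sorted(k) for (n, t), k in seen.items() if len(k) > 1}


def ssh_config_stanza(alias, hostname, port):
    """ssh_config stanza: each forwarded port gets its own known_hosts identity."""
    return (f"Host {alias}\n    HostName {hostname}\n"
            f"    Port {port}\n    HostKeyAlias {alias}\n")


if __name__ == "__main__":
    for name, keys in find_conflicts(SAMPLE_KNOWN_HOSTS).items():
        print(f"{name}: {len(keys)} different keys recorded")
    print(ssh_config_stanza("one", "www.polyzing.com", 9000))
```

With a stanza per machine in ~/.ssh/config, `ssh one` and `ssh two` each verify against their own recorded key instead of fighting over the entry for www.polyzing.com.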