[sclug] Home wireless lan

Tom Dawes-Gamble tmdg at tmdg.co.uk
Sat Oct 25 09:05:48 UTC 2003


On Thu, 2003-07-17 at 23:16, Paul Vanlint wrote:

> 
> All my internal machines are running ssh, listening on port 22. I configured
> my NAT box to redirect a range of ports, e.g. 9000-9005 to port 22 on the
> appropriate machines.
> 

I'm not sure it's a good thing to leave all of the systems open for ssh
from the big bad world outside.  It would be much better IMHO to have
one system you ssh to and use that as a staging post to the other
systems behind your firewall.

> The issue I have is:
> 
> The client outside the NAT will see the same ip address belonging to
> different machines with different keys and you get this message:
> 
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> 
> The problem is it thinks that someone else is masquerading as your server.
> 
> I believe that there are a number of ways to address this:
> 
> 1) Set up a different domain name for each machine that all resolve to the
> same ip address, e.g. one.polyzing.com, two.polyzing.com etc. This may give
> you a warning still when you try to login.
> 

I think that would work. AFAIK ssh only looks at the name you use. So
if you ssh to foo.polyzing.com it adds a key to your host file. If you
then ssh to foo you get a second copy of the same key.  If you then ssh
to the ip address you get a third copy.

> 2) Turn off strict checking of host keys. I haven't tried this, but it seems
> a little dangerous.
> 
I've never tried that. But as you say it sounds dangerous.

> 3) Simply delete the known_hosts2 file each time you switch between hosts.
> This is also a little dangerous.
> 

You would get the new key added each time you log on.  But worse, you
would never know if you had connected to the real system or a bogus one.

> 4) Hypothesising now. Can I set up ssh v1 to refer to one machine and ssh v2
> to refer to the other so that they don't clash?
> 

ssh v1 is insecure IIRC.

> 5) Can I explicitly tell ssh to allow different host keys for different
> ports on the same ip?
> 

I don't think so.

> This seems like it would be a common problem and PuTTY under windows seems
> fine with it.
> 
> Anyone know of a better way to fix this?
> 

Using differing host names would look like the best solution to me if
you *have* to have all hosts available to the outside world.

> Regards,
> 
> Paul.
> 
> > -----Original Message-----
> > From: sclug-admin at sclug.org.uk [mailto:sclug-admin at sclug.org.uk]On
> > Behalf Of Tom Dawes-Gamble
> > Sent: Thursday, July 17, 2003 6:45 PM
> > To: suttont at onetel.net.uk
> > Cc: Silicon Corridor Linux User Group
> > Subject: Re: [sclug] Home wireless lan
> >
> >
> > Hi Tim,
> >
> > 	Yes you can.  I can get you can.  In fact I was using one
> > yesterday.
> > The one thing wrong with it was each time you altered the config it
> > rebooted.  :-(
> >
> > 	If required I can get some make and Model number data for you.
> >
> > Tom.
> >
> >
> >
> >
> > On Thu, 2003-07-17 at 07:29, Tim Sutton wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Hi
> > >
> > > Thanks. I actually meant if I install one of those blackbox
> > > access point / router / firewall / cablesharing jobs, will I still
> > > be able to ssh in? I realise I can do it with ipcop / smoothwall /
> > > debian etc. firewall.
> > >
> > > Cheers
> > >
> > > Tim
> > >
> > > On Wednesday 16 July 2003 7:52 pm, Tom Dawes-Gamble wrote:
> > > > On Wed, 2003-07-16 at 10:42, Tim Sutton wrote:
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > > > I think if I was doing things today I'd go for an  ADSL wireless
> > > > > > router. They mostly include
> > > > > > Firewall, DHCP server and NAT.  All in one nice little box.   Far
> > > > > > neater than my current solution
> > > > > > of  ADSL modem -> IpCop firewall/router -> hub -> wireless hub.
> > > > >
> > > > > If I install one of these, is it still possible to ssh into
> > > > > my network from elsewhere? I use dyndns at the moment to ssh
> > > > > into my laptop when I am at work.
> > > >
> > > > Yes.   On my IpCop firewall I port forward ssh to a system in my
> > > > orange DMZ and then I have a pinhole that lets me get to a system
> > > > on the protected network.
> > > >
> > > > dyndns should of course point to the current IP address.
> > > >
> > > > Tom.
> > >
> > > - --
> > > Get my public keys from:
> > >
> > > http://tim.suttonfamily.co.uk/modules.php?name=Content&pa=showpage&pid=2
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.2.2 (GNU/Linux)
> > >
> > > iD8DBQE/FlBLWvXTJUo0BDoRAoppAJ9vCKNPHTqPu+nAFt8lV/g5rwBmaQCeIH+L
> > > UgylGX4ABINmWYbgxAEMu0Y=
> > > =AipI
> > > -----END PGP SIGNATURE-----
> > >
> > --
> > There are 10 sorts of people.
> > Those that understand binary and those that don't!
> >
> >
-- 
There are 10 sorts of people.
Those that understand binary and those that don't!
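The host-key clash discussed in this thread (several machines behind one NAT address on different forwarded ports, each with its own key) is something a client can audit rather than work around by deleting known_hosts. The script below is an added example, not code from either poster: it parses a known_hosts file, computes OpenSSH-style SHA256 fingerprints, reports every host name that has more than one key recorded for the same key type (the condition behind "REMOTE HOST IDENTIFICATION HAS CHANGED"), and renders ssh_config stanzas that keep each machine's key under its own name. It assumes the `[host]:port` entry form and the `HostKeyAlias`/`HostName`/`Port` options of OpenSSH; the host name `polyzing.example`, the port map and every key blob are constructed placeholders.

```python
"""Audit a known_hosts file for conflicting host keys and emit per-host
ssh_config stanzas. Added example; not from the original thread."""
import base64
import hashlib
from collections import defaultdict


def _blob(label: str) -> str:
    # Constructed stand-in for a base64 host-key blob (not a real key).
    return base64.b64encode(f"constructed-host-key-{label}".encode()).decode()


# Constructed sample: two different machines recorded under the same bare
# name (the clash), the same machines recorded per port as newer OpenSSH
# clients do, and one hashed entry that this parser deliberately skips.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    f"polyzing.example ssh-rsa {_blob('one')}",
    f"polyzing.example ssh-rsa {_blob('two')}",
    f"[polyzing.example]:9000 ssh-rsa {_blob('one')}",
    f"[polyzing.example]:9001 ssh-rsa {_blob('two')}",
    f"[polyzing.example]:9002 ssh-rsa {_blob('three')}",
    f"|1|c2FsdA==|aGFzaA== ssh-rsa {_blob('one')}",
]) + "\n"


def parse_known_hosts(text: str):
    """Return (host_pattern, key_type, key_blob) triples for plain entries.

    Comments, blank lines and hashed (|1|...) entries are skipped; a leading
    @cert-authority / @revoked marker is dropped; comma-separated host lists
    are expanded into one triple per host.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        hosts, key_type, blob = fields[0], fields[1], fields[2]
        for host in hosts.split(","):
            entries.append((host, key_type, blob))
    return entries


def fingerprint(blob: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64, no '='."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_conflicts(entries):
    """Map (host, key_type) -> sorted distinct fingerprints, for entries that
    record more than one key. Such a pair is what makes the client refuse the
    connection with REMOTE HOST IDENTIFICATION HAS CHANGED."""
    seen = defaultdict(set)
    for host, key_type, blob in entries:
        seen[(host, key_type)].add(fingerprint(blob))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def ssh_config_stanzas(public_name: str, port_map: dict) -> str:
    """Render one ssh_config stanza per machine so each key is stored under
    its own alias instead of the shared public name. port_map: alias -> port."""
    lines = []
    for alias, port in sorted(port_map.items()):
        lines += [
            f"Host {alias}",
            f"    HostName {public_name}",
            f"    Port {port}",
            f"    HostKeyAlias {alias}",
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for (host, key_type), prints in find_conflicts(entries).items():
        print(f"CONFLICT {host} ({key_type}): {', '.join(prints)}")
    print(ssh_config_stanzas("polyzing.example",
                             {"one": 9000, "two": 9001, "three": 9002}))
```

Run against a real `~/.ssh/known_hosts`, a conflict report tells you which name is being shared by several machines, so you can rename or split the entries instead of turning off strict checking or deleting the file and losing the record of which keys you had previously accepted. The per-port entries in the sample never conflict, which is why the alias-per-machine config keeps the warning meaningful: it then only fires when a key really has changed.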

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.tmdg.co.uk/pipermail/sclug/attachments/20030718/22aedfd5/attachment.bin
