Home / server / Questions / 141553
Accepted
Prody
Asked: 2010-05-14 07:35:35 +0800 CST

How to make ssh match known_hosts to host/ip:port instead of just host/ip?

  • 772

I have two machines behind a firewall, with the ssh ports forwarded to 2201 and 2202.

When I

ssh host -p 2201

it asks if I trust the machine, I say yes, it gets added to ~/.ssh/known_hosts

Then I 

ssh host -p 2202

It doesn't let me, because there's already an entry for this IP in ~/.ssh/known_host:1 (the file was empty when I started, so line 1 is the one added by the previous ssh run).

This happens on CentOS 5.4.

On other distros (I've tried Arch), it appears that ssh matches the known_hosts to the ports too, so I can have multiple fingerprints for multiple ports on the same host/ip without any problems.

How can I get this same behavior for CentOS?

I couldn't find anything in man ssh_config (or at least not without disabling fingerprint checking).

I've found a temporary solution. If the known_hosts file has more than one entry for the same IP, it will check all of them before concluding something is wrong. But I'd really hate this to be the solution.

ssh known-hosts

4 Answers

  1. ~/.ssh/config:

    Host foohost-2201
    Hostname foohost.domain.tld
    # This should comply with the format used in OpenSSH 5.
    HostkeyAlias "[foohost.domain.tld]:2201"
    User username
    Port 2201

    And seriously, upgrade.

    • 8
  2. Best Answer

    The version of OpenSSH that comes with CentOS 5 does not support port numbers in known_hosts. You will need to build and install a newer version if you want this to work.

    • 5

  3. Use this if your openssh client does not support host+port based entries:

    The directive 'GlobalKnownHostsFile' can be misused to point to a different file for each of your 2 firewalled machines (here Alice and Bob). However these two files have to be prepared with correct host keys of either alice or bob in advance as they are not written to when accepting unknown keys.

    It's not really fun to set up but once it's done it works.

    My previous workaround before this was 'StrictHostKeyChecking no' which does not allow ssh-agent to forward keys nor to have ports forwarded (blocked by openssh when used).

    My .ssh/config looked like this until recently:

    Host hoppingstation
        Hostname loginhost.somewhere.net
        User me
        LocalForward 2201 alice.somewhere.net:22
        LocalForward 2202 bob.somewhere.net:22
Host alice
        Hostname localhost
        Port 2201
        User root
        ForwardAgent yes
        GlobalKnownHostsFile /home/me/.ssh/known_hosts_alice
Host bob
        Hostname localhost
        Port 2202
        User root
        ForwardAgent yes
        GlobalKnownHostsFile /home/me/.ssh/known_hosts_bob
    • 4

  4. my solution; add detailed host information to ~/.ssh/config:

    Host <someidentifier>
    Hostname ip.add.re.ss
    StrictHostKeyChecking no
    User username
    Port 2201

Host <someotheridentifier>
    Hostname ip.add.re.ss
    StrictHostKeyChecking no
    User username
    Port 2202

    then you can do ssh someidentifier without even having to supply -p etc.

    • 1