I have a Server behind a Port-forwarding Firewall.
Server <---> Firewall <------> NAT Port 222
                |
                -----------> VPN
I can ssh into it with a key from the VPN. Doing this on the server:
sever:~> ssh-keygen -lf /etc/ssh/ssh_rsa_host_key
Shows the HOSTKEY
I try to ssh into it from the outside:
ssh server.external
Results in "REMOTE HOST IDENTIFICATION HAS CHANGED"
The fingerprint for the RSA key sent by the remote host is
HOSTKEY.EXTERN
The fingerprints HOSTKEY and HOSTKEY.EXTERN are different.
If I ssh into it via the VPN and its internal IP all is fine.
Two questions:
- Why are HOSTKEY.EXTERN and HOSTKEY fingerprints different?
- How can I check the reported host key from the outside?
EDIT: Answer to Part 2 and more strange findings:
I now did 'ssh-keyscan server' internally and externally, two different keys are the result.
ssh-keyscan server.external > server.external.keyscan
ssh-keyscan server.internal > server.internal.keyscan
then I fingerprint those:
ssh-keygen -lf server.external.keyscan
ssh-keygen -lf server.internal.keyscan
Two different fingerprints. I do not get it.
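The check asked for in question 2, as an added example that is not part of the original post: it parses two captures of `ssh-keyscan` output (internal and external), derives the same `SHA256:` fingerprint that a current `ssh-keygen -lf` prints (base64 of the SHA-256 of the decoded key blob, padding stripped; older OpenSSH prints MD5 instead, which this does not reproduce), and reports per key type whether the two vantage points agree. The two keyscan captures below are constructed toy blobs, not real keys, and are arranged so that the RSA key differs while the ed25519 key matches; a mismatch on every key type, as in the question, means the TCP session from outside is answered by a different SSH daemon than the one on the server, which is worth identifying before trusting either key.

```python
"""Compare SSH host keys seen from two vantage points (added example).

Input is the text that `ssh-keyscan <host>` writes: one
"<host> <keytype> <base64-blob>" line per key, plus '#' comment lines.
"""
import base64
import hashlib
import struct


def parse_keyscan(text):
    """Return {keytype: raw_key_blob} from ssh-keyscan output; comments skipped."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # not a host-key line
        _host, keytype, b64 = parts[0], parts[1], parts[2]
        keys[keytype] = base64.b64decode(b64)
    return keys


def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '='."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def compare(internal_text, external_text):
    """Per key type: (internal_fp, external_fp, match); a missing side is None."""
    inside = parse_keyscan(internal_text)
    outside = parse_keyscan(external_text)
    result = {}
    for keytype in sorted(set(inside) | set(outside)):
        fp_in = fingerprint(inside[keytype]) if keytype in inside else None
        fp_out = fingerprint(outside[keytype]) if keytype in outside else None
        result[keytype] = (fp_in, fp_out, fp_in is not None and fp_in == fp_out)
    return result


def _toy_blob(keytype, *fields):
    """Build a base64 SSH wire-format blob (uint32 length-prefixed strings).

    Constructed sample data for this example only; the field contents are not
    a usable key, but the fingerprint arithmetic is the same as for a real one.
    """
    out = struct.pack(">I", len(keytype)) + keytype.encode()
    for field in fields:
        out += struct.pack(">I", len(field)) + field
    return base64.b64encode(out).decode()


# Constructed captures: RSA differs between the two views, ed25519 is identical.
INTERNAL_KEYSCAN = (
    "# server.internal:22 SSH-2.0-OpenSSH (constructed sample)\n"
    "server.internal ssh-rsa "
    + _toy_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(range(1, 33))) + "\n"
    "server.internal ssh-ed25519 "
    + _toy_blob("ssh-ed25519", bytes(range(32))) + "\n"
)
EXTERNAL_KEYSCAN = (
    "server.external ssh-rsa "
    + _toy_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(range(33, 65))) + "\n"
    "server.external ssh-ed25519 "
    + _toy_blob("ssh-ed25519", bytes(range(32))) + "\n"
)


def report(result):
    """Human-readable summary, one line per key type."""
    lines = []
    for keytype, (fp_in, fp_out, match) in result.items():
        status = "MATCH" if match else "MISMATCH"
        lines.append(f"{keytype:12} {status:8} internal={fp_in} external={fp_out}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(compare(INTERNAL_KEYSCAN, EXTERNAL_KEYSCAN)))
```

To run it against real captures, replace the two constructed strings with the contents of `server.internal.keyscan` and `server.external.keyscan` from the question; the per-type fingerprints it prints are the ones to compare against `ssh-keygen -lf` run on the server's own `/etc/ssh/ssh_host_*_key.pub` files.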
SSH is picky in that the hostname must match for a given key in known_hosts. Because you're accessing it from the outside, your SSH client is seeing the server coming from external.ip instead of its internal address. The best way I can think of to fix this is to have two keypairs - one for external access, and one for internal. This way both will be in known_hosts.