如何使用相同(但更改)IP地址上的2个不同主机处理ssh主机密钥验证? [英] How to handle ssh host key verification with 2 different hosts on the same (but changing) IP address?

问题描述

我在nat防火墙后面有2台SSH服务器，该服务器每天都会更改其WAN IP.在给定的时间，它们始终在相同的WAN IP地址上，但在不同的端口上.

I have 2 ssh servers behind a nat firewall at a location that changes its wan IP every day. They are always at the same wan IP address on a given time but on different ports.

我以这种方式连接到服务器A:

I am connecting to server A this way:

ssh -p 22001 karl@x1.example.com

并发送到服务器B:

ssh -p 22002 karl@x2.example.com

因此，对于相同的IP，甚至当同一主机的IP发生变化时，我都会获得2个不同的主机密钥.

So I get 2 different host keys for the same IP, and also when the IP changes even a different IP for the same host.

我必须继续删除known_hosts文件中的其他密钥或旧密钥(如果更改了IP).

I have to go on deleting over and over the other key or the old key (in case of IP change) in the known_hosts file.

我很想关闭密钥验证，因为这样做的安全性较低.但是，始终获得警告也是不安全的(因为那时我一直都忽略这样的警告).有更好的解决方案吗?

I am hesitating to turn the key verification off, because this would be less secure. But getting a warning all the time is also unsecure (because I ignore such warnings all the time then). Is there a better solution?

这与我在这里的旧问题有关，但不相同:

This is related to my old question here but not the same:

服务器上的SSH登录警告消息具有2个DNS名称

推荐答案

我认为这会起作用:

在您的.ssh目录中创建一个config文件，如下所示:

Create a config file in your .ssh directory as follows:

Host server1
  Hostname x1.example.com
  HostKeyAlias server1
  CheckHostIP no
  Port 22001
  User karl

Host server2
  Hostname x2.example.com
  HostKeyAlias server2
  CheckHostIP no
  Port 22002
  User karl

下面的解释(来自man ssh_config)

CheckHostIP

如果此标志设置为 是"，ssh(1)将另外检查 已知主机中的主机IP地址 文件.这使ssh可以检测是否 由于DNS欺骗，主机密钥已更改. 如果该选项设置为否"，则 不会执行检查.这 默认值为是".

If this flag is set to "yes", ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to "no", the check will not be executed. The default is "yes".

HostKeyAlias

指定应使用的别名，而不是真实的 查找或将主机密钥保存在主机密钥中时的主机名 数据库文件.此选项对建立SSH隧道很有用 连接或单个主机上运行的多个服务器.

Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files. This option is useful for tunneling SSH connections or for multiple servers running on a single host.

Username和Port行避免了您也必须在命令行中提供这些选项，因此您可以使用:

The Username and Port line avoids you having to give those options on the command line, too, so you can just use:

% ssh server1
% ssh server2

这篇关于如何使用相同(但更改)IP地址上的2个不同主机处理ssh主机密钥验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！