How to handle ssh host key verification with 2 different hosts on the same (but changing) IP address? [closed]

I have 2 ssh servers behind a NAT firewall at a location that changes its WAN IP every day. At any given time they are both reachable at the same WAN IP address, but on different ports.

I am connecting to server A this way:

ssh -p 22001 [email protected] 

and to server B:

ssh -p 22002 [email protected] 

So I get 2 different host keys for the same IP, and when the IP changes I also get a different IP for the same host.

I have to keep deleting the other host's key, or the old key (in case of an IP change), from the known_hosts file over and over.

I am hesitant to turn host key verification off, because that would be less secure. But getting a warning all the time is also insecure (because then I end up ignoring such warnings every time). Is there a better solution?

This is related to my old question here but not the same:

SSH login warning message on a server with 2 DNS names

asked Apr 09 '09 by user89021


1 Answer

I think this will work:

Create a config file in your .ssh directory as follows:

Host server1
    Hostname x1.example.com
    HostKeyAlias server1
    CheckHostIP no
    Port 22001
    User karl

Host server2
    Hostname x2.example.com
    HostKeyAlias server2
    CheckHostIP no
    Port 22002
    User karl

Explanation below (from man ssh_config):

CheckHostIP

If this flag is set to "yes", ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to "no", the check will not be executed. The default is "yes".

HostKeyAlias

Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files. This option is useful for tunneling SSH connections or for multiple servers running on a single host.

The User and Port lines save you from having to give those options on the command line too, so you can just use:

% ssh server1
% ssh server2

answered Oct 22 '22 by Alnitak
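With HostKeyAlias the entries in ~/.ssh/known_hosts are recorded under the alias ("server1", "server2") instead of the changing WAN address, so each server keeps its own key line and the old IP-keyed lines become dead weight. The following Python script, added here as an illustration and not part of the answer or of OpenSSH, parses a constructed known_hosts file, resolves a name against both plain and hashed (HashKnownHosts) host fields, and lists leftover entries that are not covered by any configured alias. The key strings and the 203.0.113.10 address are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterator, List, Tuple

# Constructed known_hosts content with fake keys. The first two lines are
# what results after connecting through the aliased Host blocks; the third
# is a stale entry left over from connecting by WAN address and port.
KNOWN_HOSTS = """\
server1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYFORSERVER1xxxxxxxxxxxxxxx
server2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYFORSERVER2xxxxxxxxxxxxxxx
[203.0.113.10]:22001 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYFORSERVER1xxxxxxxxxxxxxxx
"""


def hashed_host(name: str, salt: bytes = b"") -> str:
    """Build the |1|salt|hmac host field ssh writes when HashKnownHosts is on."""
    salt = salt or os.urandom(20)  # sshd uses a 20-byte salt with HMAC-SHA1
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, name: str) -> bool:
    """Match one host field (plain, [host]:port, or hashed) against a name."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return pattern == name


def parse_known_hosts(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (host_field, keytype, key); comments and @marker lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        for host in parts[0].split(","):  # one entry may list several hosts
            yield host, parts[1], parts[2]


def keys_for(text: str, name: str) -> List[Tuple[str, str]]:
    """All (keytype, key) pairs recorded for a name, as ssh would look them up."""
    return [(kt, k) for h, kt, k in parse_known_hosts(text) if host_matches(h, name)]


def stale_entries(text: str, aliases: set) -> List[str]:
    """Plain host fields not matching any alias: candidates for removal after the switch."""
    return [h for h, _, _ in parse_known_hosts(text)
            if not h.startswith("|1|") and h not in aliases]
```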