SSH login warning message on a server with 2 DNS names

Question

I am doing ssh to server x1.example.com from a laptop sometimes from outside and sometimes from lan. From lan I just say

ssh karl@x1

and from wan:

ssh [email protected]

But from lan I get always a warning: remote host identification has changed.

I can delete the other key in the known_hosts file each time, but I was wondering if there is a better solution.

I am hesitating to turn the key verification off, because this would be less secure. But getting a warning all the time is also unsecure (because I ignore such warnings all the time then)

Answer 1

In known_hosts file you can list several names and even IP's for one key, for example:

x1,x1wan.example.com,192.168.0.134,23.41.51.23 ssh-rsa AAAA/bunch/of/gibberish/looking/data/==

But it is not your problem here. If you have a warning that host identification has changed it really means that. It means that between a moment of your first connection to this host from lan and now, somebody regenerated a host key for this host, for example while reinstalling the OS. Or that you have a man-in-the-middle attack.

Confirm with your admin that a host was reinstalled and host key regenerated and then remove old key from your known_hosts file. Next time you connect you'll add a new, correct key to known_hosts file and this warning will go away.

Answer 2

I think it is actually one name, technically.

Assign a second host name (maybe via your hosts file) to access your server from the WAN: E.g.:

ssh [email protected]

I access a server via ssh with two different names (same IP) with no warnings. E.g.: name1.example.com and name2.example.com