I have a machine behind a firewall. I connect to it remotely using a VPN tunnel with a port forward through ssh. To connect to the machine I use the external IP of the VPN and my personal, temporarily assigned port. The command I use is:
ssh USER@VPN_IP -p PORT
Since VPN_IP and PORT change frequently I cannot take advantage of saving the host key in known_hosts to get rid of man-in-the-middle attacks, but at the same time the host key is well known to me and I could provide it to ssh in order to use it for the current VPN_IP and PORT combination. Is that possible? How?
Best Answer
The known_hosts file is for providing these keys and there's no direct command line alternative (and it wouldn't be so handy, anyway). However, your goal is completely possible with the known_hosts file! Read through man sshd's ssh_known_hosts file format.
It is possible to use wildcards in ~/.ssh/known_hosts (and /etc/ssh/ssh_known_hosts):
It is possible to make a key trusted for a network range, if known, e.g. for TEST-NET-2:
multiple ranges (e.g. all TEST-NETs) using a comma-separated list:
or even when connecting anywhere:
If this key is not present, it will still warn you about the authenticity of the other keys, show the fingerprint and add it automatically, if you answer yes. The comparison is done line by line.