
I have a Server behind a Port-forwarding Firewall.

Server <---> Firewall <------> NAT Port 222
                 |
                  -----------> VPN

I can ssh per key into it from the VPN. Doing this on server:

sever:~> ssh-keygen -lf /etc/ssh/ssh_rsa_host_key

Shows the HOSTKEY

I try to ssh into it from the outside:

ssh server.external 

Results in "REMOTE HOST IDENTIFICATION HAS CHANGED"

 The fingerprint for the RSA key sent by the remote host is
 HOSTKEY.EXTERN

The fingerprints HOSTKEY and HOSTKEY.EXTERN are different.

If I ssh into it via the VPN and its internal IP all is fine.

2 Questions:

  1. Why are HOSTKEY.EXTERN and HOSTKEY fingerprints different?
  2. How can I check the reported host key from the outside?

EDIT: Answer to Part 2 and more strange findings:

I now did 'ssh-keyscan server' internally and externally, two different keys are the result.

ssh-keyscan server.external > server.external.keyscan
ssh-keyscan server.internal > server.internal.keyscan

then I fingerprint those:

ssh-keygen -lf server.external.keyscan
ssh-keygen -lf server.internal.keyscan

Two different fingerprints. I do not get it.

AndreasT

1 Answer

SSH is picky in that the hostname must match for a given key in known_hosts. Because you're accessing it from the outside, your SSH client is seeing the server coming from external.ip instead of its internal address.

The best way I can think of to fix is to have two keypairs - one for external access, and one for internal. This way both will be in known_hosts.

Nathan C
  • I know why ssh is complaining, I do not know why these keys are different. – AndreasT Apr 29 '14 at 14:57
  • They aren't. It's complaining because SSH sees a different hostname than what it's *supposed* to be, which can signify a MITM attack even when it's not. – Nathan C Apr 29 '14 at 14:58
  • They are different. Or does the key fingerprint include the Hostname? Even the raw keys (the part after ssh-rsa) are different... – AndreasT Apr 29 '14 at 15:04
  • If the actual key is different that may be a sign you are seeing a MITM somewhere. Are you using different clients from inside vs outside? You might be getting the ecdsa key in one location and the rsa key in another? You could have a new client in one of those locations? – Zoredache Apr 29 '14 at 16:42
  • BTW, you might consider setting two configs in your ssh config file `~/.ssh/config`. One for the external, and one for the internal. Within both entries specify a `HostKeyAlias`. – Zoredache Apr 29 '14 at 16:43
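One way to check whether the two keyscans really return different key material for the same key type (Zoredache's point that one side may be offering the ECDSA key and the other the RSA key), as an added example that is not from the original post or its answers: it parses both `ssh-keyscan` outputs, compares the raw key blobs per key type, and prints fingerprints in the format `ssh-keygen -l` uses. The scan outputs and key blobs below are constructed dummy data, not real host keys.

```python
import base64
import hashlib


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sample scans (dummy blobs, not real keys). The external scan
# offers a different RSA key and no ECDSA key at all.
INTERNAL_SCAN = f"""# server.internal:22 SSH-2.0-OpenSSH (constructed)
server.internal ssh-rsa {_b64(b'rsa-key-A')}
server.internal ecdsa-sha2-nistp256 {_b64(b'ecdsa-key-A')}
"""
EXTERNAL_SCAN = f"""# server.external:222 SSH-2.0-OpenSSH (constructed)
server.external ssh-rsa {_b64(b'rsa-key-B')}
"""


def parse_keyscan(text: str) -> dict:
    """Map key type -> raw key blob. Accepts ssh-keyscan lines
    ("host type blob") and ssh_host_*_key.pub lines ("type blob [comment]")."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                keys[field] = base64.b64decode(fields[i + 1])
                break
    return keys


def fingerprint(blob: bytes, algo: str = "sha256") -> str:
    """Fingerprint a raw key blob the way `ssh-keygen -l -E <algo>` prints it."""
    if algo == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def compare_scans(internal: str, external: str) -> dict:
    """Compare key material per key type only; a client negotiates one key
    type per connection, so an RSA and an ECDSA key are not comparable."""
    a, b = parse_keyscan(internal), parse_keyscan(external)
    result = {}
    for ktype in sorted(set(a) | set(b)):
        if ktype not in a:
            result[ktype] = "external-only"
        elif ktype not in b:
            result[ktype] = "internal-only"
        else:
            result[ktype] = "match" if a[ktype] == b[ktype] else "mismatch"
    return result


if __name__ == "__main__":
    for ktype, status in compare_scans(INTERNAL_SCAN, EXTERNAL_SCAN).items():
        print(f"{ktype:24s} {status}")
```

A "mismatch" for the same key type means the two paths really do terminate at different key material; "internal-only" or "external-only" means the two clients simply negotiated different key types.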