[PLUG] remote ssh and nat
Elliott Mitchell
ehem at m5p.com
Mon Mar 13 08:31:53 UTC 2006
> From: Elliott Mitchell <ehem at m5p.com>
> > From: Paul Heinlein <heinlein at madboa.com>
> > On Sat, 11 Mar 2006, Carla Schroder wrote:
> > > I don't want to be continually replacing host keys, or disabling
> > > StrictHostKeyChecking. What other options are there? (besides
> > > putting everything on routable IPs)
> >
> > I think there are two possible solutions using nothing more than ssh
> > configuration settings. In ~/.ssh/config you can set CheckHostIP to no
> > or set HostKeyAlias to 192.168.1.12 (or its hostname).
>
> The latter may not be as evil as the former, but it is still fairly evil.
...thus showing that one has to read every word sometimes. I meant setting
StrictHostKeyChecking to anything other than the default "ask" or "yes"
is *really* evil (people have been MitM'd for less), while setting
CheckHostIP is merely evil. OTOH setting HostKeyAlias is exactly what is
needed here, and isn't evil at all.
--
(\___(\___(\______ --=> 8-) EHM <=-- ______/)___/)___/)
\BS ( | EHeM at gremlin.m5p.com PGP 8881EF59 | ) /
\_CS\ | _____ -O #include <stddisclaimer.h> O- _____ | / _/
\___\_|_/82 04 A1 3C C7 B1 37 2A*E3 6E 84 DA 97 4C 40 E6\_|_/___/
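
The HostKeyAlias approach discussed in this thread, written out as a ~/.ssh/config fragment. This is an added example, not part of the original post; the gateway name gw.example.org, the forwarded ports, the Host nicknames and the second internal address are assumptions made for illustration.

```sshconfig
# Constructed scenario: two machines behind one NAT gateway, each reached
# through a different forwarded port on the gateway's public name.
# gw.example.org, ports 2212/2213, the nicknames and 192.168.1.13 are
# assumed values; 192.168.1.12 is the address used in the thread.

Host inside12
    HostName gw.example.org
    Port 2212
    # Store and look up this machine's host key in known_hosts under its
    # own name rather than under the gateway's name.
    HostKeyAlias 192.168.1.12
    # Leave host key verification on: unknown keys prompt, changed keys fail.
    StrictHostKeyChecking ask

Host inside13
    HostName gw.example.org
    Port 2213
    HostKeyAlias 192.168.1.13
    StrictHostKeyChecking ask

# The setting the thread warns against, shown commented out for contrast:
# it accepts unknown host keys without asking, which removes the check
# that protects the first connection from a man-in-the-middle.
#
# Host inside12
#     HostName gw.example.org
#     Port 2212
#     StrictHostKeyChecking no
```

With this in place, `ssh inside12` and `ssh inside13` each verify against their own known_hosts entry, so neither triggers a changed-key warning because of the other.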