[rescue] SSH through firewall
Kurt Mosiejczuk
rescue at sunhelp.org
Wed Dec 12 12:16:09 CST 2001
On Wed, 12 Dec 2001, Scott Newell wrote:
> >I'm no expert, but wouldn't that weaken SSH? The host key is God.
> Would it? Instead of always assuming that host secure.net has key #1,
> you'd still check to be sure that:
> host secure.net on port 22 has key #1
> host secure.net on port 1022 has key #2
> host secure.net on port 2022 has key #3
> host secure.net on port 3022 has key #4
> Multiple keys per host, but each key is associated with that host _and_
> port number. Or does this scheme leave a big hole for a man-in-the-middle
> attack?
Wouldn't coupling this weaken the ability of SSH to work out through
NAT (technically NPAT)? The port changes through NAT/Masquerading, and
that might cause other problems. I appreciate the fact that SSH works
through a firewall; protocols that don't work through NAT can be a real
pain.
Now, granted, I'm not positive that SSH uses the host keys on the client
end that way....
--Kurt
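
The host-and-port pinning scheme discussed in this thread, as an added example that is not part of the original messages: OpenSSH's known_hosts file writes a non-default port as `[host]:port`, and the sketch below checks a presented key against entries of that form. The key blobs and the function names are constructed for illustration.

```python
# Added illustration: pin host keys per (host, port), known_hosts style.
# The entries and key blobs are constructed sample data, not real keys.
KNOWN_HOSTS = """\
# one key per port on the same host, as in the quoted proposal
secure.net ssh-rsa AAAAB3NzaC1yc2E_KEY1
[secure.net]:1022 ssh-rsa AAAAB3NzaC1yc2E_KEY2
[secure.net]:2022 ssh-rsa AAAAB3NzaC1yc2E_KEY3
[secure.net]:3022 ssh-rsa AAAAB3NzaC1yc2E_KEY4
"""


def parse_pattern(pattern):
    """Split one host pattern into (host, port); a bare name means port 22."""
    if pattern.startswith("["):
        host, sep, port = pattern[1:].partition("]:")
        if not sep or not port.isdigit():
            raise ValueError("malformed [host]:port pattern: %r" % pattern)
        return host.lower(), int(port)
    return pattern.lower(), 22


def load_pins(text):
    """Build {(host, port): {(keytype, blob), ...}} from known_hosts text."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        # Comments, @markers and hashed (|1|...) names are skipped here.
        if not line or line.startswith(("#", "@", "|")):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        patterns, keytype, blob = fields[:3]
        for pattern in patterns.split(","):
            pins.setdefault(parse_pattern(pattern), set()).add((keytype, blob))
    return pins


def check_host_key(pins, host, port, keytype, blob):
    """host and port are the destination the client dialled.

    Returns 'match', 'mismatch' (key differs from the pin) or 'unknown'.
    """
    known = pins.get((host.lower(), port))
    if known is None:
        return "unknown"
    return "match" if (keytype, blob) in known else "mismatch"
```
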