On Mon, 3 Apr 2006, J Cruit wrote:
> The problem with this is they all point back to the same IP address
> which means that to your NAT device they all look the same and it can
> only route that port 22 connection into one inside box. You could use
> different port numbers for each and just set your client to use those
> other ports, in fact if you change them all from 22 then you also stop
> getting those annoying brute force attempts. So change them to
> something like 2222, 2223, 2224 or whatever you feel like, it's your network.
>
> Fun idea for some coding though, give SSH the ability to see the
> hostname that was connected to and route it to the appropriate box
> similar to the Apache method for hosting multiple web sites.
I think that'd require the SSH client to pass the hostname it was trying
to connect to in plaintext before SSL negotiation, as it hasn't yet
ascertained the destination machine's SSL keys.
Instead, I'd go with the oft-suggested (and your first suggestion)
"redirect an alternate port to each internal machine" suggestion, but with
an extra spin...so long as you control the ~/.ssh/config (or similar) on
the external client machine. Just add:
Host router.mydomain.net
    Port 2222
    CheckHostIP no
Host box1.mydomain.net
    Port 2223
    CheckHostIP no
Host box2.mydomain.net
    Port 2224
    CheckHostIP no
...etc.
Then when you ssh to box2.mydomain.net, it goes to port 2224
automagically, and (as I recall, based on the CheckHostIP option) doesn't
nag you about the key not matching the one known for the IP (which may be
the router or box1's).
No SSH software mangling required.
Of course, there are other methods available (i.e., VPN) if you have
fine-grained control over the remote client (your laptop, for instance),
but that's slightly more involved.
Jima
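An added example (not from Jima's mail, and not part of any project) that generates the per-host stanzas described above from a host/port table and then resolves a hostname to its port the way ssh's first-matching-Host rule does; the hostnames and ports are constructed for illustration.

```shell
#!/bin/sh
# Added example: build ssh_config stanzas for boxes sitting behind one NAT
# address, each reached on its own forwarded port, then look a port up the
# way ssh would (the first matching "Host" block sets Port; later blocks
# cannot override it). Only exact Host names are handled, not wildcards.
set -eu

# Constructed mapping: "hostname port" pairs, one per line.
HOST_PORTS='router.mydomain.net 2222
box1.mydomain.net 2223
box2.mydomain.net 2224'

# Emit one stanza per host. All of them share the router's public IP, so
# "CheckHostIP no" keeps ssh from warning that the key seen for that IP
# differs from box to box; host keys are still checked by hostname.
gen_config() {
    printf '%s\n' "$HOST_PORTS" | while read -r host port; do
        printf 'Host %s\n    Port %s\n    CheckHostIP no\n\n' "$host" "$port"
    done
}

# Print the port a config file assigns to a hostname (22 if none).
# Arguments: hostname, path to the ssh_config-style file.
port_for() {
    awk -v want="$1" '
        $1 == "Host" { in_block = ($2 == want); next }
        in_block && $1 == "Port" && port == "" { port = $2 }
        END { print (port == "" ? 22 : port) }
    ' "$2"
}

CONFIG_FILE=$(mktemp)
trap 'rm -f "$CONFIG_FILE"' EXIT
gen_config > "$CONFIG_FILE"
port_for box2.mydomain.net "$CONFIG_FILE"   # prints 2224
```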