How to Configure SSH to Match Known Hosts by Both Host/IP and Port for Multiple Port Forwarding

When working with multiple SSH ports on the same host (common in port forwarding scenarios), older SSH versions (like those in CentOS 5.4) don't properly distinguish between different ports in the known_hosts file. Here's the technical breakdown:

# Problem scenario:
ssh host.example.com -p 2201  # Gets added to known_hosts
ssh host.example.com -p 2202  # Fails due to existing entry

The traditional known_hosts format stores entries like this:

host.example.com,192.168.1.100 ssh-rsa AAAAB3Nz...==

Modern implementations support port-specific entries by default:

[host.example.com]:2201,[192.168.1.100]:2201 ssh-rsa AAAAB3Nz...==
[host.example.com]:2202,[192.168.1.100]:2202 ssh-rsa AAAAB3Nz...==

For systems where SSH doesn't natively handle port-specific host keys, we have several approaches:

# Method 1: Update OpenSSH (recommended)
yum update openssh

# Method 2: Manual known_hosts management
ssh-keyscan -p 2201 host.example.com >> ~/.ssh/known_hosts
ssh-keyscan -p 2202 host.example.com >> ~/.ssh/known_hosts

For environments where you can't upgrade SSH, configure ~/.ssh/config:

Host host-2201
    HostName host.example.com
    Port 2201
    UserKnownHostsFile ~/.ssh/known_hosts.2201

Host host-2202
    HostName host.example.com
    Port 2202
    UserKnownHostsFile ~/.ssh/known_hosts.2202

After making changes, verify the behavior (StrictHostKeyChecking=no accepts a previously unseen key without prompting, so these commands confirm that each port resolves to its own entry, not that the keys themselves are correct):

ssh -o StrictHostKeyChecking=no -p 2201 host.example.com true
ssh -o StrictHostKeyChecking=no -p 2202 host.example.com true

When working with multiple ports:

  • Always verify host keys manually when first connecting
  • Consider using SSH host certificates instead of per-host keys
  • Maintain separate known_hosts files for different environments

When working with multiple SSH servers behind a firewall using port forwarding, you might encounter this scenario:

ssh host -p 2201
# Accept fingerprint, gets added to known_hosts
ssh host -p 2202
# Fails because same IP exists in known_hosts

This happens because older SSH versions (like CentOS 5.4's default) only match against host/IP without considering the port number.

The traditional known_hosts entry looks like:

hostname,ip ssh-rsa AAAAB3Nz...==

What we need is port-specific matching:

[hostname]:port,[ip]:port ssh-rsa AAAAB3Nz...==
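To make the matching rule behind both known_hosts layouts above concrete, here is an added Python example (not code from the original post) that performs the client-side lookup the way OpenSSH does: a bare host name is used for port 22, `[host]:port` for any other port, each comma-separated pattern is matched with `*`/`?` wildcards or `!` negation, and hashed `|1|salt|hash` entries (as written by `ssh-keygen -H`) are checked with HMAC-SHA1. The known_hosts text, salt and key strings are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re

def lookup_name(host: str, port: int) -> str:
    """Name the client looks up: the bare host for port 22, "[host]:port" otherwise."""
    return host if port == 22 else f"[{host}]:{port}"

def hashed_field(name: str, salt: bytes) -> str:
    """Hashed host field "|1|salt|HMAC-SHA1(salt, name)", the form ssh-keygen -H writes."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def glob_match(pattern: str, name: str) -> bool:
    """Host patterns: only '*' and '?' are wildcards; brackets are literal (so fnmatch is unsuitable)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name) is not None

def field_matches(field: str, name: str) -> bool:
    """Match one host field, hashed or plain, against the lookup name."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|", 3)
        want = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(digest_b64))
    return glob_match(field, name)

def find_host_key(known_hosts: str, host: str, port: int):
    """Return (keytype, key) of the first entry matching host:port, or None.
    A negated pattern (!name) in an entry's host list excludes that entry."""
    name = lookup_name(host, port)
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(("#", "@")):  # comments; @ markers not handled here
            continue
        patterns = fields[0].split(",")
        if any(p.startswith("!") and field_matches(p[1:], name) for p in patterns):
            continue
        if any(not p.startswith("!") and field_matches(p, name) for p in patterns):
            return fields[1], fields[2]
    return None

SALT = bytes(range(20))  # constructed salt for the hashed sample entry
KNOWN_HOSTS = "\n".join([  # constructed sample file; the key strings are placeholders, not real keys
    "host.example.com,192.168.1.100 ssh-rsa KEY-PORT-22",
    "[host.example.com]:2201,[192.168.1.100]:2201 ssh-rsa KEY-PORT-2201",
    "[host.example.com]:2202,[192.168.1.100]:2202 ssh-ed25519 KEY-PORT-2202",
    hashed_field("[host.example.com]:2203", SALT) + " ssh-ed25519 KEY-PORT-2203",
])

if __name__ == "__main__":
    for port in (22, 2201, 2202, 2203, 2204):
        print(port, find_host_key(KNOWN_HOSTS, "host.example.com", port))
```

Note that the plain `host.example.com` entry never matches a connection on port 2201: that is why each forwarded port needs its own `[host]:port` line.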

For newer SSH clients (OpenSSH 7.0+), this works automatically. For older versions, we need workarounds:

Option 1: Upgrade Your SSH Client

# For CentOS/RHEL:
sudo yum update openssh-clients

Option 2: Manual known_hosts Management

Edit your known_hosts file to include port numbers:

# For host:2201
[host]:2201,[ip]:2201 ssh-rsa AAAAB3Nz...==
# For host:2202
[host]:2202,[ip]:2202 ssh-rsa AAAAB3Nz...==

Option 3: Use Separate SSH Configs

Create different configurations in ~/.ssh/config:

Host host-2201
    HostName host
    Port 2201
    UserKnownHostsFile ~/.ssh/known_hosts_2201

Host host-2202
    HostName host
    Port 2202
    UserKnownHostsFile ~/.ssh/known_hosts_2202

After implementation, test with:

ssh -v host -p 2201
ssh -v host -p 2202

Check the debug output (-v) to confirm SSH is using the correct host key for each port.

If you control the SSH servers, consider using different hostnames:

ssh host-2201 -p 2201
ssh host-2202 -p 2202

This creates naturally distinct entries in known_hosts.