Hi everyone.
I own a Netgate S1100 and love it! I am currently using HAProxy to route outside SSH connections to my home network hosts via TLS (port 443) using the SNI TLS extension.
Therefore, the SSH connection goes to `external.domain.com:443`, utilizing the SNI field, which tells which internal host to route the SSH connection to. This way I can expose only one port, 443, to the internet in order to connect to any of the internal backends (my home network hosts) via HTTPS or SSH without exposing individual SSH ports for each host to the world.
All works fine except for the fact that whenever I connect to a different internal host (specifying a different SNI), I receive a TOFU message from OpenSSH:
```sh
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
...
```
Configure SSHD to use HostCertificate in pfsense?
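An added client-side example, not part of the original post: when every backend is reached as `external.domain.com:443`, OpenSSH stores all their host keys under the single `known_hosts` name `[external.domain.com]:443`, so each different backend looks like a changed key. It assumes the TLS tunnel is opened with `openssl s_client` as the `ProxyCommand`; the aliases `nas`/`pi` and the SNI names `nas.internal`/`pi.internal` are hypothetical.

```sshconfig
# ~/.ssh/config (constructed example; host aliases and SNI names are hypothetical)

# Before: no HostKeyAlias. Both entries are checked against the same
# known_hosts name, [external.domain.com]:443, so whichever backend is
# contacted second presents a "changed" host key.
#
# Host nas
#     HostName external.domain.com
#     Port 443
#     ProxyCommand openssl s_client -quiet -connect %h:%p -servername nas.internal
#
# Host pi
#     HostName external.domain.com
#     Port 443
#     ProxyCommand openssl s_client -quiet -connect %h:%p -servername pi.internal

# After: HostKeyAlias gives each backend its own known_hosts entry, so each
# host key is pinned separately and a real key change is still reported.
Host nas
    HostName external.domain.com
    Port 443
    HostKeyAlias nas.internal
    # %h and %p expand to HostName and Port; -servername sets the SNI value
    ProxyCommand openssl s_client -quiet -connect %h:%p -servername nas.internal

Host pi
    HostName external.domain.com
    Port 443
    HostKeyAlias pi.internal
    ProxyCommand openssl s_client -quiet -connect %h:%p -servername pi.internal
```

`HostKeyAlias` is also the name OpenSSH uses when validating host certificates, so the same aliases apply if the backends are later given a `HostCertificate`.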