Hi, I have a Linksys WRT54G router with 3 clients:
a FC3 laptop (wireless), a FC4 desktop (wireless), and a RH9 box
sitting next to the router and connected via Ethernet wire into the
router's built in switch.

When I SSH between the wireless laptop and desktop, the 'last login from'
message correctly displays the IP address of the connecting computer.
However when I SSH the wired RH9 box from my wireless computers, it always says that the last
login came from 192.168.2.1 (the router).

This causes a problem. I like to use ssh-keygen to generate public/private keys so I don't have to type passwords for SSH logins.
This would work if the computers were directly connected via crossover cable or something.
But because the computers are connecting through the router, I (this is my idea of a fix) have to
somehow generate a publickey for the router.

The router, by the way, is using alchemy firmware, so I can ssh into the router.
I tried generating a public key on the router, but that didn't work.

Any ideas of what I should do?

I guess the router makes some kind of masquerade... If you don't plan to remove it you can configure a tunnel to reach the server. Or just generate keys on the wireless machines and add an entry on the server to accept the keys, but use them for 192.168.2.1 address. You then need one pair of keys for one user on the wireless ones.

Are you sure the machines are configured correctly? It seems to me that no masquerade should be involved within the internal network. What does the 'route' command say for the machines involved?

How would I use tunneling in SSH or set up my router to masquerade?

Why don't you just generate keys and make them valid for the whole 192.168.2.0/24 network? This network could never appear in the real world side of things, so your ISP should be blocking packets (and any smart router will do the same).

Masquerading is just another word for routing. It's what routers do for a living. My PC is currently attached to a WRT54G and the route command says

% route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
default 192.168.1.254 0.0.0.0 UG 0 0 0 eth0

So any packet sent to an address 192.168.1.* should get there directly. If the address does not match this pattern the packet goes to the default address 192.168.1.254 (which is the WRT54G in this case). The router then passes it upstream to the ISP. Externally the packet appears to have come from the router. So the internal PC is hiding or 'masquerading' behind the router.

If you only have the default route then even internally it may look like all packets are coming from the router.

I only know how to use ssh-keygen to generate keypairs for a single computer, not a whole network. Could someone show me how to generate keys for my entire 192.168.2.0/255.255.255.0 network?