Friday, July 22, 2011

Disabling ssh host key checking

Note: this post describes how to disable a security feature. Unless you know why you're doing this, better don't do it.

The testboxes I have need to boot a variety of different operating systems and OS versions, usally from USB disks. Each OS has different ssh host keys, so all-too-frequently I got this error when trying to ssh in:

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

Deleting the old key from $HOME/.ssh/known_hosts and re-trying fixes the issue - until the next reboot into a different system.

Now, while I'm sure there's a way to share host keys between installs some of those systems are very short-lived only. So I needed something for my main box (where I ssh from).

A while ago I found the magic recipe. Pop this into your $HOME/.ssh/config:

UserKnownHostsFile /dev/null
StrictHostKeyChecking no

And what that does is nicely explained in ssh_config(5):

Specifies a file to use for the user host key database instead of ~/.ssh/known_hosts.

If this flag is set to “no”, ssh will automatically add new
host keys to the user known hosts files. If this flag is set
to “ask”, new host keys will be added to the user known host
files only after the user has confirmed that is what they
really want to do, and ssh will refuse to connect to hosts
whose host key has changed. The host keys of known hosts will
be verified automatically in all cases. The argument must be
“yes”, “no”, or “ask”. The default is “ask”.

The combination of /dev/null and "no" to key checks means that ssh will automatically add new hosts. But the host key will be saved in /dev/null, so next time it's like ssh connects to a new unknown host.

Problem solved, though in your own interest you should keep the Host definition as narrow as possible. Host key checking exists for a reason.


Linulin said...

Thanks for UserKnownHostsFile trick which I'm adding to my nssh alias:

alias nssh='ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'

Alias is more convenient when target IPs change frequently as well.

Anonymous said...

if Avahi is installed, and each testbox has a different hostname, you can connect to hostname.local.

You'll get a warning when it checks the IP address, but it will still connect.

Nico said...

I've two aliases for this:

alias scp_nocheck='scp -o '\''StrictHostKeyChecking no'\'' -o '\''CheckHostIP no'\'' -o '\''HashKnownHosts no'\'' -o '\''UserKnownHostsFile /dev/null'\'''
alias ssh_nocheck='ssh -o '\''StrictHostKeyChecking no'\'' -o '\''CheckHostIP no'\'' -o '\''HashKnownHosts no'\'' -o '\''UserKnownHostsFile /dev/null'\'''