Re: SSH Authenticity Messages... Disable/




----- "Filipe Brandenburger" <filbranden@xxxxxxxxx> wrote:
> Hi,
> 
> On Mon, Jun 29, 2009 at 11:57, Tim Nelson<tnelson@xxxxxxxxxxxxx>
> wrote:
> > I connect to a very large number of new machines with a handful of
> > my CentOS boxen. Whenever I connect to a new host, I *REALLY* would
> > like to *NOT* see the error message such as this:
> > The authenticity of host 'w.x.y.z (w.x.y.z)' can't be established.
> > RSA key fingerprint is 62:7a:6c:e5:03:f5:47:be:23:a5:c5:e5:c3:60:9b:8d.
> > Are you sure you want to continue connecting (yes/no)? yes
> > Also, some of these systems are being set up with an automated login
> > system via SSH keys which means I have to manually log in to each of
> > the boxes before the automated scripting will work just to clear the
> > 'authenticity' error.
> > Is there a way to disable this error/authenticity check globally for
> > a system? I understand it may not be the best practice in terms of
> > security, but for an internal trusted host, I have no reservations
> > making this change.
> 
> Yes,
> 
> You can do it for one session only (which is convenient for a script)
> like this:
> 
> $ ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
> ...
> 
> If you want to do that permanently, you can add the last two options to
> /etc/ssh/ssh_config, like this:
> 
>     UserKnownHostsFile /dev/null
>     StrictHostKeyChecking no
> 
> But I don't think you can get the same as the "-q" does, which
> suppresses the "Adding key to file..." text on the first login.
> 
> In any case, I don't think you should do it globally, but do it using
> the long command line on your script only.
> 
> I also create a bash alias "qssh" which calls ssh with those options,
> which is handy when I'm trying to connect to a machine that I know
> will get reinstalled many times (and thus have its private key
> changed) and I really don't want to store it in my
> ~/.ssh/known_hosts.
> 
> HTH,
> Filipe
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos


Thank you everyone for the helpful suggestions. I'm entirely unsure why I didn't come across these options during my 'man ssh' and obligatory Googling... Maybe it was because there were no pointing fingers or large blinking arrows to point the way. :-)

--Tim
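
An added example, not part of the original thread: a small audit that reports where an ssh client config sets the two options discussed above (`StrictHostKeyChecking no` and `UserKnownHostsFile /dev/null`) and which `Host` block each applies to, so a per-host exception can be told apart from a global one. The function names `audit_ssh_config` and `sample_config` and the sample configuration are constructed for illustration; the script does not follow `Include` directives or inspect `-o` options passed on a command line.

```sh
#!/bin/sh
# Added example (not from the thread): report ssh client config lines that
# turn off host key verification, with the Host block they apply to.

audit_ssh_config() {   # $1 = path to an ssh_config-style file
    awk -v file="$1" '
    BEGIN { scope = "(global)" }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next          # blank line or comment
        if (!match(line, /^[A-Za-z]+/)) next         # no keyword on this line
        key  = tolower(substr(line, 1, RLENGTH))     # keywords are case-insensitive
        rest = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", rest)             # "Key value", "Key=value", "Key = value"
        split(rest, f, /[ \t]+/); val = f[1]         # first argument only
        gsub(/"/, "", val)
        if (key == "host" || key == "match") { scope = line; next }
        if (key == "stricthostkeychecking" && tolower(val) ~ /^(no|off)$/)
            printf "%s:%d:%s:StrictHostKeyChecking %s\n", file, NR, scope, val
        if (key == "userknownhostsfile" && val == "/dev/null")
            printf "%s:%d:%s:UserKnownHostsFile %s\n", file, NR, scope, val
    }' "$1"
}

sample_config() {      # constructed sample input, not a real configuration
    cat <<'EOF'
# constructed sample
Host *.lab.example
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
Host bastion
    stricthostkeychecking = OFF
    # StrictHostKeyChecking no
Host prod-*
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_ssh_config "$tmp"
rm -f "$tmp"
```

Each output line has the form `file:line:scope:setting`; a scope of `(global)` means the setting sits outside any `Host` or `Match` block and applies to every connection.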