On Fri, Mar 15, 2019 at 7:49 PM David Newall <openssh@xxxxxxxxxxxxxxx> wrote: > On 16/3/19 5:46 am, Jeremy Lin wrote: > > On Fri, Mar 15, 2019 at 2:37 AM David Newall <openssh@xxxxxxxxxxxxxxx> > wrote: > >> On 03/15/2019 12:49 AM, Jeremy Lin wrote: > >>> [...] connecting to hosts where the host key > >>> changes frequently. I realize this is a fairly niche use case [...] > >> Doesn't StrictHostKeyChecking=no do what is wanted? > > None of the StrictHostKeyChecking options currently allow you to use > > password auth if the host key has changed. The only way we can log > > into a reimaged device is to use the initial default username and > > password. > > I suspect you have left out some important details, because setting > StrictHostKeyChecking to off does allow use of password authentication. > In fact, you say that you can use the default username and password, > hence why I think you've left out important detail. > > I'm using Ubuntu and it's possible they added a patch that makes this > work, but, quick perusal of debian/patches shows nothing that suggests > such a change. > > $ ssh example.com > The authenticity of host 'example.com (203.0.113.80)' can't be > established. > ECDSA key fingerprint is > SHA256:62i5qiSlaACj1MmjPwpXNIZaPqyMwtBoWhSoK8Z8x8E. > Are you sure you want to continue connecting (yes/no)? ^C > $ ssh -oStrictHostKeyChecking=off example.com > Warning: Permanently added 'example.com,203.0.113.80' (ECDSA) to > the list of known hosts. > user@xxxxxxxxxxx's password: > Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-142-generic x86_64) > > * Documentation: https://help.ubuntu.com > * Management: https://landscape.canonical.com > * Support: https://ubuntu.com/advantage > > Last login: Thu Mar 14 23:38:13 2019 from 198.51.100.12 > user@xxxxxxxxxxx:~$ > > Are you wanting to use host-based authentication in the normal case, > falling back to password if the host's key has changed? > I mentioned "if the host key has changed". If you had answered "yes" in the first invocation, and proceeded to regenerate the host keypair on example.com, then the second invocation would not have allowed you to enter a password. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev