On Fri, 27 Aug 2010, Rahul Nabar wrote:
Whenever I re-install a server ssh issues a warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f1:7c:70:31:8f:2a:da:eb:21:37:e9:1a:6c:3d:d4:7a.
Please contact your system administrator.
Add correct host key in /home/foo/.ssh/known_hosts to get rid of this message.
Offending key in /home/foo/.ssh/known_hosts:218
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.

But these are local compute-nodes in a cluster so that warning is quite superfluous. In order to suppress this ssh warning I trick ssh by this hack:

cat ~foo/.ssh/config
host local_server_name*
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

But I still get ssh going through the unnecessary step where it still adds to the non-existent known_hosts file.

Warning: Permanently added 'eu003,10.0.0.3' (RSA) to the list of known hosts.
Warning: Permanently added 'eu004,10.0.0.4' (RSA) to the list of known hosts.
[snip]

This does add an overhead at startup of jobs that ssh to multiple servers. Is there a better way out to completely suppress remote host identification checks?
Yes. Once you've built a server, zip up the files /etc/ssh/ssh_host_* and copy them off to your build server with the name of the server as the zip's file name. When you rebuild, make part of the post install process copying the zip back and unzipping it in the freshly created /etc/ssh/. That way that server will always have the same host keys.
Ben
--
Unix Support, MISD, University of Cambridge, England
Plugger of wire, typer of keyboard, imparter of Clue
Life Is Short. It's All Good.
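The save-and-restore procedure described in the reply above, as an added example that is not part of the original message. It uses tar where the reply says zip, and the script name hostkeys.sh, the archive directory argument and the per-host archive name are assumptions; the archive holds private host keys, so it is written owner-only and restore accepts only ssh_host_* members.

```shell
#!/bin/sh
# Added example, not from the thread. tar stands in for zip.
# Hypothetical script name: hostkeys.sh. All paths are assumptions.

# save_host_keys SSH_DIR ARCHIVE_DIR HOST   (ARCHIVE_DIR must be absolute)
save_host_keys() {
    ssh_dir=$1 archive_dir=$2 host=$3
    ( umask 077                          # archive contains private keys
      cd "$ssh_dir" || exit 1
      # Fail rather than write an empty archive when no keys exist.
      ls ssh_host_* >/dev/null 2>&1 || exit 1
      tar -cf "$archive_dir/$host.tar" ssh_host_* )
}

# restore_host_keys SSH_DIR ARCHIVE_DIR HOST
restore_host_keys() {
    ssh_dir=$1 archive_dir=$2 host=$3
    archive="$archive_dir/$host.tar"
    [ -f "$archive" ] || { echo "no saved keys for $host" >&2; return 1; }
    # Accept only top-level ssh_host_* members (no other files, no paths).
    if tar -tf "$archive" | grep -qv '^ssh_host_[A-Za-z0-9_.]*$'; then
        echo "unexpected member in $archive" >&2
        return 1
    fi
    tar -xf "$archive" -C "$ssh_dir" || return 1
    # Private keys must not be readable by other users; public keys may be.
    for f in "$ssh_dir"/ssh_host_*; do
        case $f in
            *.pub) chmod 644 "$f" ;;
            *)     chmod 600 "$f" ;;
        esac
    done
}

# Usage: hostkeys.sh save|restore ARCHIVE_DIR   (acts on /etc/ssh, run as root)
case ${1:-} in
    save)    save_host_keys /etc/ssh "$2" "$(hostname -s)" ;;
    restore) restore_host_keys /etc/ssh "$2" "$(hostname -s)" ;;
esac
```

Run the restore step in post-install before sshd first starts, so the daemon never generates and presents a fresh key.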