Re: Alternative to -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ?

Maybe you are misunderstanding how this works and what it is supposed to do....

If you do allow it to save to a real known_hosts file it should no longer ask you or warn you about "man in the middle" attacks because you do have "StrictHostKeyChecking=no".  The whole purpose of that is to warn you when a host has changed and there is a possible "man in the middle" attack.

I do not know of a way to avoid that initial adding to the "known_hosts" file.  But if you allow it to save to a regular known_hosts file, you should only have to hit (y) 1 time to add that initial known_hosts signature and that is it.  So, even if the host changes, it won't matter.  It shouldn't prompt you to add it again or warn you that it has changed since you have "StrictHostKeyChecking=no".

Hope that helps...


Brian



----- Original Message -----
From: "\"Peter Valdemar Mørch (Lists)\"" <4ux6as402@xxxxxxxxxxxxxx>
To: secureshell@xxxxxxxxxxxxxxxxx
Sent: Tuesday, March 3, 2009 10:04:10 AM GMT -05:00 US/Canada Eastern
Subject: Alternative to -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ?

Question
--------

I often know and accept that portX on serverY is not the same as it was 
10 minutes ago. Therefore I don't want to use ~/.ssh/known_hosts. So
I use "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null 
-p portX serverY" but it is very lengthy to type and always yields this 
message:

Warning: Permanently added '<host>,<ip>' (RSA) to the list of known hosts

where 'list of known hosts' presumably is /dev/null.

Is there a better way to suppress using host keys? I wish there was a 
--no-hostkeys or similar option to do this.

If not, is there a way to avoid the above warning? It is misleading, and 
I prefer not to train myself to avoid warnings.

(Yes, there are security problems when not using host keys. I know.)

I've tried to search the mailing list, but
http://marc.info/?l=secure-shell&w=2&r=1&s=stricthostkeychecking&q=b
shows some really weird results (try it!)

Further background
------------------

- We're on a LAN where our DHCP server is messed up. And corporate 
wisdom dictates that it isn't worth it to ensure that hosts get the same 
IP address at every reboot. We have to deal with it.

- We use port forwarding a lot, so port 2223 on serverX is forwarded to 
a particular host right now, but a different one in 10 minutes. That is 
reality for us.

- Also, we often test fresh installations, where each test involves 
installation of the ssh package and hence the host keys differ from test 
to test.

From a security standpoint an easy option to disable host keys when we
*know* they won't work is better than putting the 
StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null in 
~/.ssh/config and then teaching the eye not to see the "Warning: 
Permanently added..." message, isn't it?

Peter
-- 
Peter Valdemar Mørch
http://www.morch.com
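
An added example, not part of either message above: the question mentions putting the two options in ~/.ssh/config, so this Python script audits ssh_config text and reports which Host blocks switch host key checking off and whether that applies to all hosts or only to named ones. The sample configs and the `lab-forward` alias are constructed, and it assumes a config made of Host blocks only (no Match or Include).

```python
import re

# Constructed sample configs (not from the thread). "lab-forward" is a made-up alias;
# serverY and port 2223 are the placeholders used in the original question.
BROAD = """\
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
"""
SCOPED = """\
Host lab-forward
    HostName serverY
    Port 2223
    StrictHostKeyChecking=no
    UserKnownHostsFile=/dev/null
Host *
    StrictHostKeyChecking ask
"""

def parse_blocks(text):
    """Split ssh_config text into (patterns, options); assumes Host blocks only."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # keep the first value seen in a block
    return blocks

def audit(text):
    """Return (host patterns, scope, checking_off, keys_discarded) per weakened block."""
    findings = []
    for patterns, opts in parse_blocks(text):
        checking_off = opts.get("stricthostkeychecking", "").lower() in ("no", "off")
        keys_discarded = opts.get("userknownhostsfile") == "/dev/null"
        if checking_off or keys_discarded:
            wide = any(c in p for p in patterns for c in "*?")
            findings.append((" ".join(patterns), "all hosts" if wide else "scoped",
                             checking_off, keys_discarded))
    return findings
```

Running `audit` over a real config shows at a glance whether the weakened settings are confined to the throwaway test targets or have leaked into a wildcard block that also covers long-lived hosts.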

