Re: Alternative to -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ?

Thanks for your response.

Brian Torbich btorbich-at-voicemarketing.net |Lists| wrote:
> Maybe you are misunderstanding how this works and what it is supposed
> to do....

Perhaps. And perhaps you are misunderstanding my question.

> If you do allow it to save to a real known_hosts file it should no
> longer ask you or warn you about "man in the middle" attacks because
> you do have "StrictHostKeyChecking=no".  The whole purpose of that
> check is to warn you when a host has changed and there is a
> possible "man in the middle" attack.
>
> I do not know of a way to avoid that initial adding to the
> "known_hosts" file.  But if you allow it to save to a regular
> known_hosts file, you should only have to hit (y) 1 time to add that
> initial known_hosts signature and that is it.  So, even if the host
> changes, it won't matter.  It shouldn't prompt you again to add it
> again or warn you that it has changed since you have
> "StrictHostKeyChecking=no".

For the fun of it, I edited my regular ~/.ssh/known_hosts file, and assigned a wrong fingerprint to a host.

Running with "StrictHostKeyChecking=no" only gets me 24 lines of warning output containing

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

and especially:

Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Agent forwarding is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.

So it *does* actually log in, but uhm, the output is much worse than the one warning I now get, and this is not what I want. I would like to gracefully disable key checking entirely so I get zero lines of warnings.

Peter
--
Peter Valdemar Mørch
http://www.morch.com
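The alternative to the two options in the subject line, as an added example that is not part of the thread: keep checking on, but point ssh at a dedicated known_hosts file that holds a key obtained out of band, so there is no prompt and no "Permanently added" notice, while a changed key still fails. Assumptions: POSIX sh, an OpenSSH client, and the PINNED_HOSTS path and function names are hypothetical.

```shell
#!/bin/sh
# Pin host keys in a dedicated file and connect with strict checking.
# Assumed path; entries use plain hostnames (not hashed, no "host,ip" form).
PINNED_HOSTS="${PINNED_HOSTS:-$HOME/.ssh/known_hosts.pinned}"

# pin_host HOST KEYTYPE BASE64KEY
# Record a key taken from the server's ssh_host_*_key.pub (or the
# provisioning system). Idempotent: a line already present is not repeated.
pin_host() {
    host=$1; ktype=$2; key=$3
    line="$host $ktype $key"
    mkdir -p "$(dirname "$PINNED_HOSTS")"
    touch "$PINNED_HOSTS"
    chmod 600 "$PINNED_HOSTS"
    grep -qxF -- "$line" "$PINNED_HOSTS" || printf '%s\n' "$line" >> "$PINNED_HOSTS"
}

# host_pinned HOST: succeeds only if HOST has an entry in the pinned file.
host_pinned() {
    [ -r "$PINNED_HOSTS" ] &&
        awk -v h="$1" '$1 == h { found = 1 } END { exit !found }' "$PINNED_HOSTS"
}

# Options that keep checking on, ignore ~/.ssh/known_hosts, and silence
# the informational "Permanently added" line. A key mismatch is still an
# error: ssh refuses to connect instead of logging in with reduced auth.
ssh_strict_opts() {
    printf '%s' "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$PINNED_HOSTS -o LogLevel=ERROR"
}

# pinned_ssh HOST [CMD...]: fail closed for hosts that were never pinned.
pinned_ssh() {
    host=$1; shift
    if ! host_pinned "$host"; then
        echo "refusing: no pinned key for $host" >&2
        return 2
    fi
    # Word splitting of the option string is intended here.
    ssh $(ssh_strict_opts) "$host" "$@"
}
```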
