
SSH on Linux: Disabling host key checking for hosts on local subnet (known_hosts)

Developer https://www.devze.com 2022-12-10 03:08 Source: web

I work on a network where the systems at an IP address will change frequently. They are moved on and off the workbench and DHCP determines the IP they get.

It doesn't seem straightforward how to disable host key caching/checking so that I don't have to edit ~/.ssh/known_hosts every time I need to connect to a system.

I don't care about the host authenticity, they are all on the 10.x.x.x network segment and I'm relatively certain that nobody is MITM'ing me.

Is there a "proper" way to do this? I don't care if it warns me, but halting and causing me to flush my known_hosts entry for that IP every time is annoying and in this scenario it does not really provide any security because I rarely connect to the systems more than once or twice and then the IP is given to another system.

I looked in the ssh_config file and saw that I can set up groups so that the security of connecting to external machines could be preserved and I could just ignore checking for local addresses. This would be optimal.

From searching I have found some very strong opinions on the matter, ranging from "Don't mess with it, it is for security, just deal with it" to "This is the stupidest thing I have ever had to deal with, I just want to turn it off" ... I'm somewhere in the middle. I just want to be able to do my job without having to purge an address from the file every few minutes.

Thanks.


This is the configuration I use for our ever-changing EC2 hosts:

maxim@maxim-desktop:~$ cat ~/.ssh/config 
Host *amazonaws.com
        IdentityFile ~/.ssh/keypair1-openssh
        IdentityFile ~/.ssh/keypair2-openssh
        User ubuntu
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null

This disables host confirmation (StrictHostKeyChecking no) and also uses a nice hack to prevent ssh from saving the host identity to a persistent file (UserKnownHostsFile /dev/null). Note that as an added value I've added the default user with which to connect to the host and the option to try several different identity private keys.


Assuming you're using OpenSSH, I believe you can set the

CheckHostIP no

option to prevent host IPs from being checked in known_hosts. From the man page:

CheckHostIP

If this flag is set to 'yes', ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to 'no', the check will not be executed. The default is 'yes'.


This took me a while to find. The most common use-case I've seen is when you've got SSH tunnels to remote networks. All the solutions here produced warnings which broke my Nagios scripts.

The option I needed was:

NoHostAuthenticationForLocalhost yes

Which, as the name suggests, only applies to localhost.


  1. Edit your ~/.ssh/config

nano ~/.ssh/config (if there wasn't one already, don't worry, nano will create a new file)

  2. Add the following config:
Host 192.168.*
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
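The "groups" idea from the question in practice, as an added example that is not from this thread: a small Python model of how OpenSSH resolves Host blocks (the first obtained value for an option wins, and a negated pattern vetoes the whole Host line) against a constructed ~/.ssh/config that relaxes checking only for the 10.x.x.x workbench segment. The config, hostnames and defaults are assumptions for the demo; on a real machine `ssh -G <host>` prints the values OpenSSH itself resolves.

```python
import re
# Constructed sample ~/.ssh/config (not from the thread): relax host-key checking
# only for the 10.x.x.x workbench segment, keep OpenSSH defaults everywhere else.
SAMPLE_CONFIG = """
Host 10.* 192.168.*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
Host *.example.com !build-*.example.com
    StrictHostKeyChecking yes
Host *
    User ubuntu
"""
# ssh_config(5) defaults for the two options the thread is about.
DEFAULTS = {"stricthostkeychecking": "ask", "userknownhostsfile": "~/.ssh/known_hosts"}

def parse_config(text):
    """Split the file into (host patterns, {option: value}) blocks in file order."""
    blocks = [(["*"], {})]                        # options before any Host line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value inside a block wins
    return blocks

def pattern_matches(pattern, host):
    # ssh_config wildcards: '*' matches any run, '?' one character; no [] classes.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def host_block_applies(patterns, host):
    negated = [p for p in patterns if p.startswith("!")]
    if any(pattern_matches(p[1:], host) for p in negated):
        return False                              # a negated match vetoes the whole line
    return any(pattern_matches(p, host) for p in patterns if not p.startswith("!"))

def effective_option(blocks, host, option):
    """Resolve like ssh does: the first obtained value for an option is used."""
    option = option.lower()
    for patterns, opts in blocks:
        if option in opts and host_block_applies(patterns, host):
            return opts[option]
    return DEFAULTS.get(option, "")
```

Host patterns are matched against the name exactly as typed on the command line, so `10.*` only applies when you connect by IP, which is the asker's situation; a hostname that resolves to 10.x would not match it.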


If you want to disable this temporarily or without needing to change your SSH configuration files, you can use:

ssh -o UserKnownHostsFile=/dev/null username@hostname


Since every other answer explains how to disable the key checking, here are two ideas that preserve the key checking, but avoid the problem:

  1. Use hostnames. This is easy if you control the DHCP server and can assign proper names. After that you can just use the known hostnames; the changing IPs don't matter.

  2. Use hostnames. Even if you don't control the DHCP server, you can use a service like avahi, which will broadcast the name of the server in our local network. It takes care of solving collisions and other issues.

  3. Use host key signing. After you build a machine, sign it with a local CA (you don't need a globally trusted CA for that). After that, you don't need to trust each host separately on your machine. It's enough that you trust the signing CA in the known_hosts file. More information in the ssh-keygen man page or at many blog posts (https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu)
