Re: Alternative to -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ?



(answers assume OpenSSH, since that's what the options look like.)

Peter Valdemar Mørch (Lists) wrote:
> Question
> --------
>
> I often know and accept that portX on serverY is not the same as it was 10 minutes ago. Therefore I don't want to use ~/.ssh/known_hosts. So
> I use "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p portX serverY" but it is very lengthy to type and always yields this message:
>
> Warning: Permanently added '<host>,<ip>' (RSA) to the list of known hosts
>
> where 'list of known hosts' presumably is /dev/null.
>
> Is there a better way to suppress using host keys? I wish there was a --no-hostkeys or similar option to do this.
>
> If not, is there a way to avoid the above warning? It is misleading, and I prefer not to train myself to avoid warnings.

You could use LogLevel quiet.

> (Yes, there are security problems when not using host keys. I know.)
>
> I've tried to search the mailing list, but
> http://marc.info/?l=secure-shell&w=2&r=1&s=stricthostkeychecking&q=b
> shows some really weird results (try it!)
>
> Further background
> ------------------
>
> - We're on a LAN where our DHCP server is messed up. And corporate wisdom dictates that it isn't worth it to ensure that hosts get the same IP address at every reboot. We have to deal with it.
>
> - We use port forwarding a lot, so port 2223 on serverX is forwarded to a particular host right now, but a different one in 10 minutes. That is reality for us.

For this one you can use "HostKeyAlias serverX" and "CheckHostIP no".

> - Also, we often test fresh installations, where each test involves installation of the ssh package and hence the host keys differ from test to test.

This one is not so easy to handle automatically, since it's pretty much indistinguishable from a MITM attack.

You could use ssh-keygen -R [machine you just reinstalled] or the StrictHostKeyChecking / UserKnownHostsFile / LogLevel combination described above only for the install-test machines.

> From a security standpoint an easy option to disable host keys when we
> *know* they won't work is better than putting the StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null in ~/.ssh/config and then teaching the eye not to see the "Warning: Permanently added..." message, isn't it?
>
> Peter

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
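
The three suggestions above (HostKeyAlias plus CheckHostIP for the forwarded ports, and the StrictHostKeyChecking / UserKnownHostsFile / LogLevel combination confined to the reinstall-test machines) fit into one ~/.ssh/config. The fragment below is an added example, not configuration from either message; the host names serverX, hostA, hostB and the test-* pattern are placeholders I chose to illustrate it.

```sshconfig
# ~/.ssh/config (added example; serverX, hostA, hostB and test-* are
# placeholder names, not from the thread)

# Forwarded ports: serverX:2223 currently reaches hostA, later hostB.
# Without an alias OpenSSH keys the known_hosts entry as [serverX]:2223,
# so every switch of the backend looks like a changed host key.  Naming
# the stanza after the real backend and storing its key under that name
# (HostKeyAlias) lets the entry follow the backend instead of the port.
# CheckHostIP no stops ssh from also learning and comparing serverX's
# IP, which on a broken DHCP lease would produce a second mismatch.
Host hostA
    HostName      serverX
    Port          2223
    HostKeyAlias  hostA
    CheckHostIP   no

Host hostB
    HostName      serverX
    Port          2223
    HostKeyAlias  hostB
    CheckHostIP   no

# Fresh-install test boxes: every run generates a new host key, which is
# indistinguishable from a MITM, so host key checking is simply switched
# off for this name pattern only.  /dev/null as the known_hosts file is
# what keeps it quiet: with a real known_hosts and StrictHostKeyChecking
# no, a changed key is still reported and ssh disables password
# authentication and forwarding for that session.  LogLevel quiet hides
# the "Warning: Permanently added ..." line, but also every other
# warning ssh would print, e.g. a port forward that failed to bind.
Host test-*
    StrictHostKeyChecking  no
    UserKnownHostsFile     /dev/null
    LogLevel               quiet

# Everything else keeps the normal, strict behaviour.  Keep this stanza
# last: ssh takes the first value it finds for each option, so a
# permissive Host block after "Host *" would never take effect.
Host *
    StrictHostKeyChecking  ask
    CheckHostIP            yes
```

Two practical notes. When a named machine (hostA above) is reinstalled rather than a test-* box, ssh-keygen -R removes the stale entry by the name the key is stored under, so with HostKeyAlias in play that is the alias, e.g. `ssh-keygen -R hostA`. And on OpenSSH 6.8 or later, `ssh -G test-box1` prints the effective options for a name, which is the quickest way to confirm which stanza a given host falls into before trusting that checking is still on for the hosts that matter.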

