Re: Handling SSH yes/no message

From: Richard E. Silverman (res_at_qoxp.net)
Date: 02/24/04


Date: 23 Feb 2004 23:45:10 -0500


>>>>> "RP" == Ravi Parimi <parimi@none.nowhere.com> writes:

    RP> I have to rebuild a Linux box with ssh very often (once in a few
    RP> days) and each time the box is rebuilt, new SSH keys are generated
    RP> on the server. Soon after the rebuild, the box won't let me ssh
    RP> into it unless I edit my ~/.ssh/known_hosts file and get rid of
    RP> the entry for the remote host.

    RP> I have tried using the StrictHostKeyChecking option, but without
    RP> any luck.

    RP> Both these commands:

    RP> ssh -o 'StrictHostKeyChecking no' 192.168.33.46
    RP> ssh -o StrictHostKeyChecking=no 192.168.33.46

    RP> pop up the same error message about man-in-the-middle attack. Can
    RP> someone please tell me how to use this option?

The option is functioning as documented in ssh_config(5); it cannot be
used by itself to do what you want. OpenSSH will not connect to a host
without confirmation if the host key has changed; setting
StrictHostKeyChecking=no will cause it to connect and automatically add
the key only if there is no existing key for that host.

However, if you do this:

% ssh -o StrictHostKeyChecking=no -o HostKeyAlias=foo ...

... where "foo" is not currently associated with any host key, then
OpenSSH will connect (insecurely, risking MITM) and automatically add the
new host key under the name "foo"; you can then edit your known-host list
accordingly.

Better, of course, would be to tune your rebuild process to preserve the
host keys...

-- 
  Richard Silverman
  res@qoxp.net
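Added example (not code from the thread or from OpenSSH): a short Python model of the known_hosts lookup the ssh client performs and what each StrictHostKeyChecking value does with the result, following ssh_config(5) and the KNOWN_HOSTS FILE FORMAT section of sshd(8). It shows why the command in the question still complains (an entry for 192.168.33.46 exists with a different key, so the lookup is a mismatch, not a new host) and why -o HostKeyAlias=foo gets past it (the lookup name becomes "foo", which has no entry). It also matches the hashed entries HashKnownHosts writes and includes the equivalent of the manual cleanup the poster was doing (ssh-keygen -R). The host names, the alias "foo" and the key blobs are constructed; the blobs are placeholders, not real keys. Two caveats the model reflects from ssh_config(5): with StrictHostKeyChecking=no a changed key is not refused outright, the connection proceeds with password and keyboard-interactive authentication and all forwarding disabled (so a password login fails), and the accept-new value, added in OpenSSH 7.6 long after this thread, adds unknown hosts but refuses changed ones.

```python
"""Model of the OpenSSH client's known_hosts lookup (added example; not code from
the thread or from OpenSSH).  Behaviour follows ssh_config(5) StrictHostKeyChecking
and the KNOWN_HOSTS FILE FORMAT section of sshd(8); all sample data is constructed."""
import base64
import hashlib
import hmac
import re

# Constructed sample data.  The base64 blobs are placeholders, not real keys.
OLD_KEY = ("ssh-rsa", "AAAAB3NzaC1yc2EAAAABIwAAAQEAoldkey0000")
NEW_KEY = ("ssh-rsa", "AAAAB3NzaC1yc2EAAAABIwAAAQEAnewkey1111")
KNOWN_HOSTS = """# constructed ~/.ssh/known_hosts
192.168.33.46,rebuilt.lab ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoldkey0000
[bastion.lab]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIbastionkey
"""

def _glob_match(pattern, name):
    # known_hosts patterns know only '*' and '?'; fnmatch would misread the
    # brackets of a "[host]:port" entry as a character class.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None

def _hostfield_matches(field, name):
    """Match the first known_hosts column against the lookup name."""
    if field.startswith("|1|"):
        # Hashed entry from HashKnownHosts: |1|b64(salt)|b64(HMAC-SHA1(salt, name))
        _, _, salt_b64, hash_b64 = field.split("|", 3)
        digest = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(digest).decode(), hash_b64)
    matched = False
    for pat in field.split(","):
        if pat.startswith("!"):
            if _glob_match(pat[1:], name):
                return False  # a negated pattern excludes the name outright
        elif _glob_match(pat, name):
            matched = True
    return matched

def hashed_hostfield(name, salt=b"0123456789abcdef0123"):
    """Build the hashed host field; OpenSSH draws 20 random salt bytes, a fixed
    salt is used here so the example is deterministic."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def parse_known_hosts(text):
    """Return (hostfield, keytype, keyblob) per key line.  Blank lines, comments and
    @cert-authority/@revoked marker lines are skipped to keep the model short."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith(("#", "@")):
            entries.append((parts[0], parts[1], parts[2]))
    return entries

def host_key_status(known_hosts, name, keytype, keyblob):
    """Classify the key a server offered for `name` (the hostname, or the HostKeyAlias
    when one is set) as 'match', 'absent' or 'mismatch'.  Only a stored key of the
    same type with a different blob is a mismatch; if only keys of other types are
    stored, the offered key counts as new and ssh merely warns about the other types."""
    same_type_seen = False
    for field, ktype, blob in parse_known_hosts(known_hosts):
        if ktype != keytype or not _hostfield_matches(field, name):
            continue
        if blob == keyblob:
            return "match"
        same_type_seen = True
    return "mismatch" if same_type_seen else "absent"

def client_action(status, strict="ask"):
    """What ssh does with that status for each StrictHostKeyChecking value."""
    if status == "match":
        return "connect"
    if status == "absent":
        return {"yes": "refuse", "ask": "prompt-then-add",
                "accept-new": "add-and-connect", "no": "add-and-connect"}[strict]
    # Changed key: never silently accepted.  With 'no' the session proceeds, but
    # password/keyboard-interactive auth and agent/X11/port forwarding are disabled.
    return "connect-restricted" if strict == "no" else "refuse"

def remove_host(known_hosts, name):
    """Drop every key line whose host field matches `name` (what ssh-keygen -R does)."""
    kept = [ln for ln in known_hosts.splitlines()
            if len(ln.split()) < 3 or ln.startswith(("#", "@"))
            or not _hostfield_matches(ln.split()[0], name)]
    return "\n".join(kept) + "\n"

def demo(strict="no"):
    """The poster's situation: same address, new key after a rebuild, then the
    HostKeyAlias=foo workaround, all under StrictHostKeyChecking=no."""
    host = "192.168.33.46"
    before = host_key_status(KNOWN_HOSTS, host, *OLD_KEY)
    after = host_key_status(KNOWN_HOSTS, host, *NEW_KEY)
    aliased = host_key_status(KNOWN_HOSTS, "foo", *NEW_KEY)  # -o HostKeyAlias=foo
    return {step: (s, client_action(s, strict))
            for step, s in (("before", before), ("after", after), ("alias", aliased))}

if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

Running it prints "match/connect" for the pre-rebuild key, "mismatch/connect-restricted" for the new key under the old name, and "absent/add-and-connect" for the aliased lookup. The alias entry is then stored under "foo", which is exactly the known_hosts line to remove (or to rename) once the box is stable; and, as the reply says, carrying /etc/ssh/ssh_host_*_key* across the rebuild makes the whole problem go away.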

