By Alan Franzoni in Mostly Unixish — Aug 26, 2012

ssh client: stopping key verification complaints inside your own private network

If you develop enough software, most probably you'll have a test/development network at your service.

In such networks, which are usually handled through a virtualization infrastructure, machines come and go very quickly.
But ssh clients are usually unhappy about that:

alan@melquiades:/etc/ssh$ ssh root@192.168.0.208
The authenticity of host '192.168.0.208 (192.168.0.208)' can't be established.
RSA key fingerprint is 31:4d:8b:97:c8:57:04:85:6a:1b:72:54:46:ab:04:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.208' (RSA) to the list of known hosts.
root@192.168.0.208's password:

The first time you connect, you're asked if the fingerprint is correct. The second time you'll just be allowed to connect:

alan@melquiades:/etc/ssh$ ssh root@192.168.0.208
root@192.168.0.208's password:

What then if the machine at such ip address changes, because it's rebuilt or modified and the ssh host key is not retained?

alan@melquiades:/etc/ssh$ ssh root@192.168.0.208
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
7b:42:03:5f:5c:8d:5a:2b:6a:a4:1e:d6:0d:05:de:38.
Please contact your system administrator.
Add correct host key in /Users/alan/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/alan/.ssh/known_hosts:111
  remove with: ssh-keygen -f "/Users/alan/.ssh/known_hosts" -R 192.168.0.208
RSA host key for 192.168.0.208 has changed and you have requested strict checking.
Host key verification failed.

From the point of view of openssh this may be a serious security breach, and you should fear such message if it happens in the wild if you haven't touched a server -
a MitM attack is probably going on!

What about your local network? ssh-keygen -R 192.168.0.208 will solve that, but you probably didn't need host key authentication since the beginning.

So, just add this:

Host 192.168.0.*
    CheckHostIP no
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

at the beginning of your /etc/ssh/ssh_config file, and feel good.

Now, anytime you try connecting inside your network you'll be greeted by this:

alan@melquiades:/etc/ssh$ ssh root@192.168.0.208
Warning: Permanently added '192.168.0.208' (RSA) to the list of known hosts.
root@192.168.0.208's password:

No confirmations whatsoever.