ssh client: stopping key verification complaints inside your own private network
If you write enough software, sooner or later you will have a test/development network at your disposal.
In such networks, which are usually backed by a virtualization infrastructure, machines come and go very quickly, and every rebuilt machine gets a fresh ssh host key.
ssh clients are not happy about that:
alan@melquiades:/etc/ssh$ ssh root@192.168.0.208
The authenticity of host '192.168.0.208 (192.168.0.208)' can't be established.
RSA key fingerprint is 31:4d:8b:97:c8:57:04:85:6a:1b:72:54:46:ab:04:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.208' (RSA) to the list of known hosts.
root@192.168.0.208's password:
The first time you connect you are asked to confirm the fingerprint; the key is then stored in ~/.ssh/known_hosts, and the second time you are let straight through:
alan@melquiades:/etc/ssh$ ssh root@192.168.0.208
root@192.168.0.208's password:
What happens, then, if the machine at that IP address is rebuilt or reinstalled and its ssh host key is not retained?
alan@melquiades:/etc/ssh$ ssh root@192.168.0.208
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
7b:42:03:5f:5c:8d:5a:2b:6a:a4:1e:d6:0d:05:de:38.
Please contact your system administrator.
Add correct host key in /Users/alan/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/alan/.ssh/known_hosts:111
remove with: ssh-keygen -f "/Users/alan/.ssh/known_hosts" -R 192.168.0.208
RSA host key for 192.168.0.208 has changed and you have requested strict checking.
Host key verification failed.
From OpenSSH's point of view this is exactly what a man-in-the-middle attack looks like: a host you have connected to before suddenly presents a different key. If you see this message on a server you have not rebuilt or reinstalled yourself, take it seriously and do not type a password into that session; someone may be sitting between you and the server.
On your own development network, where you know the machine was just rebuilt, ssh-keygen -R 192.168.0.208
(the very command the error message suggests) removes the stale entry, and the next connection asks you to accept the new key as if it were a new host. When machines are recreated all the time that gets old fast, and you may decide that host key verification is not buying you anything on that subnet.
If so, add this:
Host 192.168.0.*
CheckHostIP no
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
at the beginning of /etc/ssh/ssh_config (system-wide, needs root) or of ~/.ssh/config (your account only; ssh reads the user file before the system one). Three things then happen for every address matching 192.168.0.*: StrictHostKeyChecking no makes ssh accept an unknown host key without asking, UserKnownHostsFile /dev/null means the accepted key is never written anywhere, and CheckHostIP no stops ssh from recording and checking the host's IP address as a separate known_hosts entry (moot when you connect by IP address, as here, but harmless). The block must come before any other Host block that sets the same options, because ssh uses the first value it finds for each option.
Be clear about what you are giving up: on that subnet ssh will never again notice a changed host key, so anything that can answer for one of those addresses (a rogue VM, anything able to spoof addresses on that segment) can impersonate a server and collect the password you type. Do this only on a network where every host is yours. A less drastic variant drops the UserKnownHostsFile line and keeps StrictHostKeyChecking no: new keys are still accepted silently, but a key that changes for a host ssh already knows still triggers the warning, and ssh then refuses password authentication and forwarding over that connection. On OpenSSH 7.6 and later, StrictHostKeyChecking accept-new accepts new hosts silently and refuses changed ones outright.
Now, any time you connect to a host inside that network you get this:
alan@melquiades:/etc/ssh$ ssh root@192.168.0.208
Warning: Permanently added '192.168.0.208' (RSA) to the list of known hosts.
root@192.168.0.208's password:
No confirmation prompt at all. Since nothing is actually stored in /dev/null, the "Permanently added" warning will appear on every connection; add LogLevel ERROR to the same Host block if you want that silenced too.
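The two things the post relies on without spelling out, namely that ssh uses the first value it finds for each option (hence "at the beginning of the file") and how StrictHostKeyChecking interacts with what known_hosts already contains, are easier to see in a small model. The following is an added example written for this page, not code from the post or from OpenSSH: it resolves a constructed ssh_config for a host the way ssh_config(5) describes, then runs a connection attempt against a constructed known_hosts state. The hosts, fingerprints and the compiled-in defaults in DEFAULTS are assumptions for illustration.

```python
# Added example (not from the original post and not OpenSSH's code): a model of
#   1. ssh_config option resolution: for each option the FIRST value found,
#      reading top to bottom through every matching Host block, is used,
#      which is why the relaxed block must sit above any stricter one; and
#   2. the host-key decision: what the client does given StrictHostKeyChecking
#      and what known_hosts says (unknown host / key matches / key changed).
# Hosts and fingerprints are constructed; DEFAULTS are assumed defaults.
import fnmatch
import re

# The post's block, followed by a stricter catch-all block standing in for
# whatever an admin may already have lower down in /etc/ssh/ssh_config.
LAX_CONFIG = """\
Host 192.168.0.*
    CheckHostIP no
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

Host *
    StrictHostKeyChecking ask
    UserKnownHostsFile ~/.ssh/known_hosts
"""
# Same two blocks in the wrong order: the catch-all now answers first.
REORDERED_CONFIG = "\n\n".join(reversed(LAX_CONFIG.split("\n\n")))
# Less drastic variants that keep a real known_hosts file.
KEEP_HISTORY_CONFIG = "Host 192.168.0.*\n    StrictHostKeyChecking no\n"
ACCEPT_NEW_CONFIG = "Host 192.168.0.*\n    StrictHostKeyChecking accept-new\n"
# Assumed compiled-in defaults, used when the config is silent.
DEFAULTS = {"stricthostkeychecking": "ask",
            "userknownhostsfile": "~/.ssh/known_hosts"}


def host_matches(pattern_list, host):
    """True when an OpenSSH Host pattern list applies to host: patterns are
    separated by spaces or commas, '*' and '?' are wildcards, and a pattern
    starting with '!' excludes the host even if another pattern matched."""
    matched = negated = False
    for pat in pattern_list.replace(",", " ").split():
        if pat.startswith("!"):
            negated |= fnmatch.fnmatchcase(host, pat[1:])
        else:
            matched |= fnmatch.fnmatchcase(host, pat)
    return matched and not negated


def resolve(config_text, host):
    """Effective options for host (keys lower-cased): first value wins."""
    effective = {}
    active = True  # lines before the first Host keyword apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[ \t=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "host":
            active = host_matches(value, host)
        elif active:
            effective.setdefault(key, value)  # an earlier value stays
    for key, value in DEFAULTS.items():
        effective.setdefault(key, value)
    return effective


def host_key_decision(strict, stored_fp, offered_fp):
    """Outcome of the host-key check; stored_fp is the fingerprint recorded
    in known_hosts for this host, or None when the host is unknown."""
    strict = strict.lower()
    if stored_fp is None:
        if strict == "ask":
            return "prompt"            # "Are you sure you want to continue connecting?"
        if strict in ("no", "off", "accept-new"):
            return "add-and-connect"   # "Warning: Permanently added ..."
        return "refuse"                # yes: keys are never added automatically
    if stored_fp == offered_fp:
        return "connect"               # the silent, normal case
    # Key changed: the "REMOTE HOST IDENTIFICATION HAS CHANGED!" banner.
    if strict in ("no", "off"):
        # ssh still connects, but turns off password and keyboard-interactive
        # authentication and all forwarding so a MitM cannot harvest them.
        return "connect-no-password-auth"
    return "refuse"                    # ask / yes / accept-new: "Host key verification failed."


def simulate(config_text, host, known_hosts, offered_fp):
    """One connection attempt. known_hosts maps a file path to {host: fp};
    /dev/null reads as empty and never stores anything. Returns the decision
    and the contents of the consulted file afterwards."""
    opts = resolve(config_text, host)
    path = opts["userknownhostsfile"]
    store = dict(known_hosts.get(path, {}))
    decision = host_key_decision(opts["stricthostkeychecking"], store.get(host), offered_fp)
    if decision == "add-and-connect" and path != "/dev/null":
        store[host] = offered_fp
    return decision, store


if __name__ == "__main__":
    # Constructed state: the old key is still recorded, the rebuilt box offers a new one.
    files = {"~/.ssh/known_hosts": {"192.168.0.208": "fp-old"}}
    for name, cfg in [("post's config", LAX_CONFIG), ("reordered", REORDERED_CONFIG),
                      ("keep history", KEEP_HISTORY_CONFIG), ("accept-new", ACCEPT_NEW_CONFIG)]:
        print(name, simulate(cfg, "192.168.0.208", files, "fp-new")[0])
```

Running it shows the four outcomes side by side for a rebuilt 192.168.0.208: the post's block connects and stores nothing, the same block placed below a catch-all "Host *" is overridden and the connection is refused, StrictHostKeyChecking no with a real known_hosts file connects but without password authentication, and accept-new refuses. Against a real client, ssh -G 192.168.0.208 prints the options ssh itself resolved for that host, which is the check to run after editing the file.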