ssh client: stopping key verification complaints inside your own private network

If you develop enough software, you will most probably have a test/development network at your disposal.

In such networks, which are usually backed by a virtualization infrastructure, machines come and go very quickly.
But ssh clients are usually unhappy about that:

alan@melquiades:/etc/ssh$ ssh root@
The authenticity of host ' (' can't be established.
RSA key fingerprint is 31:4d:8b:97:c8:57:04:85:6a:1b:72:54:46:ab:04:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
root@'s password: 

The first time you connect, you're asked to confirm the fingerprint. The second time you'll just be allowed to connect:

alan@melquiades:/etc/ssh$ ssh root@
root@'s password: 

What happens, then, if the machine at that IP address changes, because it's rebuilt or modified and the ssh host key is not retained?

alan@melquiades:/etc/ssh$ ssh root@
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /Users/alan/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/alan/.ssh/known_hosts:111
  remove with: ssh-keygen -f "/Users/alan/.ssh/known_hosts" -R
RSA host key for has changed and you have requested strict checking.
Host key verification failed.

From the point of view of openssh this may be a serious security breach, and you should fear this message if it appears in the wild for a server you haven't touched:
a MitM attack is probably going on!

What about your local network? ssh-keygen -R will solve that, but you probably didn't need host key verification in the first place.

So, just add this:

Host 192.168.0.*
    CheckHostIP no
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

at the beginning of your /etc/ssh/ssh_config file, and feel good.
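Before relying on that stanza, it is worth checking exactly which hosts it applies to, and the client can tell you. The script below is an added example, not part of the original post: it writes a copy of the stanza to a private config file and uses ssh -G (available since OpenSSH 6.8), which prints the effective configuration for a given host without connecting. The host names 192.168.0.7, devbox and example.org are made up. Two things it makes visible: a Host pattern is matched against the name you type after ssh, so a DNS name that resolves into 192.168.0.0/24 does not match 192.168.0.* and keeps strict checking; and ssh -G prints yes/no settings as true/false, which the script normalizes back.

```shell
#!/bin/sh
# Added example (not from the original post): find out which hosts the relaxed
# stanza really applies to, using "ssh -G", which prints the effective client
# configuration for a host name without opening a connection.
# Assumes an OpenSSH client (6.8 or later for -G); no network access is needed.

set -eu

# Skip cleanly where no ssh client is installed.
command -v ssh >/dev/null 2>&1 || { echo "skip: no ssh client on PATH" >&2; exit 0; }

# Constructed copy of the post's stanza in a private config file, so that
# the real /etc/ssh/ssh_config and ~/.ssh/config play no part (-F ignores both).
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
Host 192.168.0.*
    CheckHostIP no
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no
EOF

# Effective StrictHostKeyChecking for the name you would type after "ssh".
# "no" means the stanza matched; "ask" is the OpenSSH default.
# ssh -G prints flag values as true/false, so map them back to yes/no.
effective_strict_checking() {
    ssh -F "$CFG" -G "$1" | awk '/^stricthostkeychecking /{
        v = $2; if (v == "false") v = "no"; if (v == "true") v = "yes"; print v }'
}

# Effective known_hosts file(s) the client would consult for that name.
effective_known_hosts() {
    ssh -F "$CFG" -G "$1" | awk '/^userknownhostsfile /{ $1 = ""; sub(/^ /, ""); print }'
}

# Demo when run directly. The pattern is matched against the literal name given
# on the command line, so "devbox" does not match even if it resolves to 192.168.0.x.
for h in 192.168.0.7 devbox example.org; do
    printf '%-14s StrictHostKeyChecking=%s  known_hosts=%s\n' "$h" \
        "$(effective_strict_checking "$h")" "$(effective_known_hosts "$h")"
done
```

If you want the relaxation to follow a DNS name as well, add that name (or a second Host pattern) to the stanza; the pattern never sees the resolved address.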

Now, any time you connect to a machine inside your network you'll be greeted by this:

alan@melquiades:/etc/ssh$ ssh root@
Warning: Permanently added '' (RSA) to the list of known hosts.
root@'s password: 

No confirmations whatsoever.

Alan Franzoni


Trieste, Italy