Ssh Disable Host Key Checking

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

External

  • ssh client configuration options: man ssh_config

Internal

Overview

The ssh client verifies the identity of the host it connects to, by checking its host key. If the remote host is not known to your system - meaning that its host key is not present in ~/.ssh/known_hosts, the ssh client interactively asks you to accept the host key's to be written into the file: 

The authenticity of host '[192.168.1.8]:22 ([192.168.1.8]:22)' can't be established.
ECDSA key fingerprint is 83:59:aa:33:10:98:48:f9:12:96:c4:e3:c2:75:50:b6.
Are you sure you want to continue connecting (yes/no)? yes

When run interactively this is usually not a problem, but the behavior could cause problems when ssh is run from a script, so there are situations when we want to inhibit this behavior, by disabling key checking.

Bypass the Interactive Challenge

You can instruct the ssh client to skip the "Are you sure ..." interactive phase and write the key into ~/.ssh/known_hosts without asking. This can be done in the ssh command line or in the configuration file.

Command Line Option

Use StrictHostKeyChecking=no as follows: 

ssh -o StrictHostKeyChecking=no ...

Various documents recommend to pass the option as follows: -o "StrictHostKeyChecking=no" (note the double quotes). That has caused troubles on occasion, so it's best if you don't.

Configuration File Option

Set the following in ~/.ssh/config for the current user or in /etc/ssh/ssh_config for all users: 

...
Host *
    StrictHostKeyChecking no
...

You can disable the challenge for a set of hosts only: 

...
Host 192.168.1.*
    StrictHostKeyChecking no
...

What if the remote host identity changed?

This method works if the remote host is the first seen on your system, or its host key has not changed. However, if the host key has changed, ssh will issue a warning even if the interactive challenge is turned off: 

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
*****
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:10
RSA host key for ***** has changed and you have requested strict checking.
Host key verification failed.

Bypass the Remote Host Key Verification Altogether

If you want to bypass the remote host key verification altogether (this implies you really trust the remote host, which implies in turn that you really know what you're doing), you can sent to remote host key to /dev/null instead of ~/.ssh/known_hosts. This also can be done in command line or configuration file.

Command Line Option

Add UserKnownHostsFile=/dev/null as follows: 

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ...

Various documents recommend to pass the option as follows: -o "UserKnownHostsFile=/dev/null" (note the double quotes). That has caused troubles on occasion, so it's best if you don't.

Configuration File Option

Set the following in ~/.ssh/config for the current user or in /etc/ssh/ssh_config for all users: 

...
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
...

You can disable the challenge for a set of hosts only: 

...
Host 192.168.1.*
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
...
Retrieved from "https://kb.novaordis.com/index.php?title=Ssh_Disable_Host_Key_Checking&oldid=25566"