Ssh Disable Host Key Checking
Latest revision as of 20:42, 2 July 2017
External
- ssh client configuration options: man ssh_config
Internal
- OpenSSH Client Operations
Overview
The ssh client verifies the identity of the host it connects to by checking its host key. If the remote host is not known to your system, meaning that its host key is not present in ~/.ssh/known_hosts, the ssh client interactively asks you to accept the host key and write it into the file:
<pre>
The authenticity of host '[192.168.1.8]:22 ([192.168.1.8]:22)' can't be established.
ECDSA key fingerprint is 83:59:aa:33:10:98:48:f9:12:96:c4:e3:c2:75:50:b6.
Are you sure you want to continue connecting (yes/no)? yes
</pre>
When ssh is run interactively this is usually not a problem, but the prompt becomes a problem when ssh is run from a script, so there are situations in which we want to inhibit this behavior by disabling host key checking.
Bypass the Interactive Challenge
You can instruct the ssh client to skip the "Are you sure ..." interactive phase and write the key into ~/.ssh/known_hosts without asking. This can be done in the ssh command line or in the configuration file.
Command Line Option
Use StrictHostKeyChecking=no as follows:
<pre>
ssh -o StrictHostKeyChecking=no ...
</pre>
Various documents recommend passing the option as -o "StrictHostKeyChecking=no" (note the double quotes). That has caused trouble on occasion, so it is best not to.
Configuration File Option
Set the following in ~/.ssh/config for the current user or in /etc/ssh/ssh_config for all users:
<pre>
...
Host *
    StrictHostKeyChecking no
...
</pre>
You can disable the challenge for a set of hosts only:
<pre>
...
Host 192.168.1.*
    StrictHostKeyChecking no
...
</pre>
What if the remote host identity changed?
This method works if the remote host is seen for the first time on your system, or if its host key has not changed. However, if the host key has changed, ssh will issue a warning even if the interactive challenge is turned off:
<pre>
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
*****
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:10
RSA host key for ***** has changed and you have requested strict checking.
Host key verification failed.
</pre>
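As an added example (not from the original page): a POSIX shell fragment that detects this warning in ssh's captured stderr and locates the conflicting known_hosts entry, so a script running with StrictHostKeyChecking=no can stop and report instead of retrying or falling back to a weaker setting. The function names and the sample warning text are constructed for this example.

```shell
# Constructed sample of ssh's stderr when a known host presents a different key,
# modelled on the warning shown above.
SAMPLE_STDERR='@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Offending key in /home/user/.ssh/known_hosts:10
RSA host key for 192.168.1.8 has changed and you have requested strict checking.
Host key verification failed.'

# Print "file:line" of the conflicting known_hosts entry when the captured
# stderr reports a changed host key; print nothing and return 1 otherwise.
# Matches both "Offending key in" and the newer "Offending RSA key in" form.
host_key_conflict() {
    printf '%s\n' "$1" | grep -q 'REMOTE HOST IDENTIFICATION HAS CHANGED' || return 1
    loc=$(printf '%s\n' "$1" \
        | sed -n 's/^Offending .*key in \([^:]*\):\([0-9][0-9]*\).*/\1:\2/p' \
        | head -n 1)
    [ -n "$loc" ] || return 1
    printf '%s\n' "$loc"
}

# Print the stale entry stored at file:line so an operator can compare it
# with the fingerprint the host presents now before deciding to replace it
# (ssh-keygen -R <host> removes it once the change is confirmed legitimate).
show_conflicting_entry() {
    file=${1%:*}
    line=${1##*:}
    sed -n "${line}p" "$file"
}

# Usage sketch (ssh is not run here): capture stderr of the real command into
# $err, then: loc=$(host_key_conflict "$err") && show_conflicting_entry "$loc"
```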
Bypass the Remote Host Key Verification Altogether
If you want to bypass the remote host key verification altogether (this implies you really trust the remote host, which in turn implies that you really know what you're doing), you can send the remote host key to /dev/null instead of ~/.ssh/known_hosts. Because nothing is remembered between connections, the changed-identity warning from the previous section can no longer be raised either. This too can be done on the command line or in the configuration file.
Command Line Option
Add UserKnownHostsFile=/dev/null as follows:
<pre>
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ...
</pre>
Various documents recommend passing the option as -o "UserKnownHostsFile=/dev/null" (note the double quotes). That has caused trouble on occasion, so it is best not to.
Configuration File Option
Set the following in ~/.ssh/config for the current user or in /etc/ssh/ssh_config for all users:
<pre>
...
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
...
</pre>
You can disable the challenge for a set of hosts only:
<pre>
...
Host 192.168.1.*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
...
</pre>
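As an added example, not part of the original page, covering both the "Bypass the Interactive Challenge" and the "Bypass the Remote Host Key Verification Altogether" sections: a POSIX shell fragment that puts the page's options beside the alternative a script should usually prefer, a dedicated known_hosts file pre-populated with the expected host key, so that strict checking can stay on. The function names, the sample host key and the file layout are assumptions made for this example.

```shell
# Added example, not the page's own code. Instead of turning host key
# checking off, a script can keep it on and point the ssh client at a
# known_hosts file it controls, pre-populated with the expected host key.
set -eu

# Write a constructed known_hosts file for the host used on this page.
# The key material is a placeholder, not a real key; in practice the
# entry comes from a provisioning record or an out-of-band ssh-keyscan.
make_pinned_known_hosts() {
    printf '%s\n' \
        '192.168.1.8 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000' \
        > "$1"
}

# Return 0 if the file holds a plain (unhashed) entry naming the host,
# 1 otherwise. Hashed entries (|1|...) need: ssh-keygen -F host -f file
known_hosts_has() {
    awk -v h="$1" '
        $1 !~ /^[|#@]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$2"
}

# Options for a non-interactive ssh run against the pinned file. Strict
# checking stays on, so an unknown or changed key fails the connection
# (and surfaces the warning from the previous section) rather than being
# accepted silently. BatchMode=yes suppresses password/passphrase prompts.
ssh_opts_pinned() {
    printf '%s' "-o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$1"
}

# The options this page ends with, kept here for comparison: never asks,
# never remembers, and therefore can never detect that a host key changed.
ssh_opts_unverified() {
    printf '%s' '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
}

# Usage sketch (ssh is not run here):
#   f=/etc/myapp/known_hosts; make_pinned_known_hosts "$f"
#   ssh $(ssh_opts_pinned "$f") user@192.168.1.8 uptime
```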