Ssh Disable Host Key Checking: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
Line 42: Line 42:
Host key verification failed.
Host key verification failed.
</pre>
</pre>
=Bypass the Remote Host Key Verification Altogether=


If you want to bypass the remote host key verification altogether (this implies you ''really'' trust the remote host, which implies in turn that you really know what you're doing), you can pass the remote host key to <tt>/dev/null</tt>, as follows:
If you want to bypass the remote host key verification altogether (this implies you ''really'' trust the remote host, which implies in turn that you really know what you're doing), you can pass the remote host key to <tt>/dev/null</tt>, as follows:

Revision as of 05:27, 11 January 2016

Internal

Overview

The ssh client verifies the identity of the host it connects to, by checking its host key. If the remote host is not known to your system - meaning that its host key is not present in ~/.ssh/known_hosts, the ssh client interactively asks you to accept the host key's to be written into the file:

The authenticity of host '[192.168.1.8]:22 ([192.168.1.8]:22)' can't be established.
ECDSA key fingerprint is 83:59:aa:33:10:98:48:f9:12:96:c4:e3:c2:75:50:b6.
Are you sure you want to continue connecting (yes/no)? yes

When run interactively this is usually not a problem, but the behavior could cause problems when ssh is run from a script, so there are situations when we want to inhibit this behavior, by disabling key checking.

Bypass the Interactive Challenge

You can instruct the ssh client to skip the "Are you sure ..." interactive phase and write the key into ~/.ssh/known_hosts without asking.

This is done as follows:

ssh -o "StrictHostKeyChecking=no" ...

This method works if the remote host is the first seen on your system, or its host key has not changed. However, if the host key has changed, ssh will issue a warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
*****
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:10
RSA host key for ***** has changed and you have requested strict checking.
Host key verification failed.

Bypass the Remote Host Key Verification Altogether

If you want to bypass the remote host key verification altogether (this implies you really trust the remote host, which implies in turn that you really know what you're doing), you can pass the remote host key to /dev/null, as follows:

ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" ...