[Gllug] Persuading ssh to be less fussy for one nominated target host

Richard Jones rich at annexia.org
Sun Jul 8 19:46:48 UTC 2007


On Sun, Jul 08, 2007 at 08:08:05PM +0100, Alain Williams wrote:
> On Sun, Jul 08, 2007 at 07:12:24PM +0100, John Winters wrote:
> > I've been fiddling with my ssh settings to try to get it be a bit less 
> > paranoid when I connect to my test system.  I'm continually 
> > re-installing it and currently I have to edit ~/.ssh/known_hosts each 
> > time and remove the previous entries for that box.
> > 
> > I've tried putting
> > 
> >     StrictHostKeyChecking no
> > 
> > in /etc/ssh/ssh_config (under the entry for that one particular host of 
> > course) but ssh still won't let me connect until I edit the old entries 
> > out of ~/.ssh/known_hosts
> > 
> > Does anyone know of a way to tell ssh not to fuss so?
> 
> Quite simply -- don't.
> 
> Editing ~/.ssh/known_hosts is very little extra overhead on an install,
> if you disable this check: you lay yourself open to a man in the middle attack
> some time in the future.

But he's only doing it for a single host which he knows will be
reinstalled.  There's nothing at all wrong with disabling the check
for a single host in this case.

There is another situation where ssh's host key checking gives false
alarms: when you've got machines which get randomly assigned IP
addresses (eg. from a dumb DHCP server).  I wish I knew a way to make
ssh handle this more intelligently.  On my home network I have dozens
of machines which are constantly booted and rebooted, and consequently
get semi-random IP addresses from my stupid DSL router -- these
machines are actually Xen virtual machines in case you were wondering.
Perhaps moving to IPv6 is the solution, and would also give me an
excuse to bin the router.

Rich.

-- 
Richard Jones
Red Hat
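As an added example (not from anyone in this thread), two POSIX shell helpers for John's recurring case: prune only the nominated host's stale entries from a known_hosts file, leaving every other host's key pinned, and print the matching per-host ssh_config block so the relaxation stays scoped to that one box. The host name testbox and all key material used with it are constructed.

```shell
# forget_host_key KNOWN_HOSTS HOST
# Remove every known_hosts line whose host field names HOST, either plain
# ("host,ip ...") or with a port ("[host]:port ..."). All other lines are
# kept, so only the reinstalled box loses its pinned key.
forget_host_key() {
    kh="$1" host="$2"
    tmp="$kh.tmp.$$"
    awk -v h="$host" '
        {
            f = $1
            # "@cert-authority" / "@revoked" markers shift the host field right
            if (f ~ /^@/) f = $2
            # hashed entries (|1|salt|hash) cannot be matched in plain text;
            # keep them (ssh-keygen -R HOST handles those)
            if (substr(f, 1, 3) == "|1|") { print; next }
            n = split(f, names, ",")
            keep = 1
            for (i = 1; i <= n; i++) {
                nm = names[i]
                sub(/^\[/, "", nm); sub(/\]:[0-9]+$/, "", nm)
                if (nm == h) { keep = 0; break }
            }
            if (keep) print
        }' "$kh" > "$tmp" && mv "$tmp" "$kh"
}

# scoped_config HOST
# Print an ssh_config "Host" block that relaxes key checking for HOST only.
# In OpenSSH, StrictHostKeyChecking=no does let a connection proceed past a
# changed key, but then disables password authentication, which is the
# likely reason the edit alone did not help. Pointing UserKnownHostsFile
# at /dev/null for this one host means its key is never recorded, so no
# stale entry can conflict on the next reinstall.
scoped_config() {
    cat <<EOF
Host $1
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
EOF
}
```

In practice `ssh-keygen -R testbox` does the pruning (hashed entries included); the awk version is here to make the known_hosts format explicit.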