[Gllug] Persuading ssh to be less fussy for one nominated target host
Mike Brodbelt
mike at coruscant.demon.co.uk
Sun Jul 8 23:00:12 UTC 2007
Richard Jones wrote:
> There is another situation where ssh's host key checking gives false
> alarms: when you've got machines which get randomly assigned IP
> addresses (eg. from a dumb DHCP server). I wish I knew a way to make
> ssh handle this more intelligently.
You should in theory be able to make it work better in the general case
- though whether this method will help your specific circumstance isn't
certain....
You can set up your DHCP server to update the DNS with the appropriate
SSHFP records when the lease is assigned. That way, when the client gets
its lease, that client's fingerprint will be retrievable from the DNS,
and will be trusted by OpenSSH if you've set VerifyHostKeyDNS on in the
config file. Caveat - I've not actually set this up, but I can't see any
reason why it shouldn't work as advertised...
Of course the other place where ssh host key checking falls down is
where you have multiple hosts behind a DNAT setup, so you use different
ports on the same externally facing IP address to reach different hosts.
You can get around this by specifying different UserKnownHostsFile
entries for each connection, but it's a bit of a pain.
Mike
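As an added illustration (not part of Mike's post), this script builds the SSHFP records that the DHCP-triggered DNS update would have to publish for a host key, hashing the raw key blob the same way `ssh-keygen -r hostname` does. The hostname, the sample key (a fixed byte pattern, not a real key) and the helper names are constructed for this example.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def parse_pubkey_line(line):
    """Split an OpenSSH public key line into (key type, raw key blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1])
    # The blob starts with a uint32-length-prefixed copy of the key type;
    # refuse lines whose declared type disagrees with the blob contents.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type in blob does not match declared type")
    return keytype, blob


def sshfp_records(hostname, pubkey_line):
    """Return the SHA-1 and SHA-256 SSHFP records for one host key."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHM.get(keytype)
    if alg is None:
        raise ValueError("no SSHFP algorithm number for %s" % keytype)
    records = []
    for name, fptype in sorted(SSHFP_FPTYPE.items(), key=lambda kv: kv[1]):
        digest = hashlib.new(name, blob).hexdigest()  # hash over the raw blob
        records.append("%s IN SSHFP %d %d %s" % (hostname, alg, fptype, digest))
    return records


# Constructed sample: a syntactically valid ssh-ed25519 blob built from a fixed
# 32-byte pattern (not a real key), so the script runs offline.
_RAW = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 %s root@example-host" % base64.b64encode(_RAW).decode()

if __name__ == "__main__":
    for rr in sshfp_records("host1.example.", SAMPLE_KEY):
        print(rr)
```

Fed a real `/etc/ssh/ssh_host_*_key.pub`, the output should match `ssh-keygen -r host1.example. -f <that file>`; the client then needs `VerifyHostKeyDNS yes` (and, for an unsigned zone, will still prompt) before it trusts the record.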
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug