Scott Garman wrote:
> I recently posted this on my blog, but figured that if there was anyone 
> I knew who could come up with a better solution, it would be someone on 
> this list...
>
> Scott
>
> ----
>
> Secure shell (ssh) uses cryptographic keys to uniquely identify 
> (fingerprint) the hosts that you connect to. Once you connect to a new 
> host, the fingerprint string is added to a file called known_hosts in 
> your ~/.ssh directory. Then, every time you reconnect to that host, the 
> fingerprint is checked to ensure it hasn’t changed.
>
> This is an important security feature, because if the saved fingerprint 
> doesn’t match, it could be because someone is maliciously spoofing the 
> server you’re trying to connect to as part of a man-in-the-middle (MITM) 
> type attack. However, in this modern age, some of us have local networks 
> with numerous devices/laptops which change their IP address regularly 
> due to DHCP. When this happens and you ssh to a device now using the 
> same IP that a previous device used (and for which you have the host 
> fingerprint saved), you get a nastygram from ssh and it refuses to allow 
> you to connect to the device. Then you must clear the fingerprint from 
> your ~/.ssh/known_hosts file and reconnect. This gets old really quickly.
>
> So I spent some time today reviewing ssh configuration options to 
> disable this host key checking for my home network subnet. Upon first 
> glance, the StrictHostKeyChecking option seems like the one you’d want 
> to change, but in fact setting it to “no” still does not allow you to 
> ssh to a host when the saved fingerprint doesn’t match up.
>
> In resignation, I instead hacked up a different solution, and now tell 
> ssh to use /dev/null instead of ~/.ssh/known_hosts as where to save host 
> keys for my local subnet. If anyone knows a better solution to this, 
> please enlighten me. Here is my final ~/.ssh/config file:
>
> Host 192.168.1.*
> StrictHostKeyChecking no
> UserKnownHostsFile /dev/null
>
> Note that for hosts outside of my home subnet, the host key checking is 
> still enforced (as it should be).
>   
You can pre-load the host keys in /etc/ssh/ssh_known_hosts. (Don't
forget to prefix each line with the hostname/IP address; yes - you can
use wildcards - see sshd(8)).

--Bruce
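As an added illustration (not part of either message, and not OpenSSH's own code), here is a small Python model of how ssh decides whether a presented host key is ok, changed or new given a known_hosts file, following the host-pattern rules described under "SSH_KNOWN_HOSTS FILE FORMAT" in sshd(8): comma-separated patterns with `*` and `?` wildcards, `!` negation, `[host]:port` for non-standard ports, and hashed `|1|salt|hmac` entries. The sample entries and the `ssh-ed25519` key strings are constructed placeholders, not real host keys, and the function names are this example's own.

```python
# Model of OpenSSH known_hosts matching (hypothetical helper code, not
# OpenSSH's implementation). Shows why one entry per IP breaks under DHCP
# address reuse, and what a subnet wildcard entry in ssh_known_hosts does.
import base64
import hashlib
import hmac
import re

HOST_OK, HOST_NEW, HOST_CHANGED = "ok", "new", "changed"


def _pattern_to_regex(pattern):
    # Only '*' and '?' are wildcards in known_hosts host patterns.
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def _hashed_match(entry, name):
    # Hashed entry: |1|<base64 salt>|<base64 HMAC-SHA1(salt, name)>
    try:
        _, version, salt_b64, digest_b64 = entry.split("|")
    except ValueError:
        return False
    if version != "1":
        return False
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(digest_b64))


def host_matches(hostlist, host, port=22):
    """A line matches if any pattern matches and no '!' pattern matches."""
    name = host if port == 22 else "[%s]:%d" % (host, port)
    matched = False
    for pat in hostlist.split(","):
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if pat.startswith("|1|"):
            hit = _hashed_match(pat, name)
        else:
            hit = _pattern_to_regex(pat).match(name) is not None
        if hit and negate:
            return False
        matched = matched or hit
    return matched


def parse_known_hosts(text):
    """Yield (marker, hostlist, keytype, key) per non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):  # @cert-authority / @revoked markers
            marker, line = line.split(None, 1)
        fields = line.split()
        if len(fields) >= 3:
            yield marker, fields[0], fields[1], fields[2]


def check_host_key(text, host, keytype, key, port=22):
    """HOST_OK if a matching line holds this key; HOST_CHANGED if matching
    lines hold a different key of the same type; else HOST_NEW.
    Marker lines (@cert-authority, @revoked) are skipped in this model."""
    same_type_seen = False
    for marker, hostlist, ktype, k in parse_known_hosts(text):
        if marker is not None or ktype != keytype:
            continue
        if not host_matches(hostlist, host, port):
            continue
        if k == key:
            return HOST_OK
        same_type_seen = True
    return HOST_CHANGED if same_type_seen else HOST_NEW


def hashed_entry(host, salt=b"0123456789abcdef0123"):
    """Build a HashKnownHosts-style host field for `host` (fixed salt for the demo)."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


# Constructed sample data: placeholder key strings, not real host keys.
LAPTOP_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAILAPTOPKEYPLACEHOLDER000000000000000000"
NAS_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAINASKEYPLACEHOLDER0000000000000000000000"

# One entry per address: the DHCP problem from the original post.
PER_IP_FILE = "192.168.1.50 ssh-ed25519 %s\n" % LAPTOP_KEY

# Bruce's approach: each known device's key listed under the subnet pattern.
WILDCARD_FILE = (
    "# home subnet, keys pre-loaded\n"
    "192.168.1.* ssh-ed25519 %s\n"
    "192.168.1.* ssh-ed25519 %s\n"
) % (LAPTOP_KEY, NAS_KEY)

# Same idea with the router excluded via '!' and a hashed hostname entry.
NEGATED_FILE = "!192.168.1.1,192.168.1.* ssh-ed25519 %s\n" % NAS_KEY
HASHED_FILE = "%s ssh-ed25519 %s\n" % (hashed_entry("192.168.1.50"), LAPTOP_KEY)

if __name__ == "__main__":
    print("per-IP, NAS now at .50:", check_host_key(PER_IP_FILE, "192.168.1.50", "ssh-ed25519", NAS_KEY))
    print("wildcard, NAS at .50:  ", check_host_key(WILDCARD_FILE, "192.168.1.50", "ssh-ed25519", NAS_KEY))
```

Running the model shows the trade-off of the pre-loaded wildcard file: every device whose key is listed is accepted at any address in the subnet, a device presenting a key that is not listed is reported as a changed key rather than a new one (so its key has to be added to the file explicitly before ssh will talk to it), and hosts outside the pattern are still treated exactly as before. Hashed entries only match the exact name they were hashed from, so they cannot express a subnet wildcard.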
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
