Avoiding ssh host key lookups for your home subdomain?

2008-04-02 Thread Scott Garman
I recently posted this on my blog, but figured that if there was anyone 
I knew who could come up with a better solution, it would be someone on 
this list...

Scott



Secure shell (ssh) uses cryptographic keys to uniquely identify 
(fingerprint) the hosts that you connect to. Once you connect to a new 
host, the fingerprint string is added to a file called known_hosts in 
your ~/.ssh directory. Then, every time you reconnect to that host, the 
fingerprint is checked to ensure it hasn’t changed.

This is an important security feature, because if the saved fingerprint 
doesn’t match, it could be because someone is maliciously spoofing the 
server you’re trying to connect to as part of a man-in-the-middle (MITM) 
type attack. However, in this modern age, some of us have local networks 
with numerous devices/laptops which change their IP address regularly 
due to DHCP. When this happens and you ssh to a device now using the 
same IP that a previous device used (and for which you have the host 
fingerprint saved), you get a nastygram from ssh and it refuses to allow 
you to connect to the device. Then you must clear the fingerprint from 
your ~/.ssh/known_hosts file and reconnect. This gets old really quickly.

So I spent some time today reviewing ssh configuration options to 
disable this host key checking for my home network subnet. Upon first 
glance, the StrictHostKeyChecking option seems like the one you’d want 
to change, but in fact setting it to “no” still does not allow you to 
ssh to a host when the saved fingerprint doesn’t match up.

In resignation, I instead hacked up a different solution, and now tell 
ssh to use /dev/null instead of ~/.ssh/known_hosts as where to save host 
keys for my local subnet. If anyone knows a better solution to this, 
please enlighten me. Here is my final ~/.ssh/config file:

Host 192.168.1.*
StrictHostKeyChecking no
UserKnownHostsFile /dev/null

Note that for hosts outside of my home subnet, the host key checking is 
still enforced (as it should be).
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: Avoiding ssh host key lookups for your home subdomain?

2008-04-02 Thread Cole Tuininga
On Wed, 2008-04-02 at 11:17 -0400, Scott Garman wrote:
> I recently posted this on my blog, but figured that if there was anyone 
> I knew who could come up with a better solution, it would be someone on 
> this list...

Why not just give known devices a static IP out of the dhcp pool?

-- 
A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>> A: Top-posting.
>>> Q: What is the most annoying thing on Usenet and in e-mail?

Cole Tuininga
http://www.code-energy.com/




Re: Avoiding ssh host key lookups for your home subdomain?

2008-04-02 Thread Bruce Dawson
Scott Garman wrote:
> I recently posted this on my blog, but figured that if there was anyone 
> I knew who could come up with a better solution, it would be someone on 
> this list...
>
> Scott
>
> 
>
> Secure shell (ssh) uses cryptographic keys to uniquely identify 
> (fingerprint) the hosts that you connect to. Once you connect to a new 
> host, the fingerprint string is added to a file called known_hosts in 
> your ~/.ssh directory. Then, every time you reconnect to that host, the 
> fingerprint is checked to ensure it hasn’t changed.
>
> This is an important security feature, because if the saved fingerprint 
> doesn’t match, it could be because someone is maliciously spoofing the 
> server you’re trying to connect to as part of a man-in-the-middle (MITM) 
> type attack. However, in this modern age, some of us have local networks 
> with numerous devices/laptops which change their IP address regularly 
> due to DHCP. When this happens and you ssh to a device now using the 
> same IP that a previous device used (and for which you have the host 
> fingerprint saved), you get a nastygram from ssh and it refuses to allow 
> you to connect to the device. Then you must clear the fingerprint from 
> your ~/.ssh/known_hosts file and reconnect. This gets old really quickly.
>
> So I spent some time today reviewing ssh configuration options to 
> disable this host key checking for my home network subnet. Upon first 
> glance, the StrictHostKeyChecking option seems like the one you’d want 
> to change, but in fact setting it to “no” still does not allow you to 
> ssh to a host when the saved fingerprint doesn’t match up.
>
> In resignation, I instead hacked up a different solution, and now tell 
> ssh to use /dev/null instead of ~/.ssh/known_hosts as where to save host 
> keys for my local subnet. If anyone knows a better solution to this, 
> please enlighten me. Here is my final ~/.ssh/config file:
>
> Host 192.168.1.*
> StrictHostKeyChecking no
> UserKnownHostsFile /dev/null
>
> Note that for hosts outside of my home subnet, the host key checking is 
> still enforced (as it should be).
>   
You can pre-load the host keys in /etc/ssh/ssh_known_hosts. (Don't
forget to prefix each line with the hostname/IP address; yes - you can
use wildcards - see sshd(8)).

--Bruce
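The check behind the "nastygram" in Scott's post, and the wildcard host patterns Bruce points to in sshd(8), modelled in Python as an added example (illustrative code, not OpenSSH's own). The known_hosts sample and its key blobs are constructed placeholders; [host]:port syntax and @cert-authority/@revoked markers are left out.

```python
"""Added model of the known_hosts check OpenSSH makes on each connect (plain,
wildcard and hashed host fields per sshd(8)); illustrative, not OpenSSH's code."""
import base64, fnmatch, hashlib, hmac

def hashed_host(host, salt):
    """HashKnownHosts field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_field_matches(field, host):
    """Does a known_hosts host field (plain, pattern list or hashed) cover host?"""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    positive = False
    for pat in field.split(","):          # sshd(8): '*' and '?' wildcards, '!' negation
        if fnmatch.fnmatchcase(host, pat.lstrip("!")):
            if pat.startswith("!"):
                return False              # a negated match overrides any positive one
            positive = True
    return positive

def check_host(known_hosts, host, keytype, key):
    """'match', 'mismatch' (the refused "nastygram" case) or 'unknown' (first contact)."""
    seen_type = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", "@")):   # comments, CA/revoked markers skipped
            continue
        field, ktype, kdata = parts[:3]
        if ktype != keytype or not host_field_matches(field, host):
            continue
        if kdata == key:
            return "match"
        seen_type = True                  # same host and key type, different key
    return "mismatch" if seen_type else "unknown"

def forget_host(known_hosts, host):
    """Drop every entry covering host, as `ssh-keygen -R host` does (comments kept)."""
    return "\n".join(l for l in known_hosts.splitlines() if not l.split()
                     or l.startswith(("#", "@")) or not host_field_matches(l.split()[0], host)) + "\n"

# Constructed sample file: key blobs are placeholders, not real public keys.
SALT = b"\x01" * 20                       # a real client draws 20 random bytes
KNOWN_HOSTS = (
    "192.168.1.20 ssh-rsa AAAAB3Nza-DEVICE-A\n"                  # plain entry saved on first connect
    + "192.168.1.*,!192.168.1.20 ssh-rsa AAAAB3Nza-LAB-IMAGE\n"  # wildcard pre-load, one host excluded
    + hashed_host("build.example.org", SALT) + " ssh-ed25519 AAAAC3Nza-BUILD\n"
)
```

A DHCP lease reuse is the second assertion below: a new device answering at 192.168.1.20 with the lab image's key is reported as a mismatch, and only forget_host() (the manual known_hosts clean-up) turns it back into a first contact.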


Re: Avoiding ssh host key lookups for your home subdomain?

2008-04-02 Thread Scott Garman
Bruce Dawson wrote:
> You can pre-load the host keys in /etc/ssh/ssh_known_hosts. (Don't
> forget to prefix each line with the hostname/IP address; yes - you can
> use wildcards - see sshd(8)).

Thanks for the reply, Bruce. Unfortunately my problem is that I want to 
avoid the host key lookups entirely. I'm doing embedded development and 
I routinely bring up new devices on my network with new ssh keys. 
Preloading keys would work for most home user environments, but not the 
one I'm working in. I should have mentioned that in my initial post.

Regards,

Scott



Re: Avoiding ssh host key lookups for your home subdomain?

2008-04-02 Thread Scott Garman
Cole Tuininga wrote:
> On Wed, 2008-04-02 at 11:17 -0400, Scott Garman wrote:
>> I recently posted this on my blog, but figured that if there was anyone 
>> I knew who could come up with a better solution, it would be someone on 
>> this list...
> 
> Why not just give known devices a static IP out of the dhcp pool?

That's a good suggestion too. In my case, I'm frequently reinstalling 
the OS on the devices on my network, and new ssh keys get generated on 
each reinstall. This happens at least a couple of times per week.

Regards,

Scott



Re: Avoiding ssh host key lookups for your home subdomain?

2008-04-02 Thread Paul Lussier
Scott Garman writes:

> In resignation, I instead hacked up a different solution, and now tell 
> ssh to use /dev/null instead of ~/.ssh/known_hosts as where to save host 
> keys for my local subnet. If anyone knows a better solution to this, 
> please enlighten me. Here is my final ~/.ssh/config file:
>
> Host 192.168.1.*
> StrictHostKeyChecking no

This should still work.  We use it all the time.  The other thing you
could do is to never change your host keys, when you re-install,
re-install old, cached keys.  We do this all the time too.  With 400+
systems which get reinstalled on the order of 10-100 times a week, we
maintain a universal /etc/ssh/ssh_known_hosts file with the ssh keys
generated when a system is added to our lab network.  That hostname
then, forever, has those keys.

We cache them in an NFS volume, gpg encrypted, and upon re-install,
they're decrypted, and re-installed on the "new" system.  We even have
a 'fixssh' script which does all this for us, which I'd be happy to
share as well.

If you truly want to avoid host key lookup entirely, use Kerberos!
Works like a charm.
-- 
Seeya,
Paul


Re: Avoiding ssh host key lookups for your home subdomain?

2008-04-03 Thread Nigel Stewart
Scott,

I had the same problem at the office with a multi-boot
usb-connected drive that has various distros installed.
Sometimes I boot linux on a laptop, but there are
various other boxes that I also use it on, some
with dynamically assigned addresses, others fixed.

My solution was to clone the host keys across the various
machines.

Specifically, the following files:

$ ls -la /etc/ssh/ssh_host_*_key*
-rw------- 1 root root 1196 2007-10-12 11:40 /etc/ssh/ssh_host_dsa_key
-rw-r--r-- 1 root root 1114 2007-10-12 11:40 /etc/ssh/ssh_host_dsa_key.pub
-rw------- 1 root root 1675 2007-10-12 11:40 /etc/ssh/ssh_host_rsa_key
-rw-r--r-- 1 root root  394 2007-10-12 11:40 /etc/ssh/ssh_host_rsa_key.pub

So, the fingerprint will always match, no matter the name or address.

Hope it helps.

- Nigel
