Avoiding ssh host key lookups for your home subdomain?

Scott Garman sgarman at zenlinux.com
Wed Apr 2 11:17:12 EDT 2008 

I recently posted this on my blog, but figured that if there was anyone 
I knew who could come up with a better solution, it would be someone on 
this list...

Scott

----

Secure shell (ssh) uses cryptographic keys to uniquely identify 
(fingerprint) the hosts that you connect to. Once you connect to a new 
host, the fingerprint string is added to a file called known_hosts in 
your ~/.ssh directory. Then, every time you reconnect to that host, the 
fingerprint is checked to ensure it hasn’t changed.

This is an important security feature, because if the saved fingerprint 
doesn’t match, it could be because someone is maliciously spoofing the 
server you’re trying to connect to as part of a man-in-the-middle (MITM) 
type attack. However, in this modern age, some of us have local networks 
with numerous devices/laptops which change their IP address regularly 
due to DHCP. When this happens and you ssh to a device now using the 
same IP that a previous device used (and for which you have the host 
fingerprint saved), you get a nastygram from ssh and it refuses to allow 
you to connect to the device. Then you must clear the fingerprint from 
your ~/.ssh/known_hosts file and reconnect. This gets old really quickly.

So I spent some time today reviewing ssh configuration options to 
disable this host key checking for my home network subnet. Upon first 
glance, the StrictHostKeyChecking option seems like the one you’d want 
to change, but in fact setting it to “no” still does not allow you to 
ssh to a host when the saved fingerprint doesn’t match up.

In resignation, I instead hacked up a different solution, and now tell 
ssh to use /dev/null instead of ~/.ssh/known_hosts as where to save host 
keys for my local subnet. If anyone knows a better solution to this, 
please enlighten me. Here is my final ~/.ssh/config file:

Host 192.168.1.*
StrictHostKeyChecking no
UserKnownHostsFile /dev/null

Note that for hosts outside of my home subnet, the host key checking is 
still enforced (as it should be).

More information about the gnhlug-discuss mailing list