Avoiding ssh host key lookups for your home subdomain?
Bruce Dawson
jbd at codemeta.com
Wed Apr 2 11:28:46 EDT 2008
Scott Garman wrote:
> I recently posted this on my blog, but figured that if there was anyone
> I knew who could come up with a better solution, it would be someone on
> this list...
>
> Scott
>
> ----
>
> Secure shell (ssh) uses cryptographic keys to uniquely identify
> (fingerprint) the hosts that you connect to. Once you connect to a new
> host, the fingerprint string is added to a file called known_hosts in
> your ~/.ssh directory. Then, every time you reconnect to that host, the
> fingerprint is checked to ensure it hasn’t changed.
>
> This is an important security feature, because if the saved fingerprint
> doesn’t match, it could be because someone is maliciously spoofing the
> server you’re trying to connect to as part of a man-in-the-middle (MITM)
> type attack. However, in this modern age, some of us have local networks
> with numerous devices/laptops which change their IP address regularly
> due to DHCP. When this happens and you ssh to a device now using the
> same IP that a previous device used (and for which you have the host
> fingerprint saved), you get a nastygram from ssh and it refuses to allow
> you to connect to the device. Then you must clear the fingerprint from
> your ~/.ssh/known_hosts file and reconnect. This gets old really quickly.
>
> So I spent some time today reviewing ssh configuration options to
> disable this host key checking for my home network subnet. Upon first
> glance, the StrictHostKeyChecking option seems like the one you’d want
> to change, but in fact setting it to “no” still does not allow you to
> ssh to a host when the saved fingerprint doesn’t match up.
>
> In resignation, I instead hacked up a different solution, and now tell
> ssh to use /dev/null instead of ~/.ssh/known_hosts as where to save host
> keys for my local subnet. If anyone knows a better solution to this,
> please enlighten me. Here is my final ~/.ssh/config file:
>
> Host 192.168.1.*
> StrictHostKeyChecking no
> UserKnownHostsFile /dev/null
>
> Note that for hosts outside of my home subnet, the host key checking is
> still enforced (as it should be).
>
You can pre-load the host keys in /etc/ssh/ssh_known_hosts. (Don't
forget to prefix each line with the hostname/IP address; yes - you can
use wildcards - see sshd(8)).
--Bruce
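Bruce's suggestion keeps a pin for the home subnet where Scott's `UserKnownHostsFile /dev/null` keeps none. The following Python is an added example, not code from either message: it evaluates known_hosts host patterns as sshd(8) describes them (`*`/`?` wildcards, `!` negation, hashed `|1|` entries, `@revoked` markers) and reports the decision ssh would reach for a presented key; the sample file, its salt and the key blobs are constructed placeholders.

```python
import base64, hashlib, hmac, re

def _pattern_matches(pat, host):
    # sshd(8) wildcards: '*' any run of characters, '?' one; everything else literal
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
    return re.fullmatch(regex, host) is not None

def hash_hostname(host, salt):
    # HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_field_matches(field, host):
    # Comma-separated host field of one line; a matching '!' pattern vetoes the whole line.
    matched = False
    for pat in field.split(","):
        if pat.startswith("|1|"):
            salt = base64.b64decode(pat.split("|")[2])
            matched |= hmac.compare_digest(hash_hostname(host, salt), pat)
        elif pat.startswith("!"):
            if _pattern_matches(pat[1:], host):
                return False
        elif _pattern_matches(pat, host):
            matched = True
    return matched

def verify_host_key(known_hosts, host, keytype, key):
    # Decision ssh reaches for a presented key: 'ok', 'revoked', 'mismatch' (the
    # nastygram) or 'unknown' (nothing pinned, the only outcome /dev/null can give).
    pinned, revoked = [], []
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3 or marker == "@cert-authority":  # CA entries need a cert check
            continue
        if host_field_matches(fields[0], host) and fields[1] == keytype:
            (revoked if marker == "@revoked" else pinned).append(fields[2])
    if key in revoked:
        return "revoked"
    return "unknown" if not pinned else "ok" if key in pinned else "mismatch"

SAMPLE_KNOWN_HOSTS = "\n".join([  # constructed /etc/ssh/ssh_known_hosts for a home subnet
    "192.168.1.1,router ssh-ed25519 AAAA_ROUTER_KEY_PLACEHOLDER",
    "192.168.1.*,!192.168.1.1 ssh-ed25519 AAAA_LAB_IMAGE_KEY_PLACEHOLDER",
    "@revoked 192.168.1.* ssh-ed25519 AAAA_LEAKED_KEY_PLACEHOLDER",
    hash_hostname("nas.home", b"constructed-salt") + " ssh-rsa AAAA_NAS_KEY_PLACEHOLDER",
])
```

Calling `verify_host_key("", "192.168.1.42", "ssh-ed25519", "<any key>")` shows why the `/dev/null` config silences the warning: with an empty file every host is "unknown", so no key is ever compared.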