Avoiding ssh host key lookups for your home subdomain?
Paul Lussier
p.lussier at comcast.net
Wed Apr 2 14:45:47 EDT 2008
Scott Garman <sgarman at zenlinux.com> writes:
> In resignation, I instead hacked up a different solution, and now tell
> ssh to use /dev/null instead of ~/.ssh/known_hosts as where to save host
> keys for my local subnet. If anyone knows a better solution to this,
> please enlighten me. Here is my final ~/.ssh/config file:
>
> Host 192.168.1.*
> StrictHostKeyChecking no
This should still work. We use it all the time. The other thing you
could do is to never change your host keys, when you re-install,
re-install old, cached keys. We do this all the time too. With 400+
systems which get reinstalled on the order of 10-100 times a week, we
maintain a universal /etc/ssh/ssh_known_hosts file with the ssh keys
generated when a system is added to our lab network. That hostname
then, forever, has those keys.
We cache them in an NFS volume, gpg encrypted, and upon re-install,
they're decrypted, and re-installed on the "new" system. We even have
a 'fixssh' script which does all this for us, which I'd be happy to
share as well.
If you truly want to avoid host key lookup entirely, use Kerberos!
Works like a charm.
--
Seeya,
Paul
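The cached-host-key scheme Paul describes (a per-host key cache that is restored on reinstall and also feeds a global /etc/ssh/ssh_known_hosts), as an added example in POSIX shell. This is not the 'fixssh' script from the post: the cache layout ($CACHE/<hostname>/addr with one IP per line, plus the host's ssh_host_*_key and .pub files), the hostnames and the key strings are constructed placeholders, and the gpg encryption of the cache is left out. The verify function shows what Scott's config gives up: with pinned keys and StrictHostKeyChecking left on, a host whose key changed (reinstall without restore, or something else answering on that address) is flagged rather than silently accepted.

```shell
#!/bin/sh
# Added example, not the 'fixssh' script from the post. Assumed cache layout
# (hypothetical): $CACHE/<hostname>/addr (one IP per line) and
# $CACHE/<hostname>/ssh_host_*_key{,.pub}. gpg encryption of the cache is omitted.

# Print ssh_known_hosts lines "hostname,ip[,ip] keytype base64" for every cached
# host. Pinning keys this way lets StrictHostKeyChecking stay on: a reinstalled
# box that got its old keys back matches, one that did not is flagged.
build_known_hosts() {
    cache="$1"
    for hostdir in "$cache"/*/; do
        host=$(basename "$hostdir")
        [ -f "$hostdir/addr" ] || continue
        names="$host,$(tr '\n' ',' < "$hostdir/addr" | sed 's/,$//')"
        for pub in "$hostdir"/ssh_host_*_key.pub; do
            [ -f "$pub" ] || continue
            # a .pub file is "type base64 [comment]"; the comment is dropped
            awk -v n="$names" '{ print n " " $1 " " $2 }' "$pub"
        done
    done
}

# Copy a host's cached key pair(s) into its new /etc/ssh (here: $dest) with the
# permissions sshd expects, so the reinstalled system keeps its old identity.
restore_host_keys() {
    cache="$1"; host="$2"; dest="$3"
    mkdir -p "$dest"
    for f in "$cache/$host"/ssh_host_*_key "$cache/$host"/ssh_host_*_key.pub; do
        [ -f "$f" ] || continue
        cp "$f" "$dest/"
        case "$f" in
            *.pub) chmod 644 "$dest/$(basename "$f")" ;;
            *)     chmod 600 "$dest/$(basename "$f")" ;;
        esac
    done
}

# Compare a key observed at connect time (type and base64) against the cache:
# returns 0 if it matches a pinned key, 1 on mismatch. This is the check that
# "StrictHostKeyChecking no" with a /dev/null known_hosts throws away.
verify_host_key() {
    cache="$1"; host="$2"; seen_type="$3"; seen_key="$4"
    for pub in "$cache/$host"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        set -- $(cat "$pub")
        [ "$1" = "$seen_type" ] && [ "$2" = "$seen_key" ] && return 0
    done
    return 1
}

# Constructed sample cache: two lab hosts with placeholder key material.
make_sample_cache() {
    cache="$1"
    mkdir -p "$cache/lab01" "$cache/lab02"
    printf '192.168.1.11\n' > "$cache/lab01/addr"
    printf '192.168.1.12\n10.0.0.12\n' > "$cache/lab02/addr"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERLAB01 root@lab01\n' \
        > "$cache/lab01/ssh_host_ed25519_key.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERLAB01 root@lab01\n' \
        > "$cache/lab01/ssh_host_rsa_key.pub"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERLAB02 root@lab02\n' \
        > "$cache/lab02/ssh_host_ed25519_key.pub"
    for h in lab01 lab02; do
        printf '%s\n' "PRIVATE KEY PLACEHOLDER ($h ed25519)" \
            > "$cache/$h/ssh_host_ed25519_key"
    done
    printf '%s\n' "PRIVATE KEY PLACEHOLDER (lab01 rsa)" \
        > "$cache/lab01/ssh_host_rsa_key"
}

# Stand-alone demo: build the global known_hosts, then "reinstall" lab01.
demo() {
    cache=$(mktemp -d)
    make_sample_cache "$cache"
    echo "# /etc/ssh/ssh_known_hosts"
    build_known_hosts "$cache"
    restore_host_keys "$cache" lab01 "$cache/newbox-etc-ssh"
    ls -l "$cache/newbox-etc-ssh"
    rm -rf "$cache"
}
demo
```

In real use the output of build_known_hosts goes to /etc/ssh/ssh_known_hosts on every client, and restore_host_keys runs on the freshly installed machine before sshd starts; either step alone is enough to keep the "host key has changed" prompt meaningful instead of disabling it.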