Flag to turn off host-key check - openssh
-
Flag to turn off host-key check
Let me start by saying that I think OpenSSH is a great tool and thanks to everyone contributing to its existence.
However, I have a request:
I'd like to have a flag that ignores the check of the host key. I'm fully aware that this opens the way for man-in-the-middle attacks and that there is a risk of lazy users misusing this feature, but it would be very useful for us using SSH in a lab environment where the host key of the equipment frequently changes.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev
-
Re: Flag to turn off host-key check
Tobias Karlsson wrote:
> Let me start by saying that I think OpenSSH is a great tool and thanks to everyone contributing to its existence.
Agreed!
> However, I have a request:
>
> I'd like to have a flag that ignores the check of the host key. I'm fully aware that this opens the way for man-in-the-middle attacks and that there is a risk of lazy users misusing this feature, but it would be very useful for us using SSH in a lab environment where the host key of the equipment frequently changes.
I've often thought about this too, however I can't bring myself to
skipping hostkey checks altogether, that's just crazy talk. One thing
I thought might be reasonable was a .ssh/unknown_hosts file where you
could list hostnames or IPs or maybe even IP ranges that would not be
strictly enforced. Maybe it would still cache the key and let you know
it's changed (useful for when someone reinstalls your lab system without
telling you.) Of course, I haven't started working on this patch, so...
-matt
-
Re: Flag to turn off host-key check
--On June 20, 2008 11:04:18 AM -0700 Tobias Karlsson
wrote:
> Let me start by saying that I think OpenSSH is a great tool and thanks to
> everyone contributing to its existence.
>
> However, I have a request:
>
> I'd like to have a flag that ignores the check of the host key. I'm fully
> aware that this opens the way for man-in-the-middle attacks and that there
> is a risk of lazy users misusing this feature, but it would be very
> useful for us using SSH in a lab environment where the host key of the
> equipment frequently changes.
StrictHostKeyChecking [yes|no|ask] defaults to ask.
ssh -o 'StrictHostKeyChecking no'
or in ~/.ssh/config.
--
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
-
Re: Flag to turn off host-key check
Sorry I hit send before I finished composing....
Using that option in combination with some form of DDNS update script and
VerifyHostKeyDNS would get you what you want, with current software. It is
a workaround, yes.
--On June 20, 2008 1:14:04 PM -0600 Michael Loftis
wrote:
>
> --On June 20, 2008 11:04:18 AM -0700 Tobias Karlsson
> wrote:
>
>> Let me start by saying that I think OpenSSH is a great tool and thanks to
>> everyone contributing to its existence.
>>
>> However, I have a request:
>>
>> I'd like to have a flag that ignores the check of the host key. I'm fully
>> aware that this opens the way for man-in-the-middle attacks and that there
>> is a risk of lazy users misusing this feature, but it would be very
>> useful for us using SSH in a lab environment where the host key of the
>> equipment frequently changes.
>
> StrictHostKeyChecking [yes|no|ask] defaults to ask.
>
> ssh -o 'StrictHostKeyChecking no'
> or in ~/.ssh/config.
-
Re: Flag to turn off host-key check
On Fri, Jun 20, 2008 at 7:04 PM, Tobias Karlsson
wrote:
> Let me start by saying that I think OpenSSH is a great tool and thanks to everyone contributing to its existence.
>
> However, I have a request:
>
> I'd like to have a flag that ignores the check of the host key. I'm fully aware that this opens the way for man-in-the-middle attacks and that there is a risk of lazy users misusing this feature, but it would be very useful for us using SSH in a lab environment where the host key of the equipment frequently changes.
>
Try setting the following:
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
- Niall
-
Re: Flag to turn off host-key check
-
Re: Flag to turn off host-key check
Daniel Kahn Gillmor wrote:
> Even better would be to enclose those directives underneath a Host
> statement that limits these options to the hosts which you expect to
> behave in this suboptimal way. e.g.:
>
> Host *.lab.example.org
>     UserKnownHostsFile /dev/null
>     StrictHostKeyChecking no
>
> That way you don't lose the host key checking protection for any other
> hosts.
Right, this setup looks ideal for my issue.
> Alternately, you could find ways to prevent the host keys on these
> machines from changing -- why are they changing like this?
In my case at least the OS is blown away and reinstalled fairly often.
I guess the keys could be saved off on another host and then copied back
each time, but those config file changes above would really simplify
things for the couple of persistent systems that connect in.
-matt
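As an added example (not code from the thread or from OpenSSH itself), a small Python resolver that mimics how ssh_config Host blocks are applied (first value obtained wins, "!" negates a pattern, matching is case-insensitive) so you can check that the relaxed settings in a scoped block like the one above reach only the lab hosts and leave every other host with strict checking. The config text and hostnames are constructed for the example; the parser handles only the "Key value" form, not "Key=value".

```python
import re

# Constructed ssh_config text modelled on the scoped Host block from the thread,
# with one lab host excluded via "!" so the veto rule is exercised as well.
LAB_CONFIG = """\
Host *.lab.example.org !gateway.lab.example.org
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

Host *
    StrictHostKeyChecking ask
"""


def _pattern_matches(pattern, host):
    """ssh_config-style glob: '*' matches any run, '?' exactly one char; case-insensitive."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern.lower()
    )
    return re.fullmatch(regex, host.lower()) is not None


def _host_block_matches(patterns, host):
    """Host line semantics: a matching negated ('!') pattern vetoes the block,
    otherwise the block applies if any positive pattern matches."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if _pattern_matches(pat[1:], host):
                return False
        elif _pattern_matches(pat, host):
            matched = True
    return matched


def resolve(config_text, host):
    """Return the effective options (lower-cased keys) for host.
    Like ssh(1), the first value obtained for a keyword wins, so the
    catch-all 'Host *' block at the end only fills in what is still unset."""
    options = {}
    active = True  # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = _host_block_matches(value.split(), host)
        elif active:
            options.setdefault(key, value)
    return options
```

Running resolve() against a host outside the lab pattern is the check worth scripting before shipping such a config: it must come back with StrictHostKeyChecking ask and no UserKnownHostsFile override.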
-
Re: Flag to turn off host-key check
Matt Anderson wrote:
> In my case at least the OS is blown away and reinstalled fairly often.
> I guess the keys could be saved off on another host and then copied back
> each time, but those config file changes above would really simplify
> things for the couple persistent systems that connect in.
The previous solution is probably better but as an alternative you
could teach the client about the new key after it is generated.
Depending upon many things it might be convenient to install a random
key and then set the client's known_hosts file with the new key using
ssh-keyscan. Just a thought...
Bob