Flag to turn off host-key check - openssh


Thread: Flag to turn off host-key check

  1. Flag to turn off host-key check

    Let me start by saying that I think OpenSSH is a great tool and thanks to everyone contributing to its existence.

    However, I have a request:

    I'd like to have a flag that ignores the check of the host key. I'm fully aware that this opens up for man-in-the-middle attacks and that there is a risk of lazy users mis-using this feature, but it would be very useful for us using SSH in a lab environment where the host key of the equipment frequently changes.






    _______________________________________________
    openssh-unix-dev mailing list
    openssh-unix-dev@mindrot.org
    https://lists.mindrot.org/mailman/li...enssh-unix-dev


  2. Re: Flag to turn off host-key check

    Tobias Karlsson wrote:
    > Let me start by saying that I think OpenSSH is a great tool and thanks to everyone contributing to its existence.


    Agreed!

    > However, I have a request:
    >
    > I'd like to have a flag that ignores the check of the host key. I'm fully aware that this opens up for man-in-the-middle attacks and that there is a risk of lazy users mis-using this feature, but it would be very useful for us using SSH in a lab environment where the host key of the equipment frequently changes.


    I've often thought about this too, however I can't bring myself to
    skipping hostkey checks altogether, that's just crazy talk. One thing
    I thought might be reasonable was a .ssh/unknown_hosts file where you
    could list hostnames or IPs or maybe even IP ranges that would not be
    strictly enforced. Maybe it would still cache the key and let you know
    it's changed (useful for when someone reinstalls your lab system without
    telling you.) Of course, I haven't started working on this patch, so...

    -matt


  3. Re: Flag to turn off host-key check


    --On June 20, 2008 11:04:18 AM -0700 Tobias Karlsson wrote:

    > Let me start by saying that I think OpenSSH is a great tool and thanks to
    > everyone contributing to its existence.
    >
    > However, I have a request:
    >
    > I'd like to have a flag that ignores the check of the host key. I'm fully
    > aware that this opens up for man-in-the-middle attacks and that there
    > is a risk of lazy users mis-using this feature, but it would be very
    > useful for us using SSH in a lab environment where the host key of the
    > equipment frequently changes.


    StrictHostKeyChecking [yes|no|ask] defaults to ask.

    ssh -o 'StrictHostKeyChecking no'
    or in ~/.ssh/config/.






    --
    "Genius might be described as a supreme capacity for getting its possessors
    into trouble of all kinds."
    -- Samuel Butler


  4. Re: Flag to turn off host-key check

    Sorry I hit send before I finished composing....

    Using that option in combination with some form of DDNS update script and
    VerifyHostKeyDNS would get you what you want, with current software. It is
    a workaround, yes.

    --On June 20, 2008 1:14:04 PM -0600 Michael Loftis wrote:

    >
    > --On June 20, 2008 11:04:18 AM -0700 Tobias Karlsson wrote:
    >
    >> Let me start by saying that I think OpenSSH is a great tool and thanks to
    >> everyone contributing to its existence.
    >>
    >> However, I have a request:
    >>
    >> I'd like to have a flag that ignores the check of the host key. I'm fully
    >> aware that this opens up for man-in-the-middle attacks and that there
    >> is a risk of lazy users mis-using this feature, but it would be very
    >> useful for us using SSH in a lab environment where the host key of the
    >> equipment frequently changes.

    >
    > StrictHostKeyChecking [yes|no|ask] defaults to ask.
    >
    > ssh -o 'StrictHostKeyChecking no'
    > or in ~/.ssh/config/.


  5. Re: Flag to turn off host-key check

    On Fri, Jun 20, 2008 at 7:04 PM, Tobias Karlsson wrote:
    > Let me start by saying that I think OpenSSH is a great tool and thanks to everyone contributing to its existence.
    >
    > However, I have a request:
    >
    > I'd like to have a flag that ignores the check of the host key. I'm fully aware that this opens up for man-in-the-middle attacks and that there is a risk of lazy users mis-using this feature, but it would be very useful for us using SSH in a lab environment where the host key of the equipment frequently changes.
    >


    Try setting the following:
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

    - Niall


  6. Re: Flag to turn off host-key check


  7. Re: Flag to turn off host-key check

    Daniel Kahn Gillmor wrote:
    > Even better would be to enclose those directives underneath a Host
    > statement that limits these options to the hosts which you expect to
    > behave in this suboptimal way. e.g.:
    >
    > Host *.lab.example.org
    > UserKnownHostsFile /dev/null
    > StrictHostKeyChecking no
    >
    > That way you don't lose the host key checking protection for any other
    > hosts.


    Right, this setup looks ideal for my issue.

    > Alternately, you could find ways to prevent the host keys on these
    > machines from changing -- why are they changing like this?


    In my case at least the OS is blown away and reinstalled fairly often.
    I guess the keys could be saved off on another host and then copied back
    each time, but those config file changes above would really simplify
    things for the couple persistent systems that connect in.

    -matt
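
An added example, not part of any post in this thread: a small Python audit that reads ssh_config text and reports where host-key checking is weakened, separating the Host-scoped form suggested above from settings that reach every host. The sample config is constructed, and the function name and output tuple layout are assumptions of this example; treating `off` like `no` follows ssh_config(5).

```python
import re
import shlex

WEAK_STRICT = {"no", "off"}  # both let ssh accept unknown and changed host keys
LINE = re.compile(r"([^\s=]+)(?:\s*=\s*|\s+)(.*)")  # "Key value" or "Key=value"

SAMPLE = """\
# constructed sample, not taken from the thread
StrictHostKeyChecking ask

Host *.lab.example.org
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

Host *
    StrictHostKeyChecking=off
"""

def audit_ssh_config(text):
    """Return (scope, patterns, option, value) for each weakened host-key setting."""
    findings = []
    # Lines before the first Host/Match block apply to every host.
    patterns, scope = ["(top of file)"], "global"
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or raw.lstrip().startswith("#"):
            continue  # blank line, comment, or keyword without arguments
        key, rest = m.group(1).lower(), m.group(2).strip()
        try:
            args = shlex.split(rest)   # honours quoted arguments
        except ValueError:
            args = rest.split()        # unbalanced quotes: fall back to plain split
        if key == "host":
            patterns = args
            scope = "global" if "*" in args else "scoped"
        elif key == "match":
            patterns = ["Match " + rest]
            scope = "global" if rest.lower() == "all" else "scoped"
        elif key == "stricthostkeychecking" and args and args[0].lower() in WEAK_STRICT:
            findings.append((scope, patterns, "StrictHostKeyChecking", args[0].lower()))
        elif key == "userknownhostsfile" and args and all(a == "/dev/null" for a in args):
            findings.append((scope, patterns, "UserKnownHostsFile", "/dev/null"))
    return findings

if __name__ == "__main__":
    for scope, patterns, option, value in audit_ssh_config(SAMPLE):
        print(f"{scope:6} {' '.join(patterns):20} {option} {value}")
```

A "global" finding means the relaxed setting is not confined to the lab hosts and is the case worth reviewing first.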


  8. Re: Flag to turn off host-key check

    Matt Anderson wrote:
    > In my case at least the OS is blown away and reinstalled fairly often.
    > I guess the keys could be saved off on another host and then copied back
    > each time, but those config file changes above would really simplify
    > things for the couple persistent systems that connect in.


    The previous solution is probably better but as an alternative you
    could teach the client about the new key after it is generated.
    Depending upon many things it might be convenient to install a random
    key and then set the client's known_hosts file with the new key using
    ssh-keyscan. Just a thought...

    Bob