SSH auto trust all host keys,how to? - SSH


Thread: SSH auto trust all host keys,how to?

  1. SSH auto trust all host keys,how to?

    Hello,
    I'm using PuTTY with an SSH server, I'm using it in a batch file and I
    needed to know if there is a possibility to allow all host keys to be
    trusted? because I don't want plink to ask to confirm changed host key,
    just continue its job.

    Also I would like to know how I can log all that is happening in
    plink?
    and where does plink store its host keys? I must make it so it will
    allow host keys, since I'm making an auto script that will pass on to
    other computers.


  2. Re: SSH auto trust all host keys,how to?

    In comp.security.ssh SSKillZ :
    > Hello,


    > I'm using PuTTY with an SSH server, I'm using it in a batch file
    > and I needed to know if there is a possibility to allow all host
    > keys to be trusted? because I don't want plink to ask to confirm
    > changed host key, just continue its job.


    Dunno what 'plink' is about? Never heard, however openssh ssh
    client has an option to turn off HostKey checking to accept any,
    'man ssh' probably has the full information. Even if this isn't a
    genuine idea, there is 'ssh-keyscan' made to gather ssh public
    keys for you.

    > Also I would like to know how I can log all that is
    > happening in plink? and where does plink store its host keys?
    > I must make it so it will allow host keys, since I'm making an
    > auto script that will pass on to other computers.


    Using 'script' might be an option, seems to me you might just use
    the complete wrong OS which perhaps misses any default installed
    tools to easily automate tasks? Your task sounds trivial running
    any *nix OS.

    BTW
    Since you might be new to usenet, this is *NOT* a groups.google
    forum, even if it looks like this to you, please quote context:

    "Google Groups users please read - Howto reply properly"
    http://groups.google.com/support/bin...y?answer=14213

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 158: Defunct processes

  3. Re: SSH auto trust all host keys,how to?



  4. Re: SSH auto trust all host keys,how to?


    > Dunno what 'plink' is about? Never heard, however openssh ssh
    > client has an option to turn off HostKey checking to accept any,
    > 'man ssh' probably has the full information. Even if this isn't a
    > genuine idea, there is 'ssh-keyscan' made to gather ssh public
    > keys for you.


    I really don't get what an SSH public key is, and I really don't know how
    someone can fake an SSH server which has a static IP and send me a false
    host key, so I really don't need the host key for the SSH connection. I
    just use SSH because this is the way I can shut down or restart programs
    running on my remote Linux server. It's just I'm making a script that I'll
    hand out for other ppl so they can fill in SSH details and just press
    a button and restart a program (never mind the name now), so the SSH
    server is changing between those people using my script and so is the
    host key, that's why every one of them need to prompt the key and it won't
    be automatic..

    Plink is like PuTTY just for the command line, available on PuTTY's site:
    http://the.earth.li/~sgtatham/putty/...er7.html#plink

    So you said the OpenSSH client has the option I want? Does it work in the
    command line of Windows also? And can it be used for the command line?
    10x for the quick reply, and for further messages :|


  5. Re: SSH auto trust all host keys,how to?

    In the PuTTY manual read Appendix A (FAQ) Question A.2.9

    Russ...


    SSKillZ wrote:
    > > Dunno what 'plink' is about? Never heard, however openssh ssh
    > > client has an option to turn off HostKey checking to accept any,
    > > 'man ssh' probably has the full information. Even if this isn't a
    > > genuine idea, there is 'ssh-keyscan' made to gather ssh public
    > > keys for you.

    >
    > I really don't get what an SSH public key is, and I really don't know how
    > someone can fake an SSH server which has a static IP and send me a false
    > host key, so I really don't need the host key for the SSH connection. I
    > just use SSH because this is the way I can shut down or restart programs
    > running on my remote Linux server. It's just I'm making a script that I'll
    > hand out for other ppl so they can fill in SSH details and just press
    > a button and restart a program (never mind the name now), so the SSH
    > server is changing between those people using my script and so is the
    > host key, that's why every one of them need to prompt the key and it won't
    > be automatic..
    >
    > Plink is like PuTTY just for the command line, available on PuTTY's site:
    > http://the.earth.li/~sgtatham/putty/...er7.html#plink
    >
    > So you said the OpenSSH client has the option I want? Does it work in the
    > command line of Windows also? And can it be used for the command line?
    > 10x for the quick reply, and for further messages :|



  6. Re: SSH auto trust all host keys,how to?


    > >
    > > So you said the OpenSSH client has the option I want? Does it work in the
    > > command line of Windows also? And can it be used for the command line?
    > > 10x for the quick reply, and for further messages :|


    I know I'm asking now about another client who has this option,
    or at least an option to log what's happening in the session.


  7. Re: SSH auto trust all host keys,how to?

    SSKillZ wrote:
    > Hello,
    > I'm using PuTTY with an SSH server, I'm using it in a batch file and I
    > needed to know if there is a possibility to allow all host keys to be
    > trusted? because I don't want plink to ask to confirm changed host key,
    > just continue its job.
    >
    > Also I would like to know how I can log all that is happening in
    > plink?
    > and where does plink store its host keys? I must make it so it will
    > allow host keys, since I'm making an auto script that will pass on to
    > other computers.


    I had a similar problem before. When you make an ssh connection
    to a server for the first time, putty will ask if you want to save the
    host key. What I did is
    echo yes | plink ....
    it will automatically answer/pipe "yes" to the question.

    I am not sure if it also works for Changed host key.
    A.2.9 Is there an option to turn off the annoying host key prompts?
    http://www.chiark.greenend.org.uk/~s...l#faq-hostkeys


  8. Re: SSH auto trust all host keys,how to?

    Can you show me the example of your "echo yes" script?
    Is it all in batch?

    Also I must know how I can start a log file with a parameter with plink
    or PuTTY from the command line, there is an option to log every output
    in the PuTTY GUI, but I can find how from the command-line. 10x ahead for
    any reply :|


  9. Re: SSH auto trust all host keys,how to?

    In comp.security.ssh SSKillZ :

    >> Dunno what 'plink' is about? Never heard, however openssh ssh
    >> client has an option to turn off HostKey checking to accept any,
    >> 'man ssh' probably has the full information. Even if this isn't a
    >> genuine idea, there is 'ssh-keyscan' made to gather ssh public
    >> keys for you.


    > I really don't get what an SSH public key is, and I really don't know how
    > someone can fake an SSH server which has a static IP and send me a false


    Zero problem if he controls the network, ssh provides a secure
    channel through "trusted" and untrusted networks, the (public)
    *host* key is essential to be sure the host is really the one you
    think it is. How would you go about establishing a secure
    connection if you can't even be sure where you are connecting?

    > host key, so I really don't need the host key for the SSH connection. I
    > just use SSH because this is the way I can shut down or restart programs
    > running on my remote Linux server. It's just I'm making a script that I'll
    > hand out for other ppl so they can fill in SSH details and just press
    > a button and restart a program (never mind the name now), so the SSH
    > server is changing between those people using my script and so is the
    > host key, that's why every one of them need to prompt the key and it won't
    > be automatic..


    So why do you store the key inside the script or put it in users
    ~/.ssh/known_hosts? They just need to accept the key once. Should
    it ever change you can be sure there's something wrong. And need
    to check for reasons.

    [..]

    > So you said the OpenSSH client has the option I want? Does it work in the


    It has some options to do so, even if it doesn't sound you should
    use the option.

    > command line of Windows also? And can it be used for the command line?
    > 10x for the quick reply, and for further messages :|


    Iirc you can run openssh from cygwin.

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 417: Computer room being moved. Our systems are
    down for the weekend.
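
Added example, not part of the original thread: the reply above suggests shipping the server's host key with the script or in known_hosts, so that a changed key is treated as an error. The Python sketch below performs that check on constructed data (the host name and both key blobs are invented) and contrasts it with answering "yes" to every prompt.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ed25519_blob(raw_key: bytes) -> bytes:
    """Public key blob as it appears (base64-encoded) in known_hosts."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form OpenSSH prints: unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map host name -> set of pinned key blobs (plain, unhashed entries)."""
    pins = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue  # comments, markers and hashed names are skipped here
        try:
            blob = base64.b64decode(fields[2], validate=True)
        except ValueError:
            continue  # third field is not valid base64
        for host in fields[0].split(","):
            pins.setdefault(host, set()).add(blob)
    return pins

def check_host_key(pins: dict, host: str, offered: bytes) -> str:
    """Return 'match', 'changed' or 'unknown' for the key a server offers."""
    known = pins.get(host)
    if known is None:
        return "unknown"
    if any(hmac.compare_digest(offered, k) for k in known):
        return "match"
    return "changed"  # simplification: any unpinned key for a pinned host

def should_connect(status: str, answer_yes_to_all: bool) -> bool:
    """Pinned policy connects only on 'match'; piping 'yes' accepts anything."""
    return True if answer_yes_to_all else status == "match"

# Constructed sample data: host name and key bytes are invented.
GOOD = ed25519_blob(bytes(range(32)))
ROGUE = ed25519_blob(bytes(range(1, 33)))
PINNED = "server.example.com ssh-ed25519 " + base64.b64encode(GOOD).decode()

if __name__ == "__main__":
    pins = parse_known_hosts(PINNED)
    for name, blob in (("genuine", GOOD), ("substituted", ROGUE)):
        status = check_host_key(pins, "server.example.com", blob)
        print(name, fingerprint(blob), status,
              should_connect(status, False), should_connect(status, True))
```

With the pinned policy the substituted key stops the run before any password is sent; with the answer-yes policy both keys are accepted alike.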

  10. Re: SSH auto trust all host keys,how to?

    Oh I got it, but I can't try it now,
    it's
    echo yes | plink -l ..............
    right? It's a good idea, I'll try it when I regain my access

    Also I'm searching how I can start logging the output from the command
    line??!
    10x ahead


  11. Re: SSH auto trust all host keys,how to?

    SSKillZ wrote:
    >> Dunno what 'plink' is about? Never heard, however openssh ssh
    >> client has an option to turn off HostKey checking to accept any,
    >> 'man ssh' probably has the full information. Even if this isn't a
    >> genuine idea, there is 'ssh-keyscan' made to gather ssh public
    >> keys for you.

    >
    > I really don't get what an SSH public key is, and I really don't know how
    > someone can fake an SSH server which has a static IP and send me a false
    > host key, so I really don't need the host key for the SSH connection. I
    > just use SSH because this is the way I can shut down or restart programs
    > running on my remote Linux server. It's just I'm making a script that I'll
    > hand out for other ppl so they can fill in SSH details and just press
    > a button and restart a program (never mind the name now), so the SSH
    > server is changing between those people using my script and so is the
    > host key, that's why every one of them need to prompt the key and it won't
    > be automatic..
    >
    > Plink is like PuTTY just for the command line, available on PuTTY's site:
    > http://the.earth.li/~sgtatham/putty/...er7.html#plink
    >
    > So you said the OpenSSH client has the option I want? Does it work in the
    > command line of Windows also? And can it be used for the command line?
    > 10x for the quick reply, and for further messages :|
    >


    IP addresses are very easy to fake.

  12. Re: SSH auto trust all host keys,how to?

    This method:
    echo yes | plink -l ..
    worked like a charm, thank you very much!! Very good idea!
    Also, how can someone fake a static IP address my server gave me?
    It's constant!


  13. Re: SSH auto trust all host keys,how to?

    SSKillZ wrote:
    > This method:
    > echo yes | plink -l ..
    > worked like a charm, thank you very much!! Very good idea!
    > Also, how can someone fake a static IP address my server gave me?
    > It's constant!


    Glad it helps. I posted another method about your log question,
    but it did not show up.
    The way I logged plink is to redirect stdout and stderr to a file:
    echo yes | plink ... >C:\tmp\tmp1 2>C:\tmp\tmp2
    then you could do logging/parsing based on those two files.

    James


  14. Re: SSH auto trust all host keys,how to?

    Chuck wrote:
    > SSKillZ wrote:
    >>> Dunno what 'plink' is about? Never heard, however openssh ssh
    >>> client has an option to turn off HostKey checking to accept any,
    >>> 'man ssh' probably has the full information. Even if this isn't a
    >>> genuine idea, there is 'ssh-keyscan' made to gather ssh public
    >>> keys for you.

    >> I really don't get what an SSH public key is, and I really don't know how
    >> someone can fake an SSH server which has a static IP and send me a false
    >> host key, so I really don't need the host key for the SSH connection. I
    >> just use SSH because this is the way I can shut down or restart programs
    >> running on my remote Linux server. It's just I'm making a script that I'll
    >> hand out for other ppl so they can fill in SSH details and just press
    >> a button and restart a program (never mind the name now), so the SSH
    >> server is changing between those people using my script and so is the
    >> host key, that's why every one of them need to prompt the key and it won't
    >> be automatic..
    >>
    >> Plink is like PuTTY just for the command line, available on PuTTY's site:
    >> http://the.earth.li/~sgtatham/putty/...er7.html#plink
    >>
    >> So you said the OpenSSH client has the option I want? Does it work in the
    >> command line of Windows also? And can it be used for the command line?
    >> 10x for the quick reply, and for further messages :|
    >>

    >
    > IP addresses are very easy to fake.



    I'm glad it worked for you, but do you realize that what you're doing is
    akin to telling your web browser to accept any server's certificate
    without question? If I ended up on a "secure" server whose certificate
    was self-signed, expired, or had some other problem I would stop right
    there before providing any information. I could easily be connected to
    a spoofed server who's trying to steal a password, credit card number, or
    any other piece of information that they can trick me into giving.

    To fake (spoof) an IP in Windows takes about 20 seconds. Control Panel -
    Network Connections - Local Area Connection - Properties - TCP/IP
    Protocol, Properties - Use the Following IP Address. You can enter
    whatever you want there.

    It's been years since I did it on Linux but IIRC it was just a matter of
    editing a file or two in /etc.

  15. Re: SSH auto trust all host keys,how to?

    >>>>> "Chuck" == Chuck writes:

    Chuck> To fake (spoof) an IP in Windows takes about 20
    Chuck> seconds. Control Panel - Network Connections - Local Area
    Chuck> Connection - Properties - TCP/IP Protocol, Properties - Use the
    Chuck> Following IP Address. You can enter whatever you want there.

    You are oversimplifying. It is simple to set another address; it is not
    so simple to use it. This by itself won't help you unless the host you're
    trying to spoof is on the same IP network as you, since otherwise the
    return traffic of the TCP connection will not come back to you. Even so,
    frequently there will be outbound filters on an enclosing network
    preventing your spoofed packets from even leaving, since their source addresses
    do not lie in the correct networks. And if the spoofed host is up at the
    same time, your computer will probably refuse to use the address, due to
    detecting via ARP traffic that another host is using the address; you'd
    need special exploit software.

    It's a bad idea to rely on source IP addresses for security, but at the
    same time let's not overstate the reality of the problem.

    --
    Richard Silverman
    res@qoxp.net


  16. Re: SSH auto trust all host keys,how to?

    Richard E. Silverman wrote:
    >>>>>> "Chuck" == Chuck writes:

    >
    > Chuck> To fake (spoof) an IP in Windows takes about 20
    > Chuck> seconds. Control Panel - Network Connections - Local Area
    > Chuck> Connection - Properties - TCP/IP Protocol, Properties - Use the
    > Chuck> Following IP Address. You can enter whatever you want there.
    >
    > You are oversimplifying. It is simple to set another address; it is not
    > so simple to use it. This by itself won't help you unless the host you're
    > trying to spoof is on the same IP network as you, since otherwise the
    > return traffic of the TCP connection will not come back to you. Even so,
    > frequently there will be outbound filters on an enclosing network
    > preventing your spoofed packets from even leaving, since their source addresses
    > do not lie in the correct networks. And if the spoofed host is up at the
    > same time, your computer will probably refuse to use the address, due to
    > detecting via ARP traffic that another host is using the address; you'd
    > need special exploit software.
    >
    > It's a bad idea to rely on source IP addresses for security, but at the
    > same time let's not overstate the reality of the problem.
    >


    Not all attacks come from outside your network. This idea is often
    overlooked.

  17. Re: SSH auto trust all host keys,how to?

    >>>>> "Chuck" == Chuck writes:

    Chuck> Richard E. Silverman wrote:
    >>>>>>> "Chuck" == Chuck writes:

    >>

    Chuck> To fake (spoof) an IP in Windows takes about 20
    Chuck> seconds. Control Panel - Network Connections - Local Area
    Chuck> Connection - Properties - TCP/IP Protocol, Properties - Use the
    Chuck> Following IP Address. You can enter whatever you want there.

    >> You are oversimplifying. It is simple to set another address; it
    >> is not so simple to use it. This by itself won't help you unless
    >> the host you're trying to spoof is on the same IP network as you,
    >> since otherwise the return traffic of the TCP connection will not
    >> come back to you. Even so, frequently there will be outbound
    >> filters on an enclosing network preventing your spoofed packets
    >> from even leaving, since their source addresses do not lie in the
    >> correct networks. And if the spoofed host is up at the same time,
    >> your computer will probably refuse to use the address, due to
    >> detecting via ARP traffic that another host is using the address;
    >> you'd need special exploit software.
    >>
    >> It's a bad idea to rely on source IP addresses for security, but at
    >> the same time let's not overstate the reality of the problem.
    >>


    Chuck> Not all attacks come from outside your network. This idea is
    Chuck> often overlooked.

    Re-read:

    >> ... This by itself won't help you unless the host you're trying to
    >> spoof is on the same IP network as you, ....


    --
    Richard Silverman
    res@qoxp.net


  18. Re: SSH auto trust all host keys,how to?

    Richard E. Silverman wrote:
    >>>>>> "Chuck" == Chuck writes:


    >
    > Chuck> Not all attacks come from outside your network. This idea is
    > Chuck> often overlooked.
    >
    > Re-read:
    >
    > >> ... This by itself won't help you unless the host you're trying to
    > >> spoof is on the same IP network as you, ....

    >


    Saw that the first time. I just wanted to emphasize a point that is
    often overlooked. Most network and system admins spend 99% of their
    efforts protecting against hi-tech external attacks when most successful
    attacks are either low tech or internal.

    Case in point is a guy I know who secured every aspect of his network
    application with SSL - except for the printer used to print paychecks.
    Wouldn't you know it that someone set up a packet sniffer on the
    printer's subnet and was able to steal payroll info.

    In another case, a company I used to work for hired a security auditor
    who was able to get application passwords by very low-tech means. He
    called the computer room posing as an irate executive who couldn't log
    on, and someone just gave him the password over the phone. Needless to
    say heads rolled (not mine).
