CheckHostIP not stopping known_hosts - SSH


  1. CheckHostIP not stopping known_hosts

    Are there other settings on the server or other options to use
    with -o to turn off known_hosts checking? I have multiple
    hosts behind a firewall on different ports but try as I might
    to use various options such as CheckHostIP=no and
    StrictHostKeyChecking=no in various locations and on
    the cmd line it just never works. Read the man page some
    more, do a search, try different versions, yadda yadda.
    Waved the red crystal but need the secret incantation...

    OpenSSH_3.6.1p2 & OpenSSH_3.9p1, RHEL 3 & 4.

    Don


  2. Re: CheckHostIP not stopping known_hosts

    >>>>> "dshesnicky" == dshesnicky writes:

    dshesnicky> Are there other settings on the server or other options to
    dshesnicky> use with -o to turn off known_hosts checking?

    No.

    dshesnicky> I have multiple hosts behind a firewall on different ports but
    dshesnicky> try as I might to use various options such as
    dshesnicky> CheckHostIP=no and StrictHostKeyChecking=no in various
    dshesnicky> locations and on the cmd line it just never works. Read
    dshesnicky> the man page some more, do a search, try different
    dshesnicky> versions, yadda yadda. Waved the red crystal but need the
    dshesnicky> secret incantation...

    dshesnicky> OpenSSH_3.6.1p2 & OpenSSH_3.9p1, RHEL 3 & 4.

    Just authorize multiple keys on the same host:

    firewall,host1 ssh-rsa
    firewall,host2 ssh-rsa
    ....

    --
    Richard Silverman
    res@qoxp.net


  3. Re: CheckHostIP not stopping known_hosts

    On 2006-06-23, Richard E. Silverman wrote:
    >>>>>> "dshesnicky" == dshesnicky writes:

    >
    > dshesnicky> Are there other settings on the server or other options to
    > dshesnicky> use with -o to turn off known_hosts checking?
    >
    > No.


    Actually you can on the client side (as long as the host key isn't in
    the system-wide known_hosts file) but it's still a bad idea for obvious
    reasons.

    To the OP: See below for alternate solutions.

    > dshesnicky> I have multiple hosts behind a firewall on different ports but
    > dshesnicky> try as I might to use various options such as
    > dshesnicky> CheckHostIP=no and StrictHostKeyChecking=no in various
    > dshesnicky> locations and on the cmd line it just never works. Read
    > dshesnicky> the man page some more, do a search, try different
    > dshesnicky> versions, yadda yadda. Waved the red crystal but need the
    > dshesnicky> secret incantation...
    >
    > dshesnicky> OpenSSH_3.6.1p2 & OpenSSH_3.9p1, RHEL 3 & 4.
    >
    > Just authorize multiple keys on the same host:
    >
    > firewall,host1 ssh-rsa
    > firewall,host2 ssh-rsa


    Or use a HostKeyAlias in ~/.ssh/config:

    Host hosta
        Hostname firewall
        Port 1234
        HostKeyAlias hosta

    Host hostb
        Hostname firewall
        Port 1235
        HostKeyAlias hostb

    or the equivalent command line:

    $ ssh -o hostkeyalias=hosta -p 1234 firewall

    or try the patch here:
    http://bugzilla.mindrot.org/show_bug.cgi?id=910
    (and if you do try the patch please report success or failure).

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
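
The difference between the two suggestions in this thread, as an added example that is not part of any poster's message and is not OpenSSH code: a simplified Python model of the client's known_hosts lookup, in which the port is ignored and the lookup name is the HostKeyAlias when one is set. The key blobs, the `parse_known_hosts` and `check_host_key` helpers and the case names are constructed for illustration; hashed names, wildcards and CheckHostIP are not modelled.

```python
# Simplified model of the client's known_hosts lookup (added illustration).
# Ignores hashed names, wildcards, @markers and CheckHostIP.

def parse_known_hosts(text):
    """Return [(set_of_names, keytype, blob)] from known_hosts-style lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        entries.append((set(fields[0].split(",")), fields[1], fields[2]))
    return entries

def check_host_key(entries, hostname, port, offered, host_key_alias=None):
    """Return 'ok', 'changed' or 'new' for the offered (keytype, blob).

    The lookup name is HostKeyAlias when set, else Hostname. `port` is
    deliberately unused: in this model it plays no part in the lookup.
    """
    lookup = host_key_alias or hostname
    keytype, blob = offered
    same_type_seen = False
    for names, ktype, kblob in entries:
        if lookup in names and ktype == keytype:
            if kblob == blob:
                return "ok"
            same_type_seen = True
    return "changed" if same_type_seen else "new"

# Constructed placeholders, not real keys.
KEY_A = ("ssh-rsa", "CONSTRUCTED-KEY-HOSTA")
KEY_B = ("ssh-rsa", "CONSTRUCTED-KEY-HOSTB")
ONE_NAME = parse_known_hosts("firewall ssh-rsa CONSTRUCTED-KEY-HOSTA\n")
MULTI_KEY = parse_known_hosts("firewall,host1 ssh-rsa CONSTRUCTED-KEY-HOSTA\n"
                              "firewall,host2 ssh-rsa CONSTRUCTED-KEY-HOSTB\n")
ALIASED = parse_known_hosts("hosta ssh-rsa CONSTRUCTED-KEY-HOSTA\n"
                            "hostb ssh-rsa CONSTRUCTED-KEY-HOSTB\n")

def demo():
    return {
        # second machine behind the firewall, only the first key stored
        "plain_second_host": check_host_key(ONE_NAME, "firewall", 1235, KEY_B),
        # several keys listed for "firewall": either key passes on either port
        "multi_right_key": check_host_key(MULTI_KEY, "firewall", 1235, KEY_B),
        "multi_wrong_key": check_host_key(MULTI_KEY, "firewall", 1235, KEY_A),
        # HostKeyAlias: each port is pinned to exactly one key
        "alias_right_key": check_host_key(ALIASED, "firewall", 1235, KEY_B, "hostb"),
        "alias_wrong_key": check_host_key(ALIASED, "firewall", 1235, KEY_A, "hostb"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With several keys listed under `firewall`, the key of one backend is accepted on another backend's port, whereas with a HostKeyAlias per port the same key is reported as changed.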
