completely suppress remote host identification checking for trusted local servers

Ben bda20 at cam.ac.uk
Sat Aug 28 06:34:28 UTC 2010


On Fri, 27 Aug 2010, Rahul Nabar wrote:

> Whenever I re-install a server ssh issues a warning:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> f1:7c:70:31:8f:2a:da:eb:21:37:e9:1a:6c:3d:d4:7a.
> Please contact your system administrator.
> Add correct host key in /home/foo/.ssh/known_hosts to get rid of this message.
> Offending key in /home/foo/.ssh/known_hosts:218
> Password authentication is disabled to avoid man-in-the-middle attacks.
> Keyboard-interactive authentication is disabled to avoid
> man-in-the-middle attacks.
>
> But these are local compute-nodes in a cluster so that warning is
> quite superfluous. In order to suppress this ssh warning I trick ssh
> by this hack:
>
> cat ~foo/.ssh/config
> host local_server_name*
>   StrictHostKeyChecking no
>   UserKnownHostsFile=/dev/null
>
> But I still get ssh going through the unnecessary step where it still
> adds to the non-existent known_hosts file.
>
> Warning: Permanently added 'eu003,10.0.0.3' (RSA) to the list of known hosts.
> Warning: Permanently added 'eu004,10.0.0.4' (RSA) to the list of known hosts.
> [snip]
>
> This does add an overhead at startup of jobs that ssh to multiple
> servers. Is there a better way out to completely suppress remote host
> identification checks?

Yes.  Once you've built a server, zip up the files /etc/ssh/ssh_host_* and 
copy them off to your build server with the name of the server as the zip's 
file name.  When you rebuild, make part of the post install process copying 
the zip back and unzipping it in the freshly created /etc/ssh/.  That way 
that server will always have the same host keys.

Ben
-- 
Unix Support, MISD, University of Cambridge, England
Plugger of wire, typer of keyboard, imparter of Clue
         Life Is Short.          It's All Good.
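The key-preservation workflow Ben describes, written out as an added shell example (it is not code from the thread). It assumes tar rather than zip, and takes the SSH directory, host name and archive store as parameters so it can be exercised on a scratch directory before being pointed at /etc/ssh.

```shell
#!/bin/sh
# Added example: keep a server's SSH host keys across rebuilds so clients
# keep seeing the same host identity instead of a changed-key warning.
# Assumptions (not from the thread): tar instead of zip; KEY_STORE lives on
# the build server; the archive holds private keys and must stay owner-only.

# save_host_keys SSH_DIR HOST KEY_STORE
# Run once on a built server: archive ssh_host_* into KEY_STORE/HOST.tar.
save_host_keys() {
    ssh_dir=$1; host=$2; store=$3
    mkdir -p "$store"
    archive=$(cd "$store" && pwd)/$host.tar
    # umask 077 in a subshell: the archive is created 0600 and the caller's
    # umask is untouched; relative names so the tar does not carry /etc/ssh
    (umask 077; cd "$ssh_dir" && tar -cf "$archive" ssh_host_*)
}

# restore_host_keys SSH_DIR HOST KEY_STORE
# Post-install step: unpack the saved keys into the fresh SSH_DIR and reset
# the modes sshd expects (private keys 0600, public keys 0644).
restore_host_keys() {
    ssh_dir=$1; host=$2; store=$3
    [ -f "$store/$host.tar" ] || { echo "no saved host keys for $host" >&2; return 1; }
    mkdir -p "$ssh_dir"
    tar -xf "$store/$host.tar" -C "$ssh_dir"
    for f in "$ssh_dir"/ssh_host_*; do
        case $f in
            *.pub) chmod 644 "$f" ;;
            *)     chmod 600 "$f" ;;
        esac
    done
}

# host_keys_match DIR_A DIR_B
# Returns 0 if every ssh_host_* file in DIR_A is byte-identical in DIR_B;
# use it to confirm the restored server presents the same identity.
host_keys_match() {
    for f in "$1"/ssh_host_*; do
        cmp -s "$f" "$2/$(basename "$f")" || return 1
    done
    return 0
}
```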
