
Re: completely suppress remote host identification checking for trusted local servers



On Fri, 27 Aug 2010, Rahul Nabar wrote:

Whenever I re-install a server ssh issues a warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f1:7c:70:31:8f:2a:da:eb:21:37:e9:1a:6c:3d:d4:7a.
Please contact your system administrator.
Add correct host key in /home/foo/.ssh/known_hosts to get rid of this message.
Offending key in /home/foo/.ssh/known_hosts:218
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid
man-in-the-middle attacks.

But these are local compute-nodes in a cluster so that warning is
quite superfluous. In order to suppress this ssh warning I trick ssh
by this hack:

cat ~foo/.ssh/config
host local_server_name*
  StrictHostKeyChecking no
  UserKnownHostsFile=/dev/null

But I still get ssh going through the unnecessary step where it still
adds to the non-existent known_hosts file.

Warning: Permanently added 'eu003,10.0.0.3' (RSA) to the list of known hosts.
Warning: Permanently added 'eu004,10.0.0.4' (RSA) to the list of known hosts.
[snip]

This does add an overhead at startup of jobs that ssh to multiple
servers. Is there a better way out to completely suppress remote host
identification checks?

Yes. Once you've built a server, zip up the files /etc/ssh/ssh_host_* and copy them off to your build server with the name of the server as the zip's file name. When you rebuild, make part of the post install process copying the zip back and unzipping it in the freshly created /etc/ssh/. That way that server will always have the same host keys.

Ben
--
Unix Support, MISD, University of Cambridge, England
Plugger of wire, typer of keyboard, imparter of Clue
        Life Is Short.          It's All Good.
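
Added example, not part of the message above: a sketch of the backup-and-restore procedure Ben describes, using tar in place of zip. The function names and the `/srv/hostkeys` store path are assumptions, as is the idea that the store directory is the location that ends up on the build server.

```shell
#!/bin/sh
# Added example: keep a server's SSH host keys across a reinstall.
# Hypothetical defaults: SSH_DIR=/etc/ssh, STORE=/srv/hostkeys.

# backup_host_keys NAME [SSH_DIR] [STORE]
# Run once after the first build; writes STORE/NAME.tar.
backup_host_keys() {
    name=$1; ssh_dir=${2:-/etc/ssh}; store=${3:-/srv/hostkeys}
    ( umask 077                        # the archive contains private keys
      mkdir -p "$store" || exit 1
      cd "$ssh_dir" || exit 1
      set -- ssh_host_*
      [ -e "$1" ] || { echo "no host keys in $ssh_dir" >&2; exit 1; }
      tar -cpf "$store/$name.tar" "$@" )
}

# restore_host_keys NAME [SSH_DIR] [STORE]
# Run from the post-install step, before sshd starts.
restore_host_keys() {
    name=$1; ssh_dir=${2:-/etc/ssh}; store=${3:-/srv/hostkeys}
    archive=$store/$name.tar
    [ -f "$archive" ] || { echo "no archive for $name" >&2; return 1; }
    # Refuse archives holding anything other than plain ssh_host_* files.
    if tar -tf "$archive" | grep -qv '^ssh_host_[A-Za-z0-9_.]*$'; then
        echo "unexpected member in $archive" >&2; return 1
    fi
    tar -xpf "$archive" -C "$ssh_dir" || return 1
    # sshd refuses private keys that other users can read.
    for f in "$ssh_dir"/ssh_host_*; do
        case $f in
            *.pub) chmod 644 "$f" ;;
            *)     chmod 600 "$f" ;;
        esac
    done
}
```

Because the host keys survive the rebuild, clients keep their existing known_hosts entries and host key checking can stay enabled for these nodes.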


