linux - How to stop adding IP from EC2 to known_hosts for ssh?
2013-08
I start/stop lots of new instances as I'm learning to use Amazon EC2. Every temporary instance is added to the known_hosts file. Is this ever a problem for others who use EC2 a lot?
I'd like to tell ssh to skip this step anytime I connect to amazonaws.com. Is there a way to do that in the config? I'm using Linux & openssh.
This is done to prevent Man in the Middle attacks. Disabling it would disable basic functionality of the ssh tools.
You may want to keep a copy of your .ssh/known_hosts file without the entries and replace it when you are done.
Try this:
ssh -q -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no -i $MYKEY $MYUSERNAME@$MYIP $MYCOMMAND
You can also do this in your config file:
Host *.amazonaws.com
    User root
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    LogLevel QUIET
How do I skip the "known_host" question the first time I connect to a machine via SSH with public/private keys?
All the other current answers are missing the UserKnownHostsFile=/dev/null
If you just want to do it once you can use:
ssh -o StrictHostKeyChecking=no hostname
If you want to do it repeatedly you should add something like the following to your ~/.ssh/config
Host 192.168.0.*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
Good explanation from: http://linuxcommando.blogspot.com/2008/10/how-to-disable-ssh-host-key-checking.html
Turn StrictHostKeyChecking off via ssh_config or command line options.
$ ssh -o StrictHostKeyChecking=no hostname
This will cause the check to be skipped and the remote host's key to automatically be added on first login. (There's also the option CheckHostIP, but it doesn't seem to actually disable the check for whether a key exists at all).
I think everyone missed the point. Sometimes you need to use ssh in a context where you know the host key will always be changing, such as installing new servers via serial console & ssh instead of standing in the cold server room at a crash cart. You re-use the same DHCP LAN IPs all the time for different servers and different reboots/reloads of a given piece of hardware. The remote machine is utterly temporary and dynamically generated since it just booted up a live CD or an install media via PXE. You're not using ssh because it's "secure". You're using ssh because the installers don't offer the option to use telnet.
The answers above are either completely impractical, or don't actually work. I have both in my /etc/ssh/ssh_config on the client machine:
    CheckHostIP no
    StrictHostKeyChecking no
Yet it still adds the remote keys (automatically at least) to known_hosts and then refuses to connect to that same ip later when the ip gets re-used or I reinstall the box. I might reboot a given box into the install system or live/rescue system a dozen times in a day or in an hour testing different options or different distributions or versions etc, and every single reboot will generate a new host key since the "host" is all just a transient ramdisk, and every time I have to go manually edit the damned line out of the damned known_hosts file just to ssh back in... On one box I went so far as to link known_hosts to /dev/null so that it always automatically adds the key and never finds it already there mismatched. But I can't very well do THAT on most of my boxes that I would otherwise want to ssh from. What then.. a wrapper script that captures the ip and erases the matching host key automatically just before calling the real ssh binary? Le Suck.
Damned annoying. I wish people (in this case openssh authors) would stop assuming they know what I should and shouldn't do without ever having met me or seen what exactly the job is I need done or in what context I'm doing it.
This took me a while to find. The most common usecase I've seen is when you've got ssh tunnels to remote networks. All the solutions here produced warnings which broke my scripts (nagios).
The option I needed was:
NoHostAuthenticationForLocalhost yes
Which, as the name suggests, only applies to localhost.
You can disable the checking, but of course that is less secure. In an ideal situation what you should do is get someone that already has access to the machine to grab its public host key and tell ssh to use it. i.e.: take the output of:
cat /etc/ssh/ssh_host_rsa_key.pub
prepend the hostname of the machine, and add that line to the ~/.ssh/known_hosts file on your machine. You'll end up with something that looks like:
myhost.example.com ssh-rsa AAAAB3Netc...
Alternately, if you just want to grab the fingerprint of the key, which may be easier to transfer over a limited bandwidth channel (like a phone call), you can have your helper run:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
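Checking that the fingerprint read out over the phone really belongs to the known_hosts line you were sent, before appending it, as an added Python example (not from the answer above). It reproduces the SHA256 fingerprint format printed by `ssh-keygen -lf`; the sample key blob is constructed in SSH wire format for demonstration and is not a real host key.

```python
import base64
import hashlib
import tempfile


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample: a fake "ssh-rsa" blob (type, exponent, modulus) and the
# known_hosts line a helper might send you, in the form "host keytype base64".
_FAKE_BLOB = (_ssh_string(b"ssh-rsa")
              + _ssh_string(b"\x01\x00\x01")
              + _ssh_string(b"\x00\xc0\xff\xee" * 8))
SAMPLE_LINE = "myhost.example.com ssh-rsa " + base64.b64encode(_FAKE_BLOB).decode()


def fingerprint(known_hosts_line: str) -> str:
    """Return the key's fingerprint as `ssh-keygen -lf` prints it:
    "SHA256:" + unpadded base64 of the SHA-256 digest of the raw key blob."""
    _host, keytype, blob_b64 = known_hosts_line.split()[:3]
    blob = base64.b64decode(blob_b64)
    # The blob must start with the declared key type, or the line is garbled.
    if not blob.startswith(_ssh_string(keytype.encode())):
        raise ValueError("key blob does not match declared key type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def add_if_verified(known_hosts_line: str, expected_fp: str, path: str) -> bool:
    """Append the line to the known_hosts file at `path` only if its
    fingerprint matches the one obtained out of band. Returns True if added."""
    if fingerprint(known_hosts_line) != expected_fp.strip():
        return False
    with open(path, "a") as f:
        f.write(known_hosts_line.rstrip("\n") + "\n")
    return True


def demo() -> bool:
    """Verify SAMPLE_LINE against its own fingerprint into a scratch file."""
    with tempfile.NamedTemporaryFile("w", suffix="known_hosts", delete=False) as f:
        path = f.name
    return add_if_verified(SAMPLE_LINE, fingerprint(SAMPLE_LINE), path)
```

A mismatch means the line was altered in transit or belongs to a different machine; refuse it rather than letting StrictHostKeyChecking no paper over the difference.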
- Add "StrictHostKeyChecking no" to /etc/ssh/ssh_config
- cd ~/.ssh
- rm known_hosts
- ln -s /dev/null known_hosts
Bingo