linux - How to stop adding IP from EC2 to known_hosts for ssh?

2013-08-09
  • projectshave

    I start/stop lots of new instances as I'm learning to use Amazon EC2. Every temporary instance is added to the known_hosts file. Is this ever a problem for others who use EC2 a lot?

    I'd like to tell ssh to skip this step anytime I connect to amazonaws.com. Is there a way to do that in the config? I'm using Linux & openssh.

  • Answers
  • BillThor

    This is done to prevent Man in the Middle attacks. Disabling it would disable basic functionality of the ssh tools.

    You may want to keep a copy of your .ssh/known_hosts file without the entries and replace it when you are done.

  • 8088

    Try this:

    ssh -q -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no -i $MYKEY $MYUSERNAME@$MYIP $MYCOMMAND
    

    You can also do this in your config file:

    Host *.amazonaws.com
      User root
      StrictHostKeyChecking no
      UserKnownHostsFile /dev/null
      LogLevel QUIET
    

  • Related Question

security - How do I skip the "known_host" question the first time I connect to a machine via SSH with public/private keys?

  • Related Answers
  • Jason Axelson

    All the other current answers are missing the UserKnownHostsFile=/dev/null

    If you just want to do it once you can use:

    ssh -o StrictHostKeychecking=no hostname
    

    If you want to do it repeatedly you should add something like the following to your ~/.ssh/config

    Host 192.168.0.*
        StrictHostKeyChecking no
        UserKnownHostsFile=/dev/null
    

    Good explanation from: http://linuxcommando.blogspot.com/2008/10/how-to-disable-ssh-host-key-checking.html

  • chaos

    Turn StrictHostKeyChecking off via ssh_config or command line options.

  • Nelson

    $ ssh -o StrictHostKeychecking=no hostname
    

    This will cause the check to be skipped and the remote host's key to automatically be added on first login. (There's also the option CheckHostIP, but it doesn't seem to actually disable the check for whether a key exists at all).

  • Tom Wijsman

    I think everyone missed the point. Sometimes you need to use ssh in a context where you know the host key will always be changing, such as installing new servers via serial console & ssh instead of standing in the cold server room at a crash cart. You re-use the same DHCP LAN IPs all the time for different servers and different reboots/reloads of a given piece of hardware. The remote machine is utterly temporary and dynamically generated since it just booted up a live CD or an install media via PXE. You're not using ssh because it's "secure". You're using ssh because the installers don't offer the option to use telnet.

    The answers above are either completely impractical, or don't actually work. I have both in my /etc/ssh/ssh_config on the client machine:

    CheckHostIP no
    StrictHostKeyChecking no
    

    Yet it still adds the remote keys (automatically at least) to known_hosts and then refuses to connect to that same IP later when the IP gets re-used or I reinstall the box. I might reboot a given box into the install system or live/rescue system a dozen times in a day or in an hour testing different options or different distributions or versions etc., and every single reboot will generate a new host key since the "host" is all just a transient ramdisk, and every time I have to go manually edit the damned line out of the damned known_hosts file just to ssh back in... On one box I went so far as to link known_hosts to /dev/null so that it always automatically adds the key and never finds it already there mismatched. But I can't very well do THAT on most of my boxes that I would otherwise want to ssh from. What then... a wrapper script that captures the IP and erases the matching host key automatically just before calling the real ssh binary? Le Suck.

    Damned annoying. I wish people (in this case openssh authors) would stop assuming they know what I should and shouldn't do without ever having met me or seen what exactly the job is I need done or in what context I'm doing it.

  • Tom Wijsman

    This took me a while to find. The most common use case I've seen is when you've got ssh tunnels to remote networks. All the solutions here produced warnings which broke my scripts (nagios).

    The option I needed was:

    NoHostAuthenticationForLocalhost yes
    

    Which, as the name suggests, only applies to localhost.

  • endolith

    You can disable the checking, but of course that is less secure. In an ideal situation what you should do is get someone that already has access to the machine to grab its public host key and tell ssh to use it, i.e. take the output of:

    cat /etc/ssh/ssh_host_rsa_key.pub
    

    prepend the hostname of the machine, and add that line to the ~/.ssh/known_hosts file on your machine. You'll end up with something that looks like:

    myhost.example.com ssh-rsa AAAAB3Netc...

    Alternately, if you just want to grab the fingerprint of the key, which may be easier to transfer over a limited bandwidth channel (like a phone call), you can have your helper run:

    ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
    
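    The pinning workflow in the answer above (take the server's `*.pub` line, prepend the hostname, and compare fingerprints out of band) is what `StrictHostKeyChecking` relies on. The following is an added example, not code from this thread or from OpenSSH: it builds the known_hosts entry, prints the SHA256 fingerprint in the same form `ssh-keygen -lf` does, decides match / mismatch / unknown for a key presented at connect time, and drops a stale entry the way `ssh-keygen -R` does for the reinstalled-box case raised elsewhere in the thread. The key blob is constructed placeholder bytes, not a real server key, and only plain (unhashed) hostnames are handled.

```python
"""Host-key pinning helpers (added example, not from the thread or OpenSSH).

Models what ssh does with ~/.ssh/known_hosts: pin a host's public key from
its /etc/ssh/ssh_host_*_key.pub, show the SHA256 fingerprint as printed by
`ssh-keygen -lf`, check a key presented at connect time against the pinned
entries, and remove an entry like `ssh-keygen -R`. All key material below is
constructed for the demo; it is not a real server key.
"""
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode one length-prefixed string in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line):
    """Return (key_type, base64_blob) from an OpenSSH *.pub line; comment ignored."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], parts[1]
    # The blob embeds its own type string; make sure the two agree.
    raw = base64.b64decode(blob)
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n].decode() != key_type:
        raise ValueError("key type does not match blob")
    return key_type, blob


def fingerprint(blob):
    """SHA256 fingerprint as printed by `ssh-keygen -lf` (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(hostname, pub_line):
    """Build the known_hosts entry: hostname prepended to type and blob."""
    key_type, blob = parse_pubkey_line(pub_line)
    return "%s %s %s" % (hostname, key_type, blob)


def check_host_key(known_hosts, hostname, key_type, blob):
    """Return 'match', 'mismatch' or 'unknown' for a key presented at connect.

    'mismatch' is the case StrictHostKeyChecking exists to catch: the host is
    pinned but the key differs (a reinstalled box, or a man-in-the-middle).
    Only plain hostname/IP entries are handled, not hashed (|1|...) ones.
    """
    seen_host = False
    for line in known_hosts.splitlines():
        if line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, entry_type, entry_blob = fields[0].split(","), fields[1], fields[2]
        if hostname in hosts and entry_type == key_type:
            seen_host = True
            if entry_blob == blob:
                return "match"
    return "mismatch" if seen_host else "unknown"


def remove_host(known_hosts, hostname):
    """Drop every entry for hostname, like `ssh-keygen -R hostname`."""
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and hostname in fields[0].split(","):
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else "")


# Constructed demo key: an ssh-ed25519 blob wrapping 32 placeholder bytes.
DEMO_TYPE = "ssh-ed25519"
DEMO_BLOB = base64.b64encode(
    ssh_string(DEMO_TYPE.encode()) + ssh_string(bytes(range(32)))).decode()
DEMO_PUB_LINE = "%s %s root@demo-host" % (DEMO_TYPE, DEMO_BLOB)
# A second constructed key standing in for a reinstalled box (or an attacker).
OTHER_BLOB = base64.b64encode(
    ssh_string(DEMO_TYPE.encode()) + ssh_string(bytes(32))).decode()

if __name__ == "__main__":
    entry = known_hosts_line("myhost.example.com", DEMO_PUB_LINE)
    print(entry)                       # the line to add to ~/.ssh/known_hosts
    print(fingerprint(DEMO_BLOB))      # what to read out over the phone
    kh = entry + "\n"
    print(check_host_key(kh, "myhost.example.com", DEMO_TYPE, DEMO_BLOB))   # match
    print(check_host_key(kh, "myhost.example.com", DEMO_TYPE, OTHER_BLOB))  # mismatch
    kh = remove_host(kh, "myhost.example.com")                              # ssh-keygen -R
    print(check_host_key(kh, "myhost.example.com", DEMO_TYPE, OTHER_BLOB))  # unknown
```

    The "mismatch" branch is the one the thread's `/dev/null` tricks throw away: with `UserKnownHostsFile /dev/null` every connection is "unknown", so a changed key on a reused IP is indistinguishable from an interposed host. Removing just the stale entry (the `remove_host` step) keeps the check for every other host.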
  • Cliff Kennedy

    1. Add "StrictHostKeyChecking no" to /etc/ssh/ssh_config
    2. cd ~/.ssh
    3. rm known_hosts
    4. ln -s /dev/null known_hosts

    Bingo