topic Re: Disable ssh host key in Operating System - Linux

Disable ssh host key

WW288996 — Mon, 08 Mar 2010 06:35:13 GMT

Hi All,

I want to disable ssh authentication message.
If I do ssh to the 10.58.131.51 machine, I have to type "yes" first time before giving password.

How can I avoid this?

I have already configured passwordless ssh authentication.

How can I avoid the following message ?

The authenticity of host '10.58.131.51 (10.58.131.51)' can't be established.
RSA key fingerprint is 92:01:d7:e4:b0:69:8a:21:bd:ee:10:a2:39:35:7e:46.
Are you sure you want to continue connecting (yes/no)?

Please help me in this regard. I am using RHEL 5.4 on an HP hardware and open ssh version is ssh 4.3p.

Re: Disable ssh host key

Modris Bremze — Mon, 08 Mar 2010 07:08:45 GMT

When connecting for the first time, the new host key is not yet in the local ~/.ssh/known_hosts file. To get rid of the message You must somehow get the host key in that file before connecting. The "Tips" section at http://www.securityfocus.com/infocus/1806 might have something useful. HTH.

Re: Disable ssh host key

WW288996 — Mon, 08 Mar 2010 07:28:52 GMT

our scripts want to avoid this message.

Re: Disable ssh host key

Matti_Kurkela — Mon, 08 Mar 2010 07:31:27 GMT

Ideally, you should gather the host keys of all your SSH servers and store them to /etc/ssh/ssh_known_hosts on all hosts used as SSH clients. This way you will be both protected from man-in-the-middle attacks and offering maximum user convenience.

The OpenSSH suite includes a ssh-keyscan tool to create this file quickly (run "man ssh-keyscan" to see documentation).

If /etc/ssh/ssh_known_hosts does not exist or does not contain the public hostkey of the host you're connecting to, the SSH client will show you that message, then attempt to save the host key to $HOME/.ssh/known_hosts. If $HOME/.ssh is not writable by the user, this step is simply skipped and the message will be displayed again in the future.

(NOTE: $HOME/.ssh should normally be owned by the user that's using it, and have drwx------ permissions. The directory must be protected from write access of other users, or else SSH will not use any files found in it.)

If you really cannot have neither a centralised /etc/ssh/ssh_known_hosts file for all users nor a regular per-user $HOME/.ssh/known_hosts file, it is possible to set the StrictHostKeyChecking option to "no", although this is definitely not recommended because that configuration will allow an attacker to set up a proxy between you and the host you're connecting to without your noticing. Such a proxy would see all your SSH traffic unencrypted (it would decrypt everything it receives, then re-encrypt it for the real connection target).

This option can be specified in the command line as "ssh -o StrictHostKeyChecking=no", or it can be configured in $HOME/.ssh/config or /etc/ssh/ssh_config as:

StrictHostKeyChecking no

MK

Re: Disable ssh host key

Modris Bremze — Mon, 08 Mar 2010 09:00:24 GMT

It really doesn't matter - if ssh is not asking You for confirmation, it will not ask "the script" and vice versa.

Re: Disable ssh host key

Ralph Grothe — Mon, 08 Mar 2010 09:56:45 GMT

Hi,

I haven't read the through the replies already given, so the answer most likely has been given already.

Anyway, the reliance on your ssh client's security measures is totally up to the user's discretion, and can mostly be (deliberately) undermined (provided the remote ssh server permits this).

E.g. here's what I often do when I have tunneled some port by local or remote port forwarding in advance.

$ ssh -o userknownhostsfile=/dev/null -o stricthostkeychecking=no -p 2222 localhost ...

If you want to supress any warning messages informing you that the host key has been added to user's known hosts file (which of course is /dev/null) simply add the -q option to the command.

If you feel this is too much typing then edit your ~/.ssh/config file and put in some stanza like this (indentations and case are irrelevant):

Host inconsiderate
HostName 1.2.3.4
User somebody
UserKnownHostsFile /dev/null
StrictHostkeyChecking no
LogLevel quiet

Then you can simply connect by

$ ssh inconsiderate

Re: Disable ssh host key

Viktor Balogh — Tue, 09 Mar 2010 14:05:16 GMT

Hi,

if you want to use ssh from within a script, use this:

# ssh -o BatchMode yes

"The option BatchMode specifies whether a username and password querying on connect will be disabled. This option is useful when you create scripts and dont want to supply the password. e.g. Scripts that use the scp command to make backups over the network. "

AFAIK in BatchMode that question won't appear, and the machine will be skipped.

Regards,
Viktor