bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-29 19:03 UTC
[Bug 1788] New: simple option to ignore known_hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=1788

           Summary: simple option to ignore known_hosts
           Product: Portable OpenSSH
           Version: 5.5p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: avalon at friendofpooh.com

Hello,

when one works with dynamic provisioning of machines, known_hosts checks stop being an effective security measure and are a PITA to deal with. For example, when one creates lots of Amazon EC2 cloud machines and connects to them, one gets asked for confirmations, and known_hosts also gets bloated with useless records.

Could you implement a simple option to ignore known_host checks and also not record fingerprints in known_hosts?

Currently my workaround is like:

Host *.amazonaws.com
    HashKnownHosts no
    CheckHostIP no
    StrictHostKeyChecking no
    UserKnownHostsFile /tmp/somefile

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-02 03:29 UTC
[Bug 1788] simple option to ignore known_hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=1788

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
You can already do this with "UserKnownhostsFile /dev/null" but that doesn't make it a good idea as you lose all MITM protection.

If you have a pre-existing trust relationship with the provisioner then they could create a certified host key (see SSH_KNOWN_HOSTS_FORMAT in sshd(8) and ssh-keygen(1))
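A small audit of the two approaches discussed in this thread, as an added example that is not part of the original bug report or of OpenSSH: it resolves the effective ssh_config options for a hostname and reports whether host key checking has been weakened and whether an @cert-authority entry in known_hosts covers that host. The sample config and known_hosts text are constructed, *.build.example and the key blob are placeholders, and treating /tmp/ paths as throwaway is an assumption of this example.

```python
import fnmatch
import re

# Constructed sample: the reporter's workaround plus a block that keeps checking on.
SAMPLE_CONFIG = """\
Host *.amazonaws.com
    HashKnownHosts no
    CheckHostIP no
    StrictHostKeyChecking no
    UserKnownHostsFile /tmp/somefile
Host *.build.example
    StrictHostKeyChecking yes
"""
# Constructed known_hosts line; the key blob is a placeholder, not a real CA key.
SAMPLE_KNOWN_HOSTS = "@cert-authority *.build.example ssh-ed25519 AAAA_PLACEHOLDER\n"

def _match(host, patterns):
    """Pattern-list match: a positive pattern hits and no '!' pattern hits."""
    neg = any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!"))
    pos = any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))
    return pos and not neg

def effective_options(host, config_text):
    """Resolve options for host; the first value obtained for a keyword wins."""
    opts, active = {}, True  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host":
            active = _match(host, value.split())
        elif key == "match":
            active = False  # Match blocks are not evaluated by this example
        elif active:
            opts.setdefault(key, value)
    return opts

def audit(host, config_text, known_hosts_text):
    """Report weakened host-key checking and whether a host CA covers host."""
    host, findings = host.lower(), []
    opts = effective_options(host, config_text)
    if opts.get("stricthostkeychecking", "ask").lower() in ("no", "off"):
        findings.append("unknown host keys accepted without confirmation")
    if any(f == "/dev/null" or f.startswith("/tmp/") for f in opts.get("userknownhostsfile", "").split()):
        findings.append("known_hosts is a throwaway file")
    ca = any(len(f) >= 3 and f[0] == "@cert-authority" and _match(host, f[1].split(","))
             for f in map(str.split, known_hosts_text.splitlines()))
    return {"findings": findings, "ca_trusted": ca}
```

Calling `audit()` with a hostname that matches `*.amazonaws.com` in the sample returns both findings and no CA coverage, while a `*.build.example` host returns no findings and `ca_trusted` set to true.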
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24 01:33 UTC
[Bug 1788] simple option to ignore known_hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=1788

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> 2011-01-24 12:33:56 EST ---
Move resolved bugs to CLOSED after 5.7 release