John Summerfield
2002-Apr-10 22:23 UTC
I need to be able to turn off host checking entirely
I have a small LAN. The entire system is within my view - all the hosts, the switch and the wire. If someone is in a position to do a "man in the middle" attack, there's no need - they already have me.

Over the other side of the room, and beside my desk, I have test systems. I use disk caddies (see www.vipower.com for examples) and can switch operating systems in about the time it takes to cycle power; I pull one drive out (with power off), push in another and reboot.

One of the things the test system's used for is kickstart installing Red Hat Linux, and a test can take less than 20 minutes.

Then there's my "production" system for the same box, and Windows NT.....

Actually, NT's not involved in the problem.

I'm getting thoroughly sick of the checking the ssh command does, and I've turned off as much as I can figure out, but I still get this:

[summer at numbat summer]$ ssh possum
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
22:dc:6b:57:31:b3:0a:3c:07:7e:8d:60:1a:c0:b7:5f.
Please contact your system administrator.
Add correct host key in /home/summer/.ssh/known_hosts to get rid of this message.
Offending key in /home/summer/.ssh/known_hosts:2
Password authentication is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
Last login: Thu Apr 11 06:06:30 2002 from numbat.os2.ami.com.au
[summer at possum summer]$

Now, I suppose I can live with the messages (but I'd rather not). What I really need is to have the connexion to the machine 'just work.'

I want X11 forwarding to work.
Just like this:

[summer at numbat summer]$ ssh dugite
Last login: Thu Apr 11 05:04:54 2002 from numbat.os2.ami.com.au
[summer at dugite summer]$

I appreciate there are several crude hacks I can use. Like supplying the host key when I install on possum, but that seems to me even worse.

-- 
Cheers
John Summerfield

Microsoft's most solid OS: http://www.geocities.com/rcwoolley/

Note: mail delivered to me is deemed to be intended for me, for my disposition.

=============================
If you don't like being told you're wrong, be right!
why don't you unify all your keys over all those disk images? Or switch to rsh. No reason to be deploying encryption on a closed lan.

- Ben

On Thu, 11 Apr 2002, John Summerfield wrote:

> I have a small LAN. The entire system is within my view - all the
> hosts, the switch and the wire. If someone is in a position to do a
> "man in the middle" attack, there's no need - they already have me.
> [...]
John Summerfield wrote:
> I'm getting thoroughly sick of the checking the ssh command does, and
> I've turned off as much as I can figure out, but I still get this:
> [summer at numbat summer]$ ssh possum
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

How about:

$ cat .ssh/config
Host possum-linux1
    HostKeyAlias possum-linux1
Host possum-linux2
    HostKeyAlias possum-linux2

or:

$ ln -s /dev/null .ssh/known_hosts

-Daz.
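As an added illustration (not code from this thread or from OpenSSH), a small Python model of the known_hosts decision behind the warning above, and of how Daz's HostKeyAlias stanzas give each disk image its own entry. It assumes each stanza also carries HostName possum so the alias still reaches the same box; the known_hosts lines and keys are constructed placeholders.

```python
# Model of OpenSSH's known_hosts decision: one address that boots several OS
# images trips "HOST IDENTIFICATION HAS CHANGED"; HostKeyAlias gives each image
# its own entry. Sample files are constructed; the keys are fake placeholders.
KNOWN_HOSTS = """\
dugite,192.168.1.10 ssh-rsa AAAAB3dugiteFAKE== summer@numbat
possum ssh-rsa AAAAB3linux1FAKE== recorded while image 1 was in the caddy
possum-linux1 ssh-rsa AAAAB3linux1FAKE==
possum-linux2 ssh-rsa AAAAB3linux2FAKE==
"""
# Daz's stanzas plus HostName (an assumption) so each alias reaches the same box.
SSH_CONFIG = """\
Host possum-linux1
    HostName possum
    HostKeyAlias possum-linux1
Host possum-linux2
    HostName possum
    HostKeyAlias possum-linux2
"""

def parse_known_hosts(text):
    """(hostnames, keytype, key) per usable line; skips '#', '@...' and hashed '|1|' lines."""
    rows = [line.split(None, 3) for line in text.splitlines()]
    return [(p[0].split(","), p[1], p[2]) for p in rows if len(p) >= 3 and p[0][0] not in "#@|"]

def check_host_key(known_hosts, name, keytype, presented):
    """'ok' if a recorded key matches, 'changed' if only other keys are
    recorded for this name and type, 'unknown' if none are."""
    recorded = [k for hosts, kt, k in parse_known_hosts(known_hosts)
                if name in hosts and kt == keytype]
    if presented in recorded:
        return "ok"
    return "changed" if recorded else "unknown"

def resolve(ssh_config, host):
    """Exact-match ssh_config reader: (address to connect to, known_hosts name)."""
    opts, current = {}, None
    for tok in (ln.split() for ln in ssh_config.splitlines()):
        if len(tok) >= 2 and tok[0].lower() == "host":
            current = tok[1]
        elif len(tok) >= 2 and current == host:
            opts[tok[0].lower()] = tok[1]
    hostname = opts.get("hostname", host)
    return hostname, opts.get("hostkeyalias", hostname)

def demo():
    key2 = "AAAAB3linux2FAKE=="   # key image 2 presents after the caddy swap
    plain = check_host_key(KNOWN_HOSTS, "possum", "ssh-rsa", key2)   # 'changed'
    addr, name = resolve(SSH_CONFIG, "possum-linux2")                 # 'possum', alias
    return plain, addr, check_host_key(KNOWN_HOSTS, name, "ssh-rsa", key2)  # ..., 'ok'
```

The first lookup reproduces the warning (the stale "possum" entry still holds image 1's key); the aliased lookup connects to the same address but checks its own entry, so the `ln -s /dev/null` option is not needed to silence it.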