Let me start by saying that I think OpenSSH is a great tool and thanks to everyone contributing to its existence.

However, I have a request:

I'd like to have a flag that ignores the check of the host key. I'm fully aware that this opens up for man-in-the-middle attacks and that there is a risk of lazy users misusing this feature, but it would be very useful for us using SSH in a lab environment where the host key of the equipment frequently changes.

Tobias Karlsson wrote:
> Let me start by saying that I think OpenSSH is a great tool and thanks to everyone contributing to its existence.

Agreed!

> However, I have a request:
>
> I'd like to have a flag that ignores the check of the host key. I'm fully aware that this opens up for man-in-the-middle attacks and that there is a risk of lazy users misusing this feature, but it would be very useful for us using SSH in a lab environment where the host key of the equipment frequently changes.

I've often thought about this too, however I can't bring myself to skipping hostkey checks altogether, that's just crazy talk. One thing I thought might be reasonable was a .ssh/unknown_hosts file where you could list hostnames or IPs or maybe even IP ranges that would not be strictly enforced. Maybe it would still cache the key and let you know it's changed (useful for when someone reinstalls your lab system without telling you.)

Of course, I haven't started working on this patch, so...

-matt

--On June 20, 2008 11:04:18 AM -0700 Tobias Karlsson <jtkarlsson1973 at yahoo.com> wrote:
> Let me start by saying that I think OpenSSH is a great tool and thanks to
> everyone contributing to its existence.
>
> However, I have a request:
>
> I'd like to have a flag that ignores the check of the host key. I'm fully
> aware that this opens up for man-in-the-middle attacks and that there
> is a risk of lazy users misusing this feature, but it would be very
> useful for us using SSH in a lab environment where the host key of the
> equipment frequently changes.

StrictHostKeyChecking [yes|no|ask]

defaults to ask.

ssh -o 'StrictHostKeyChecking no'

or in ~/.ssh/config/.

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds."
-- Samuel Butler

On Fri, Jun 20, 2008 at 7:04 PM, Tobias Karlsson <jtkarlsson1973 at yahoo.com> wrote:
> Let me start by saying that I think OpenSSH is a great tool and thanks to everyone contributing to its existence.
>
> However, I have a request:
>
> I'd like to have a flag that ignores the check of the host key. I'm fully aware that this opens up for man-in-the-middle attacks and that there is a risk of lazy users misusing this feature, but it would be very useful for us using SSH in a lab environment where the host key of the equipment frequently changes.

Try setting the following:

UserKnownHostsFile /dev/null
StrictHostKeyChecking no

- Niall
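
The two settings suggested in the replies above take effect for every host unless they sit inside a Host block. The following is an added example, not code from the thread or from OpenSSH: a small audit that reports for which host names a client config switches host key checking off. The sample configs, host names and function names are constructed for illustration, and only Host blocks are handled (no Match or Include).

```python
import fnmatch

# Settings named in the thread that switch host key verification off.
RELAXED = {
    "stricthostkeychecking": lambda v: v.lower() == "no",
    "userknownhostsfile": lambda v: v == "/dev/null",
}

# Constructed samples: relaxed for every host vs. relaxed for lab names only.
GLOBAL = """
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
"""
SCOPED = """
Host 192.168.56.* *.lab.example
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
Host *
    StrictHostKeyChecking ask
"""

def host_matches(patterns, host):
    """Host line semantics: a positive pattern must match and no '!' pattern may."""
    positive = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatch.fnmatchcase(host, p[1:]):
                return False
        elif fnmatch.fnmatchcase(host, p):
            positive = True
    return positive

def effective(config_text, host):
    """First value obtained for each audited option (ssh_config is first-match-wins)."""
    active, result = True, {}   # lines before the first Host block apply to all hosts
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = host_matches(args, host)
        elif active and key in RELAXED and args:
            result.setdefault(key, args[0])
    return result

def unverified(config_text, host):
    """Sorted names of options that disable host key checking for this host."""
    return sorted(k for k, v in effective(config_text, host).items() if RELAXED[k](v))
```

ssh matches Host patterns against the name given on the command line, so the address pattern in the scoped sample applies only when connecting by IP address.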