If I want to specify for LAN addresses that I don't want to deal with host keys, how do I do that? Understanding the risks, knowing almost everyone will say not to do this - it's a horrible idea, but deciding I want to do it anyway. Tired of having to remove entries from known_hosts with the multiple VMs I have that often change fingerprints, and am willing to live with the risks.

/etc/ssh/ssh_config
    Host 192.168.*.*
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null

or
        UserKnownHostsFile none

Isn't doing the trick. With no known_hosts file in ~/.ssh or /etc, I still get:

    The authenticity of host '<hostname> (192.168.2.2)' can't be established.
    ECDSA key fingerprint is SHA256:.....
    Are you sure you want to continue connecting (yes/no)?
Are you connecting by specifying "ssh HOSTNAME" instead of "ssh IP.IP.IP.IP"? If this is the case, then "Host 192.168.*.*" line never matches when you think it should.

From ssh_config manpage:
"The host is the hostname argument given on the command line (i.e. the name is not converted to a canonicalized host name before matching)."

b.

On 27 August 2015 at 00:21, Walter Carlson <wlcrls47 at gmail.com> wrote:
> If I want to specify for LAN addresses that I don't want to deal with host
> keys, how do I do that? Understanding the risks, knowing almost everyone
> will say not to do this - it's a horrible idea, but deciding I want to do
> it anyway. Tired of having to remove entries from known_hosts with the
> multiple VMs I have that often change fingerprints, and am willing to live
> with the risks.
>
> /etc/ssh/ssh_config
> Host 192.168.*.*
> StrictHostKeyChecking no
> UserKnownHostsFile /dev/null
>
> or
> UserKnownHostsFile none
>
> Isn't doing the trick. With no known_hosts file in ~/.ssh or /etc, I still
> get:
> The authenticity of host '<hostname> (192.168.2.2)' can't be established.
> ECDSA key fingerprint is SHA256:.....
> Are you sure you want to continue connecting (yes/no)?
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
On Wed, Aug 26, 2015 at 10:21:53PM +0000, Walter Carlson wrote:
> If I want to specify for LAN addresses that I don't want to deal with host
> keys, how do I do that? Understanding the risks, knowing almost everyone
> will say not to do this - it's a horrible idea, but deciding I want to do
> it anyway. Tired of having to remove entries from known_hosts with the
> multiple VMs I have that often change fingerprints, and am willing to live
> with the risks.

Just use rsh?

Mike Stone
(+cc list)
You could use something in the following manner:
Match originalhost * exec "/check/if/this/hostname/is/on/lan.sh"
...(lan-specific opts)...
But this one is a bit tricky to get right, as order of entries begins
to matter more than you would initially anticipate (or at least I
didn't). Also I am not using this mode with asterisk (*), but with
fixed hostnames (to determine ipv4-or-ipv6 connection without using
DNS) so it might not work at all.
b.
On 27 August 2015 at 01:25, Walter Carlson <wlcrls47 at gmail.com> wrote:
> You nailed it. I am using a single word hostname.
>
> Is there any way for me to specify the private IP space I'm using, so I
> can use single word hostnames in the command line, without having to list
> each of them in ssh_config?
>
> Setting CanonicalizeHostname it looks like just uses the CanonicalDomains
> suffixes and CanonicalizePermittedCNAMEs rules, which I don't think I can
> set up to canonicalize to IP address.
>
> I realize I could make the options I want globally set, but I wanted them
> to be defaults for if I ever used openssh with outside-my-network systems.
>
Perfect, thanks. This winds up working for me (as far as I've tested so far.)

    Match exec "ping -q -c 1 -t 1 %n | grep '192\.168\.'"
        StrictHostKeyChecking no
        UserKnownHostsFile none

On Wed, Aug 26, 2015 at 11:47 PM, Bostjan Skufca <bostjan at a2o.si> wrote:
> (+cc list)
>
> You could use something in the following manner:
>
> Match originalhost * exec "/check/if/this/hostname/is/on/lan.sh"
> ...(lan-specific opts)...
>
> But this one is a bit tricky to get right, as order of entries begins
> to matter more than you would initially anticipate (or at least I
> didn't). Also I am not using this mode with asterisk (*), but with
> fixed hostnames (to determine ipv4-or-ipv6 connection without using
> DNS) so it might not work at all.
>
> b.
>
>
> On 27 August 2015 at 01:25, Walter Carlson <wlcrls47 at gmail.com> wrote:
> > You nailed it. I am using a single word hostname.
> >
> > Is there any way for me to specify the private IP space I'm using, so I
> > can use single word hostnames in the command line, without having to list
> > each of them in ssh_config?
> >
> > Setting CanonicalizeHostname it looks like just uses the CanonicalDomains
> > suffixes and CanonicalizePermittedCNAMEs rules, which I don't think I can
> > set up to canonicalize to IP address.
> >
> > I realize I could make the options I want globally set, but I wanted
> > them to be defaults for if I ever used openssh with outside-my-network systems.
> >
> > On Wed, Aug 26, 2015 at 10:53 PM, Bostjan Skufca <bostjan at a2o.si> wrote:
> >> Are you connecting by specifying "ssh HOSTNAME" instead of "ssh
> >> IP.IP.IP.IP"?
> >>
> >> If this is the case, then "Host 192.168.*.*" line never matches when
> >> you think it should.
> >>
> >> From ssh_config manpage:
> >> "The host is the hostname argument given on the command line (i.e. the
> >> name is not converted to a canonicalized host name before matching)."
> >>
> >> b.
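An added example, not code from the thread, of the LAN check that Bostjan's placeholder "/check/if/this/hostname/is/on/lan.sh" and Walter's ping/grep Match line both stand for: it resolves the name as typed with getent (assumed available) and matches only when every address falls inside the 192.168. prefix (a constructed default; the ssh_config path in the comment is a placeholder), so the relaxed host-key options never apply to a name that also resolves outside the LAN.

```shell
#!/bin/sh
# Added example, not code from the thread: a helper for "Match exec" that
# answers "does this host live only on my LAN?" so relaxed host-key options
# are scoped to that prefix instead of applying globally.
# Exit 0 = on LAN (Match succeeds), non-zero = not on LAN.
#
# Assumed ssh_config usage (script path is a placeholder):
#   Match exec "/usr/local/bin/on-lan.sh %n"
#       StrictHostKeyChecking no
#       UserKnownHostsFile none
# Resolution uses getent (glibc); swap in your resolver if it is missing.

LAN_PREFIX="${LAN_PREFIX:-192.168.}"   # constructed default, adjust per site

# addr_in_lan ADDR: 0 if ADDR is a literal address starting with LAN_PREFIX
addr_in_lan() {
    case "$1" in
        "$LAN_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# all_addrs_in_lan "A1 A2 ...": 0 only if every address is in the LAN.
# A name with even one public address is rejected: the same name could be
# reached outside the LAN (one of the multi-address pitfalls raised in the
# thread), and the relaxed host-key policy must not follow it there.
all_addrs_in_lan() {
    [ -n "$1" ] || return 1          # unresolvable name: do not match
    for a in $1; do
        addr_in_lan "$a" || return 1
    done
    return 0
}

# resolve_host NAME: IPv4 addresses of NAME, space separated (empty if none)
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u | tr '\n' ' '
}

# host_on_lan NAME: 0 if NAME is a literal LAN address or resolves only to LAN
host_on_lan() {
    addr_in_lan "$1" && return 0
    all_addrs_in_lan "$(resolve_host "$1")"
}

# ssh runs this as a script with the hostname in $1; the functions above are
# kept separate so they can be sourced and tested without a network.
if [ -n "${1:-}" ]; then
    host_on_lan "$1"
fi
```

Unlike the ping variant this does not need the host to answer ICMP, and it sidesteps the ping -t portability trap: on Linux iputils ping -t is the TTL and -W the reply timeout, while BSD/macOS ping uses -t as the timeout.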
On Thu, 27 Aug 2015, Bostjan Skufca wrote:
> Are you connecting by specifying "ssh HOSTNAME" instead of "ssh IP.IP.IP.IP"?
>
> If this is the case, then "Host 192.168.*.*" line never matches when
> you think it should.
>
> From ssh_config manpage:
> "The host is the hostname argument given on the command line (i.e. the
> name is not converted to a canonicalized host name before matching)."

Yeah, it's unfortunately quite difficult to implement address matching in ~/.ssh/config because of the interplay of Host matching, Hostname directives, hostname canonicalisation*, proxy commands, hosts having multiple addresses, IPv4/IPv6 and when the addresses are actually resolved and available to the parser. I've not figured out a clean way to do it that isn't also complex and probably fragile to implement.

-d

* that was my contribution to the problem :/