If I want to specify for LAN addresses that I don't want to deal with host keys, how do I do that? Understanding the risks, knowing almost everyone will say not to do this - it's a horrible idea, but deciding I want to do it anyway. Tired of having to remove entries from known_hosts with the multiple VMs I have that often change fingerprints, and am willing to live with the risks.

/etc/ssh/ssh_config
Host 192.168.*.*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

or

    UserKnownHostsFile none

Isn't doing the trick. With no known_hosts file in ~/.ssh or /etc, I still get:

The authenticity of host '<hostname> (192.168.2.2)' can't be established.
ECDSA key fingerprint is SHA256:.....
Are you sure you want to continue connecting (yes/no)?
Are you connecting by specifying "ssh HOSTNAME" instead of "ssh IP.IP.IP.IP"?

If this is the case, then the "Host 192.168.*.*" line never matches when you think it should.

From the ssh_config manpage:
"The host is the hostname argument given on the command line (i.e. the name is not converted to a canonicalized host name before matching)."

b.

On 27 August 2015 at 00:21, Walter Carlson <wlcrls47 at gmail.com> wrote:
> If I want to specify for LAN addresses that I don't want to deal with host
> keys, how do I do that? Understanding the risks, knowing almost everyone
> will say not to do this - it's a horrible idea, but deciding I want to do
> it anyway. Tired of having to remove entries from known_hosts with the
> multiple VMs I have that often change fingerprints, and am willing to live
> with the risks.
>
> /etc/ssh/ssh_config
> Host 192.168.*.*
> StrictHostKeyChecking no
> UserKnownHostsFile /dev/null
>
> or
> UserKnownHostsFile none
>
> Isn't doing the trick. With no known_hosts file in ~/.ssh or /etc, I still
> get:
> The authenticity of host '<hostname> (192.168.2.2)' can't be established.
> ECDSA key fingerprint is SHA256:.....
> Are you sure you want to continue connecting (yes/no)?
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
On Wed, Aug 26, 2015 at 10:21:53PM +0000, Walter Carlson wrote:
> If I want to specify for LAN addresses that I don't want to deal with host
> keys, how do I do that? Understanding the risks, knowing almost everyone
> will say not to do this - it's a horrible idea, but deciding I want to do
> it anyway. Tired of having to remove entries from known_hosts with the
> multiple VMs I have that often change fingerprints, and am willing to live
> with the risks.

Just use rsh?

Mike Stone
(+cc list)

You could use something in the following manner:

Match originalhost * exec "/check/if/this/hostname/is/on/lan.sh"
    ...(lan-specific opts)...

But this one is a bit tricky to get right, as the order of entries begins to matter more than you would initially anticipate (or at least I didn't). Also I am not using this mode with an asterisk (*), but with fixed hostnames (to determine an IPv4-or-IPv6 connection without using DNS), so it might not work at all.

b.

On 27 August 2015 at 01:25, Walter Carlson <wlcrls47 at gmail.com> wrote:
> You nailed it. I am using a single word hostname.
>
> Is there any way for me to specify the private IP space I'm using, so I can
> use single word hostnames in the command line, without having to list each
> of them in ssh_config?
>
> Setting CanonicalizeHostname it looks like just uses the CanonicalDomains
> suffixes and CanonicalizePermittedCNAMEs rules, which I don't think I can
> set up to canonicalize to IP address.
>
> I realize I could make the options I want globally set, but I wanted them to
> be defaults for if I ever used openssh with outside-my-network systems.
>
> On Wed, Aug 26, 2015 at 10:53 PM, Bostjan Skufca <bostjan at a2o.si> wrote:
Perfect, thanks. This winds up working for me (as far as I've tested so far.)

Match exec "ping -q -c 1 -t 1 %n | grep '192\.168\.'"
    StrictHostKeyChecking no
    UserKnownHostsFile none

On Wed, Aug 26, 2015 at 11:47 PM, Bostjan Skufca <bostjan at a2o.si> wrote:
> (+cc list)
>
> You could use something in the following manner:
>
> Match originalhost * exec "/check/if/this/hostname/is/on/lan.sh"
> ...(lan-specific opts)...
>
> But this one is a bit tricky to get right, as order of entries begins
> to matter more than you would initially anticipate (or at least I
> didn't). Also I am not using this mode with asterisk (*), but with
> fixed hostnames (to determine ipv4-or-ipv6 connection without using
> DNS) so it might not work at all.
>
> b.
>
> On 27 August 2015 at 01:25, Walter Carlson <wlcrls47 at gmail.com> wrote:
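The ping-based Match exec above only succeeds when the VM is up and answers ICMP, and ping's -t flag means TTL on Linux but timeout on BSD and macOS, so the same line behaves differently across clients. The script below is an added example written for this thread, not code from the thread or from OpenSSH: it stands in for the /check/if/this/hostname/is/on/lan.sh placeholder, resolves the host with getent (assumed to be glibc's, so nothing is sent to the target) and exits 0 only when the first IPv4 address is in an RFC 1918 range. The script name, install path and the ssh_config fragment in the header comment are assumptions.

```shell
#!/bin/sh
# ssh-is-lan.sh (hypothetical name): exit 0 when the host given as $1
# resolves to an RFC 1918 IPv4 address, non-zero otherwise.  Added example
# for this thread, not part of OpenSSH.
#
# Assumed ssh_config use.  ssh keeps the first value it obtains for each
# option, so the Match block must precede any "Host *" block that sets the
# same options; %h is the hostname after any Hostname rewriting, which is
# what actually gets connected to.
#
#   Match exec "/usr/local/bin/ssh-is-lan.sh %h"
#       StrictHostKeyChecking no
#       UserKnownHostsFile /dev/null
#   Host *
#       StrictHostKeyChecking ask

# True if $1 is a syntactically valid dotted-quad IPv4 literal.
is_ipv4_literal() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# True if $1 is an IPv4 literal inside 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
    is_ipv4_literal "$1" || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    case "$1.$2" in
        10.*)    return 0 ;;
        192.168) return 0 ;;
    esac
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]
}

# Resolve a hostname to its first IPv4 address.  IP literals pass through
# untouched so no resolver call is made for them.  getent ahostsv4 is a
# glibc tool (assumption); substitute a local equivalent where it is absent.
resolve_ipv4() {
    if is_ipv4_literal "$1"; then
        printf '%s\n' "$1"
    else
        getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
    fi
}

# The check ssh runs: the host resolves to a private IPv4 address.
host_is_lan() {
    addr=$(resolve_ipv4 "$1")
    [ -n "$addr" ] && is_private_ipv4 "$addr"
}

# When run as a script (ssh passes %h as $1), exit with the check's status.
if [ $# -gt 0 ]; then
    host_is_lan "$1"
    exit $?
fi
```

Because the decision is made from the resolved address rather than the typed name, a single-word hostname that resolves to 192.168.2.2 matches while a name that resolves through to a public address does not, and a VM that is down still gets the LAN treatment instead of falling back to the strict defaults. If a host has several A records only the first is examined; extend resolve_ipv4 to loop over all of them if that matters in your environment.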
On Thu, 27 Aug 2015, Bostjan Skufca wrote:
> Are you connecting by specifying "ssh HOSTNAME" instead of "ssh IP.IP.IP.IP"?
>
> If this is the case, then "Host 192.168.*.*" line never matches when
> you think it should.
>
> From ssh_config manpage:
> "The host is the hostname argument given on the command line (i.e. the
> name is not converted to a canonicalized host name before matching)."

Yeah, it's unfortunately quite difficult to implement address matching in ~/.ssh/config because of the interplay of Host matching, Hostname directives, hostname canonicalisation*, proxy commands, hosts having multiple addresses, IPv4/IPv6 and when the addresses are actually resolved and available to the parser. I've not figured out a clean way to do it that isn't also complex and probably fragile to implement.

-d

* that was my contribution to the problem :/