How to disable strict host key checking in ssh?

  • I would like to disable strict host key checking in ssh for Ubuntu 11.04. How to do it?

    Hi karthick87, I hope you understand the security implications of making that change ;)

    It should be noted however, that you **want** to know if a host key has *changed*. That is a big red flag that someone may be spoofing the host. So UserKnownHostsFile /dev/null is a really bad idea.

    SSH is used not only for remote connections, you know. All hosts I'm connecting to are in a heap on my table and share the same IP, so I always have the new host warning.

    If you just want to remove the message for a particular host, delete the corresponding line from ~/.ssh/known_hosts.

    If you just need to do a one-time connect without errors: `ssh -o UserKnownHostsFile=/dev/null`

    Thanks @odinho-Velmont, I needed to do this when reverse tunneling from several different hosts to the same local port (one at a time, of course). Without this, the server complains when connecting using the same credentials to the different servers.

    @odinho-Velmont nice one, thanks.

  • Caesium (correct answer, 9 years ago)

    In your ~/.ssh/config (if this file doesn't exist, just create it):

    Host *
        StrictHostKeyChecking no
    

    This will turn it off for all hosts you connect to. You can replace the * with a hostname pattern if you only want it to apply to some hosts.

    Make sure the permissions on the file restrict access to yourself only:

    sudo chmod 400 ~/.ssh/config
    

    There is no file named `config` in my home directory.

    Make one - the entire contents of the file are in my quote above. Note it's in the `.ssh` subdirectory of your homedir as well.

    Is the indentation required? My entries look like blocks divided by an empty line.

    This is unwise in many cases, often you just want to disable it once: `ssh -o UserKnownHostsFile=/dev/null`

    `mkdir -p ~/.ssh && echo "Host *" > ~/.ssh/config && echo " StrictHostKeyChecking no" >> ~/.ssh/config`

    Awesome, I was stuck in fixing ~/.ssh/known_hosts but it never existed. Luckily I found this thread and can log in now. I'm just wondering how can I log in to other machines, not just one specific type of machine which I launched by shared AMI from another AWS account. Thanks

    I think chmod 600 is enough

  • Rather than adding it to your ~/.ssh/config file for all Host *, it would be safer to specify a particular host.

    You can also pass a parameter on the command-line like this:

    ssh -o StrictHostKeyChecking=no yourHardenedHost.com
    

    Note that you generally only need to do this once per host since it says this the first time: `Warning: Permanently added 'frxxx.blaps.net,10.11.12.13' (RSA) to the list of known hosts.`

    That won't work. It should be `ssh -o UserKnownHostsFile=/dev/null` instead.

    @qwertzguy It does work. Your option will make it so that the host key is lost each time, which is useful and more secure, but not what the question asked for.

    @qwertzguy Could you add this as an answer? Yours is really the best for quick'n'dirty "just connect, I know what I'm doing". Didn't wanna ninja-steal your answer.

    @odinho-velmont done

    Using both works for me: `ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`

    Fun fact: When using SFTP, using `-o whatever` precludes the use of `user@host` notation for determining which user to connect as.

    I don't use `sftp` much, but it worked same way for me on MacOS, Debian, and FreeBSD when I tried them today. What distro are you using?

    I wish there was a way to add multiple host keys for a single host - if we have multiple fixed hosts behind a load balancer, I know which hosts to expect, but I can't ssh directly to said hosts. For now I do the above to disable strict host checking...
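    A point that matters when you follow this answer and put the exemption in ~/.ssh/config per host: ssh keeps the first value it finds for each keyword, so the per-host block has to come before any `Host *` block or the global setting silently wins. The function below is added here as an illustration and is not code from the original answer: `ssh_config_value`, `GOOD_CONFIG` and `BAD_CONFIG` are made-up names, and both configs are constructed samples; it resolves a keyword for a host with that first-match rule and shows the two orderings side by side.

```shell
#!/bin/sh
# ssh reads the config top to bottom and keeps the FIRST value it finds for
# each keyword, so a per-host exemption must sit above "Host *".
# ssh_config_value, GOOD_CONFIG and BAD_CONFIG are names assumed for this
# example; the two configs are constructed samples.

# per-host block before the catch-all: lab1/lab2 are exempt, everything else asks
GOOD_CONFIG='Host lab1 lab2
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

Host *
    StrictHostKeyChecking ask
'

# same blocks in the wrong order: "Host *" now shadows the lab1/lab2 exemption
BAD_CONFIG='Host *
    StrictHostKeyChecking ask

Host lab1 lab2
    StrictHostKeyChecking no
'
# Usage: ssh_config_value "$config_text" KEYWORD HOST
# Prints the effective value, or nothing if no matching block sets it.
# Understands "Key value" and "Key=value", comments and glob patterns in
# Host lines; negated ("!") patterns are not implemented.
ssh_config_value() {
    kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    host=$3
    printf '%s\n' "$1" | (
        set -f                                # keep "*" from globbing filenames
        active=0 found=""
        while IFS= read -r line; do
            # drop comments and surrounding blanks, turn "key=value" into "key value"
            line=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]\{1,\}/ /g; s/ *= */ /')
            [ -z "$line" ] && continue
            key=$(printf '%s' "${line%% *}" | tr 'A-Z' 'a-z')
            val=${line#* }
            if [ "$key" = host ]; then
                active=0
                for pat in $val; do          # any pattern in the list may match
                    case $host in $pat) active=1 ;; esac
                done
            elif [ "$active" -eq 1 ] && [ "$key" = "$kw" ] && [ -z "$found" ]; then
                found=$val                   # first match wins; later blocks are ignored
            fi
        done
        printf '%s\n' "$found"
    )
}
```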

  • It's worth pointing out that setting in your ssh config:

    StrictHostKeyChecking no
    

    Will mean hostkeys are still added to .ssh/known_hosts - you just won't be prompted about whether you trust them, but should hosts change I'm willing to bet you'll get the big warning about it. You can work around this problem by adding another parameter:

    UserKnownHostsFile /dev/null
    

    This will add all these "newly discovered" hosts to the trash bin. If a host key changes, no troubles.

    I would be remiss not to mention that circumventing these warnings on hostkeys has obvious security ramifications - you should be careful that you're doing it for the right reasons & that what you're connecting to actually is what you mean to connect to and not a malicious host, since at this point you've eroded a major part of the security in ssh as a solution.

    For example if you were to try and set this with the commandline, the full command would be:

    ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@host
    

    That would be silly though - given that the working examples above for ssh config files are likely to make more sense in all cases.

    You're correct, you do get the big warning

    I think this is the right answer. This works well for connecting to hosts on a private local network.

    Could be convenient to have an alias to `ssh -o StrictHostKeyChecking=no -o UserKnownHostFiles=/dev/null user@host`. In my case I use `issh` to connect to hosts where I know the host key changes.

    @ecerulm - just a small typo: it's `UserKnownHostsFile` not `UserKnownHostFiles`.

    like a Gem, finally someone understands the generosity in completion and conclusion

    When you are running this in a script in a Docker container, there is never a known_hosts file. You don't want a prompt because it's unattended. The whole file system gets dumped at the end of the docker run. So the security issues don't apply.

  • FYI. I prefer to disable host checking just when using cssh.

    alias cssh='ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
    

    `cssh` or `ssh`?

    Am I wrong, or is the second `-o` unnecessary?

    `alias relay='ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@host -p 2222'` works for me

  • If you want to disable on a one time basis use:

    ssh -o UserKnownHostsFile=/dev/null
    

    That will work also if the host key changes and will make sure not to save the key as trusted for added security.

  • From what it sounds like,

    NoHostAuthenticationForLocalhost yes
    

    may be good enough for you. AND you'd still be able to maintain that semblance of security.

  • https://askubuntu.com/a/87452/129227 suggests modifying the config file, which helps. But instead of opening things up for any host I wanted this to be done per host. The script below helps automate the process:

    example call

    ./sshcheck somedomain site1 site2 site3

    sshcheck script

    #!/bin/bash
    # WF 2017-08-25
    # check ssh access to bitplan servers
    
    #ansi colors
    #http://www.csc.uvic.ca/~sae/seng265/fall04/tips/s265s047-tips/bash-using-colors.html
    blue='\033[0;34m'
    red='\033[0;31m'
    green='\033[0;32m' # '\e[1;32m' is too bright for white bg.
    endColor='\033[0m'
    
    #
    # a colored message
    #   params:
    #     1: l_color - the color of the message
    #     2: l_msg - the message to display
    #
    color_msg() {
      local l_color="$1"
      local l_msg="$2"
      echo -e "${l_color}$l_msg${endColor}"
    }
    
    #
    # error
    #
    #   show an error message and exit
    #
    #   params:
    #     1: l_msg - the message to display
    error() {
      local l_msg="$1"
      # use ansi red for error
      color_msg "$red" "Error: $l_msg" 1>&2
      exit 1
    }
    
    #
    # show the usage
    #
    usage() {
      echo "usage: $0 domain sites"
      exit 1
    }
    
    #
    # check the given server
    #
    checkserver() {
      local l_server="$1"
      # grep exits 2 (not 1) when $sconfig does not exist yet, so test the
      # result directly instead of comparing $? with 1
      if ! grep -q -- "$l_server" "$sconfig" 2>/dev/null
      then
        color_msg "$blue" "adding $l_server to $sconfig"
        today=$(date "+%Y-%m-%d")
        {
          echo "# added $today by $0"
          echo "Host $l_server"
          echo "   StrictHostKeyChecking no"
          echo "   UserKnownHostsFile /dev/null"
          echo ""
        } >> "$sconfig"
      else
        color_msg "$green" "$l_server found in $sconfig"
      fi
      if ssh -q "$l_server" id > /dev/null
      then
        color_msg "$green" "$l_server accessible via ssh"
      else
        color_msg "$red" "ssh to $l_server failed"
        color_msg "$blue" "shall I ssh-copy-id credentials to $l_server?"
        read -r answer
        case $answer in
          y|yes) ssh-copy-id "$l_server" ;;
        esac
      fi
    }
    
    #
    # check all servers
    #
    checkservers() {
    me=$(hostname -f)
    # sort needs one name per line; "echo $* | sort" would sort a single line
    for server in $(printf '%s\n' "$@" | sort)
    do
      os=$(uname)
      pingoption=""
      case $os in
       # Mac OS X
       Darwin*)
         pingoption="-t1";;
        *) ;;
      esac
    
      # use ping's exit status: it is non-zero both on packet loss and when
      # the name does not resolve (grepping the output for "100" missed the latter)
      # shellcheck disable=SC2086  # $pingoption must expand to nothing when empty
      if ping $pingoption -i0.2 -c1 "$server" > /dev/null 2>&1
      then
        checkserver "$server"
        checkserver "$server.$domain"
      else
        color_msg "$red" "ping to $server failed"
      fi
    done
    }
    
    #
    # check configuration
    #
    checkconfig() {
    #https://askubuntu.com/questions/87449/how-to-disable-strict-host-key-checking-in-ssh
      if [ -f "$sconfig" ]
      then
        color_msg "$green" "$sconfig exists"
        ls -l "$sconfig"
      else
        # make sure ~/.ssh exists (and is private) so checkserver can create the file
        mkdir -p -m 700 "$(dirname "$sconfig")"
      fi
    }
    
    sconfig=~/.ssh/config
    
    case $# in
      0|1) usage ;;
      *)
        domain=$1
        shift
        color_msg "$blue" "checking ssh configuration for domain $domain sites $*"
        checkconfig
        checkservers "$@"
        ;;
    esac
    

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM