Comments on: Disable SSH Known Host Checking http://cubiclegeneration.com/linux-help/disable-ssh-known-host-checking omgz cubicles Thu, 01 Dec 2011 13:35:06 +0000 hourly 1 http://wordpress.org/?v=3.3 By: bikerbreath http://cubiclegeneration.com/linux-help/disable-ssh-known-host-checking/comment-page-1#comment-5670 bikerbreath Sun, 10 Apr 2011 00:14:32 +0000 http://cubiclegeneration.com/?p=120#comment-5670 Thanks, Cody, good point... I am keeping all my eggs in one basket by using one set of keys for ssh. Yes, the underlying problem is NAT. I suppose the real solution is to wait for IPv6 to hit the streets here. Thanks, Cody, good point… I am keeping all my eggs in one basket by using one set of keys for ssh.

Yes, the underlying problem is NAT. I suppose the real solution is to wait for IPv6 to hit the streets here.

]]> By: Cody http://cubiclegeneration.com/linux-help/disable-ssh-known-host-checking/comment-page-1#comment-5439 Cody Fri, 25 Mar 2011 05:14:42 +0000 http://cubiclegeneration.com/?p=120#comment-5439 You shouldn't disable this globally but only client side as it opens you up for MITM attacks. Part of the protocol and usefulness of storing the fingerprints of each host is you can ensure that future connections are to the same host - encryption & authentication :). If you have to do this (behind NAT?) I'd suggest using a local SSH config instead (~/.ssh/config) and only disable the checks for known for known hosts. @BikerBreath That's not really a good idea. If one set of keys was compromised then every machine would be affected. It's *good* that SSH asks you by default if you're connecting to a new host. This allow you to establish the trust in the initial connection - once you do that you can ensure all subsequent connections to that host is 100% that host and 100% encrypted with no snooping. If the fingerprints don't match from your known one SSH will warn you possibly preventing you from being victim of a MITM attack. You shouldn’t disable this globally but only client side as it opens you up for MITM attacks. Part of the protocol and usefulness of storing the fingerprints of each host is you can ensure that future connections are to the same host – encryption & authentication :) .

If you have to do this (behind NAT?) I’d suggest using a local SSH config instead (~/.ssh/config) and only disable the checks for known for known hosts.

@BikerBreath

That’s not really a good idea. If one set of keys was compromised then every machine would be affected.

It’s *good* that SSH asks you by default if you’re connecting to a new host. This allow you to establish the trust in the initial connection – once you do that you can ensure all subsequent connections to that host is 100% that host and 100% encrypted with no snooping. If the fingerprints don’t match from your known one SSH will warn you possibly preventing you from being victim of a MITM attack.

]]> By: bikerbreath http://cubiclegeneration.com/linux-help/disable-ssh-known-host-checking/comment-page-1#comment-5438 bikerbreath Fri, 25 Mar 2011 03:58:21 +0000 http://cubiclegeneration.com/?p=120#comment-5438 Using openSSH, this also works -- but only if you have root access to the machines you are ssh-ing into: Copy one set of host ssh key files to all ssh servers behind the same ip address. These keys are in several files named similarly to /etc/ssh/ssh_host_dsa_key Some of those key files (the private keys) are only root-readable. Keep them that way. With the same host keys on all ssh servers, there will be no complaint about "host key has changed" from your ssh client, and you can keep strict host key checking enabled. Of course, I have no idea about cryptography, so I wouldn't know if the act of sharing your host keys across many disparate servers is a good idea. So far, so good, though. Can someone comment on security issues, or other issues that could result from sharing of these host keys? -- Kevin Using openSSH, this also works — but only if you have root access to the machines you are ssh-ing into:

Copy one set of host ssh key files to all ssh servers behind the same ip address. These keys are in several files named similarly to
/etc/ssh/ssh_host_dsa_key

Some of those key files (the private keys) are only root-readable. Keep them that way.

With the same host keys on all ssh servers, there will be no complaint about “host key has changed” from your ssh client, and you can keep strict host key checking enabled.

Of course, I have no idea about cryptography, so I wouldn’t know if the act of sharing your host keys across many disparate servers is a good idea. So far, so good, though.

Can someone comment on security issues, or other issues that could result from sharing of these host keys?

– Kevin

]]>