hostkey checking

Michal Svec rebel at
Tue Feb 19 19:24:25 EST 2002


On Tue, 19 Feb 2002, Frank Cusack wrote:

> On Tue, Feb 19, 2002 at 08:32:34AM +0100, Michal Svec wrote:
> > Is it somehow possible to disable the known_hosts checking for some hosts?
> > The StrictHostKeyChecking affects only the asking about new computers, but
> > doesn't affect the changed ones.
> > 
> > I need it for the test computers, which are reinstalled twice/hour and
> > I really don't like editing .ssh/known_hosts each time :-(
> Why don't you save the host keys then?  Change your reinstall process
> to install the saved host key rather then generate a new one.

Sadly, I'm testing just the standard reinstall process for which I can't
do such changes (I'd use it otherwise).

> But anyway, StrictHostKeyChecking does affect changed host keys.  You can
> easily set it to 'no' for only certain hosts.  Even with 'no', certain
> types of authentication will not be allowed, that's an easy behaviour
> to change (1 or 2 line patch), but I would recommend you install known
> host keys instead.

I'd just need some DisableHostKeyChecking option so I can disable it
completely for some hosts. I know this would be a security risk doing it
in general, but on a per-host basis it could be acceptable.

Do you have any objections including such an option in the standard
openssh? I think that having such possibility is a good thing in closed
(temporary) environments where the security needs not to be so paranoid.


BTW could you please send me that patch?

More information about the openssh-unix-dev mailing list