hostkey checking

Frank Cusack fcusack at fcusack.com
Tue Feb 19 19:57:23 EST 2002


On Tue, Feb 19, 2002 at 09:24:25AM +0100, Michal Svec wrote:
> On Tue, 19 Feb 2002, Frank Cusack wrote:
> > On Tue, Feb 19, 2002 at 08:32:34AM +0100, Michal Svec wrote:
> > > Is it somehow possible to disable the known_hosts checking for some hosts?
> > > The StrictHostKeyChecking affects only the asking about new computers, but
> > > doesn't affect the changed ones.
> > > 
> > > I need it for the test computers, which are reinstalled twice/hour and
> > > I really don't like editing .ssh/known_hosts each time :-(

Automate; that is what computers are best at. :-)

> I'd just need some DisableHostKeyChecking option so I can disable it
> completely for some hosts. I know this would be a security risk doing it
> in general, but on a per-host basis it could be acceptable.
> 
> Do you have any objections to including such an option in the standard
> openssh? I think that having such a possibility is a good thing in closed
> (temporary) environments where the security need not be so paranoid.

I'm not one of the openssh developers, but I think I can safely
say there's no way such an option is going to make it into openssh.
You're probably going to get a lot of flames just for suggesting it. :-)

> BTW could you please send me that patch?

There are other easy ways to do this.  E.g., use a quick one-line Perl script
to wipe the hostkeys out of .ssh/known_hosts:

    perl -i -ne 'print unless /^test/' $HOME/.ssh/known_hosts

or do something like

    alias testssh "ssh -o UserKnownHostsFile=/dev/null"

or any number of things along those lines.

/fc
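
An added example, not part of the original post: a more careful version of the
known_hosts cleanup above, which drops an entry when any name in its host field
starts with the test prefix, so every other host keeps its key check. The
function names and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# prune_test_hosts PREFIX
# Reads known_hosts lines on stdin and prints them back, minus every entry
# whose host field contains a name starting with PREFIX.
prune_test_hosts() {
    awk -v prefix="$1" '
        # Comments and blank lines pass through untouched.
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            # The host field comes first, unless a marker such as
            # @cert-authority or @revoked precedes it.
            field = ($1 ~ /^@/) ? $2 : $1
            n = split(field, names, ",")
            drop = 0
            for (i = 1; i <= n; i++) {
                name = names[i]
                # Entries for non-default ports are written as [host]:port.
                if (name ~ /^\[/) {
                    sub(/^\[/, "", name)
                    sub(/\]:[0-9]+$/, "", name)
                }
                if (index(name, prefix) == 1) drop = 1
            }
            # Hashed names (|1|salt|hash) cannot be matched by prefix,
            # so those entries are always kept.
            if (!drop) print
        }
    '
}

# Constructed sample data; the key material is placeholder text.
sample_known_hosts() {
    cat <<'EOF'
# constructed sample known_hosts
test01,192.0.2.10 ssh-rsa AAAAconstructed1
192.0.2.11,test02.lab ssh-rsa AAAAconstructed2
[test03]:2222 ssh-rsa AAAAconstructed3
build.example.com ssh-rsa AAAAconstructed4
contest.example.com ssh-rsa AAAAconstructed5
|1|Y29uc3RydWN0ZWQ=|Y29uc3RydWN0ZWQ= ssh-rsa AAAAconstructed6
EOF
}

sample_known_hosts | prune_test_hosts test
```

To apply it to a real file, write the output to a temporary file and move it
over $HOME/.ssh/known_hosts once it looks right.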



More information about the openssh-unix-dev mailing list