StrictHostKeyChecking is being ignored
Damien Miller
djm at mindrot.org
Tue Feb 17 08:16:06 EST 2009
On Mon, 16 Feb 2009, Asif Iqbal wrote:
> ssh -oStrictHostKeyChecking=no scrub
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 4b:c2:f2:a1:ee:f6:b2:01:e1:45:5a:6c:85:d4:ee:94.
> Please contact your system administrator.
> Add correct host key in /home/iqbala/.ssh/known_hosts to get rid of
> this message.
> Offending key in /home/iqbala/.ssh/known_hosts:93
> Password authentication is disabled to avoid man-in-the-middle attacks.
> Keyboard-interactive authentication is disabled to avoid
> man-in-the-middle attacks.
> Permission denied
> (gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive).
>
> Why is it ignoring `StrictHostKeyChecking=no' ?
It isn't ignoring it, it just doesn't do what you think it means.
StrictHostKeyChecking=no still checks existing host keys and will disable
"unsafe" authentication mechanisms if the hostkey doesn't match.
StrictHostKeyChecking is mainly about relaxing the *acceptance* of
previously unseen host keys.
If you really don't care about the host key of your target, then try:
ssh -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no yourhost
(or better yet, put an alias in .ssh/config).
-d
More information about the openssh-unix-dev
mailing list