StrictHostKeyChecking is being ignored

Asif Iqbal vadud3 at gmail.com
Tue Feb 17 12:18:20 EST 2009 

On Mon, Feb 16, 2009 at 4:16 PM, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 16 Feb 2009, Asif Iqbal wrote:
>
>>  ssh -oStrictHostKeyChecking=no scrub
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>> It is also possible that the RSA host key has just been changed.
>> The fingerprint for the RSA key sent by the remote host is
>> 4b:c2:f2:a1:ee:f6:b2:01:e1:45:5a:6c:85:d4:ee:94.
>> Please contact your system administrator.
>> Add correct host key in /home/iqbala/.ssh/known_hosts to get rid of
>> this message.
>> Offending key in /home/iqbala/.ssh/known_hosts:93
>> Password authentication is disabled to avoid man-in-the-middle attacks.
>> Keyboard-interactive authentication is disabled to avoid
>> man-in-the-middle attacks.
>> Permission denied
>> (gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive).
>>
>> Why is it ignoring `StrictHostKeyChecking=no' ?
>
> It isn't ignoring it, it just doesn't do what you think it means.
> StrictHostKeyChecking=no still checks existing host keys and will disable
> "unsafe" authentication mechanisms if the hostkey doesn't match.
>
> StrictHostKeyChecking is mainly about relaxing the *acceptance* of
> previously unseen host keys.
>
> If you really don't care about the host key of your target, then try:
> ssh -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no yourhost
> (or better yet, put an alias in .ssh/config).
>

I noticed some difference in Sun's SSH. I am planning to create a
ticket with SUN to fix this

SUN's SSH does not fail if set the stricthostkeychecking to no
(iqbala)@scrub:~$ uname -a
SunOS scrub 5.11 snv_106 i86pc i386 i86pc
(iqbala)@scrub:~$ /usr/bin/ssh -V
Sun_SSH_1.3, SSH protocols 1.5/2.0, OpenSSL 0x0090801f
(iqbala)@scrub:~$ /usr/bin/ssh -oStrictHostKeyChecking=no 0
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
bf:7a:b7:e6:35:69:02:69:32:df:38:4e:fd:50:a9:d1.
Please contact your system administrator.
Add correct host key in /export/home/iqbala/.ssh/known_hosts to get
rid of this message.
Offending key in /export/home/iqbala/.ssh/known_hosts:92

Password authentication is disabled to avoid man-in-the-middle attacks.
Password:

It looks like it does not disable keyboard interactive authentication
like OpenSSH does




> -d
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

More information about the openssh-unix-dev mailing list