Disabling host key checking on LAN

Bostjan Skufca bostjan at a2o.si
Thu Aug 27 09:47:36 AEST 2015


(+cc list)

You could use something in the following manner:

Match originalhost *      exec "/check/if/this/hostname/is/on/lan.sh"
    ...(lan-specific opts)...

But this one is a bit tricky to get right, as the order of entries begins
to matter more than you would initially anticipate (or at least I
didn't). Also, I am not using this mode with an asterisk (*), but with
fixed hostnames (to determine IPv4-or-IPv6 connection without using
DNS), so it might not work at all.

b.


On 27 August 2015 at 01:25, Walter Carlson <wlcrls47 at gmail.com> wrote:
> You nailed it.  I am using a single word hostname.
>
> Is there any way for me to specify the private IP space I'm using, so I can
> use single word hostnames in the command line, without having to list each
> of them in ssh_config?
>
> Setting CanonicalizeHostname it looks like just uses the CanonicalDomains
> suffixes and CanonicalizePermittedCNAMEs rules, which I don't think I can
> set up to canonicalize to IP address.
>
> I realize I could make the options I want globally set, but I wanted them to
> be defaults for if I ever used openssh with outside-my-network systems.
>
> On Wed, Aug 26, 2015 at 10:53 PM, Bostjan Skufca <bostjan at a2o.si> wrote:
>>
>> Are you connecting by specifying "ssh HOSTNAME" instead of "ssh
>> IP.IP.IP.IP"?
>>
>> If this is the case, then "Host 192.168.*.*" line never matches when
>> you think it should.
>>
>> From ssh_config manpage:
>> "The host is the hostname argument given on the command line (i.e. the
>> name is not converted to a canonicalized host name before matching)."
>>
>> b.
>>
>> On 27 August 2015 at 00:21, Walter Carlson <wlcrls47 at gmail.com> wrote:
>> > If I want to specify for LAN addresses that I don't want to deal with
>> > host keys, how do I do that?  Understanding the risks, knowing almost
>> > everyone will say not to do this - it's a horrible idea, but deciding
>> > I want to do it anyway.  Tired of having to remove entries from
>> > known_hosts with the multiple VMs I have that often change
>> > fingerprints, and am willing to live with the risks.
>> >
>> > /etc/ssh/ssh_config
>> > Host 192.168.*.*
>> >    StrictHostKeyChecking no
>> >    UserKnownHostsFile /dev/null
>> >
>> > or
>> >    UserKnownHostsFile none
>> >
>> > Isn't doing the trick.  With no known_hosts file in ~/.ssh or /etc, I
>> > still get:
>> > The authenticity of host '<hostname> (192.168.2.2)' can't be established.
>> > ECDSA key fingerprint is SHA256:.....
>> > Are you sure you want to continue connecting (yes/no)?
>
>
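An added example, not part of the original thread: one possible shape for the script that the `Match originalhost * exec` suggestion points at, resolving the name and accepting it only if every IPv4 address falls in the 192.168.0.0/16 range from the question. The script path, the function names and the use of `getent ahostsv4` (glibc) are assumptions.

```shell
#!/bin/sh
# Hypothetical helper for the "Match ... exec" approach (constructed example).
# Assumed ssh_config use, with an illustrative path; %h is the target host name:
#   Match originalhost * exec "/usr/local/bin/lan-check.sh %h"
#       ...(lan-specific opts)...

# Succeed only if $1 is a strict dotted-quad address inside 192.168.0.0/16.
is_lan_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, empty octet
    esac
    oldifs=$IFS; IFS=.
    set -- $1                                  # split into octets (digits/dots only)
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ]
}

# Succeed only if the name resolves and EVERY IPv4 address is in the LAN range.
# Assumes glibc's "getent ahostsv4" is available for resolution.
host_is_on_lan() {
    case "$1" in
        ''|-*) return 1 ;;                     # nothing to check / option-like
    esac
    addrs=$(getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || return 1                # unresolvable: not LAN
    for a in $addrs; do
        is_lan_ipv4 "$a" || return 1
    done
    return 0
}

# When run as a script with an argument, the exit status is the answer.
[ "$#" -eq 0 ] || { host_is_on_lan "$1"; exit "$?"; }
```

Because the decision rests on name resolution, whoever can answer lookups for that name can steer a host into the relaxed block; requiring every resolved address to be in range narrows this but does not remove it.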

