Disabling host key checking on LAN

Walter Carlson wlcrls47 at gmail.com
Thu Aug 27 10:26:13 AEST 2015


Perfect, thanks.  This winds up working for me (as far as I've tested so
far.)

Match exec "ping -q -c 1 -t 1 %n | grep '192\.168\.'"
   StrictHostKeyChecking no
   UserKnownHostsFile none

On Wed, Aug 26, 2015 at 11:47 PM, Bostjan Skufca <bostjan at a2o.si> wrote:

> (+cc list)
>
> You could use something in the following manner:
>
> Match originalhost *      exec "/check/if/this/hostname/is/on/lan.sh"
>     ...(lan-specific opts)...
>
> But this one is a bit tricky to get right, as order of entries begins
> to matter more than you would initially anticipate (or at least I
> didn't). Also I am not using this mode with asterisk (*), but with
> fixed hostnames (to determine ipv4-or-ipv6 connection without using
> DNS) so it might not work at all.
>
> b.
>
>
> On 27 August 2015 at 01:25, Walter Carlson <wlcrls47 at gmail.com> wrote:
> > You nailed it.  I am using a single word hostname.
> >
> > Is there any way for me to specify the private IP space I'm using, so I can
> > use single word hostnames in the command line, without having to list each
> > of them in ssh_config?
> >
> > Setting CanonicalizeHostname it looks like just uses the CanonicalDomains
> > suffixes and CanonicalizePermittedCNAMEs rules, which I don't think I can
> > set up to canonicalize to IP address.
> >
> > I realize I could make the options I want globally set, but I wanted them to
> > be defaults for if I ever used openssh with outside-my-network systems.
> >
> > On Wed, Aug 26, 2015 at 10:53 PM, Bostjan Skufca <bostjan at a2o.si> wrote:
> >>
> >> Are you connecting by specifying "ssh HOSTNAME" instead of "ssh
> >> IP.IP.IP.IP"?
> >>
> >> If this is the case, then "Host 192.168.*.*" line never matches when
> >> you think it should.
> >>
> >> From ssh_config manpage:
> >> "The host is the hostname argument given on the command line (i.e. the
> >> name is not converted to a canonicalized host name before matching)."
> >>
> >> b.
> >>
> >> On 27 August 2015 at 00:21, Walter Carlson <wlcrls47 at gmail.com> wrote:
> >> > If I want to specify for LAN addresses that I don't want to deal with host
> >> > keys, how do I do that?  Understanding the risks, knowing almost everyone
> >> > will say not to do this - it's a horrible idea, but deciding I want to do
> >> > it anyway.  Tired of having to remove entries from known_hosts with the
> >> > multiple VMs I have that often change fingerprints, and am willing to live
> >> > with the risks.
> >> >
> >> > /etc/ssh/ssh_config
> >> > Host 192.168.*.*
> >> >    StrictHostKeyChecking no
> >> >    UserKnownHostsFile /dev/null
> >> >
> >> > or
> >> >    UserKnownHostsFile none
> >> >
> >> > Isn't doing the trick.  With no known_hosts file in ~/.ssh or /etc, I still
> >> > get:
> >> > The authenticity of host '<hostname> (192.168.2.2)' can't be established.
> >> > ECDSA key fingerprint is SHA256:.....
> >> > Are you sure you want to continue connecting (yes/no)?
> >> > _______________________________________________
> >> > openssh-unix-dev mailing list
> >> > openssh-unix-dev at mindrot.org
> >> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
> >
>
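
Added example, not part of the original thread: one possible form of the helper script that the `Match ... exec` suggestion above calls for. It goes beyond the grep on ping output by parsing each resolved address and requiring all of them to fall inside 192.168.0.0/16. The script path, the function names and the use of glibc's `getent ahostsv4` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): helper for `Match exec` in ssh_config.
# Exits 0 only if every IPv4 address the name resolves to is in 192.168.0.0/16.
# Assumed usage (path is hypothetical; %n is the token used in the thread):
#   Match exec "/usr/local/bin/ssh-lan-check.sh %n"
#      StrictHostKeyChecking no
#      UserKnownHostsFile none

# is_lan_addr ADDR: succeed if ADDR is a dotted quad inside 192.168.0.0/16.
is_lan_addr() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;      # empty, or anything but digits and dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                          # split into octets (digits/dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac   # empty or too long
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ]
}

# host_is_on_lan NAME: resolve NAME; require at least one IPv4 address and
# that all returned addresses are LAN addresses.
host_is_on_lan() {
    case "$1" in
        ''|-*) return 1 ;;             # never pass option-like names to getent
    esac
    # getent ahostsv4 is glibc-specific (assumption about the client system).
    addrs=$(getent ahostsv4 "$1" | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        is_lan_addr "$a" || return 1
    done
    return 0
}

# Run as a script only when a hostname argument is given.
if [ "$#" -gt 0 ]; then
    host_is_on_lan "$1"
    exit $?
fi
```

A name that resolves to a mix of LAN and non-LAN addresses fails the check, so the relaxed host key settings are not applied to it.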

