ssh -o stricthostkeychecking=no works.
There's no ~/.ssh/config
grep Strict /etc/ssh/ssh_config # StrictHostKeyChecking ask
but it doesn't ask:
ssh new-gateway @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:TylFZRyv2D0miW94XagWwZOFPPCd1PhTRscDSXZHwVw. Please contact your system administrator. Add correct host key in /root/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /root/.ssh/known_hosts:1 ECDSA host key for [new-gateway]:6878 has changed and you have requested strict checking. Host key verification failed.
though it reads the config file correctly:
ssh -G new-gateway | grep strict stricthostkeychecking ask
I don't want to change the ECDSA host key, because sometimes that machine is at this address.
any help appreciated
On 2/17/19 10:24 PM, sean darcy wrote:
ssh -o stricthostkeychecking=no works.
There's no ~/.ssh/config
grep Strict /etc/ssh/ssh_config # StrictHostKeyChecking ask
but it doesn't ask:
ssh new-gateway @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:TylFZRyv2D0miW94XagWwZOFPPCd1PhTRscDSXZHwVw. Please contact your system administrator. Add correct host key in /root/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /root/.ssh/known_hosts:1 ECDSA host key for [new-gateway]:6878 has changed and you have requested strict checking. Host key verification failed.
though it reads the config file correctly:
ssh -G new-gateway | grep strict stricthostkeychecking ask
I don't want to change the ECDSA host key, because sometimes that machine is at this address.
any help appreciated
According to the man page
If this flag is set to “no” or “off”, ssh will automatically add new host keys to the user known hosts files and allow connections to hosts with changed hostkeys to proceed, subject to some restrictions.
Need to so some more research to determine what those "restrictions" are. One thing to try would be to also add CheckHostIP=no
CheckHostIP If set to yes (the default), ssh(1) will additionally check the host IP address in the known_hosts file. This allows it to detect if a host key changed due to DNS spoofing and will add addresses of destination hosts to ~/.ssh/known_hosts in the process, regardless of the setting of StrictHostKeyChecking. If the option is set to no, the check will not be executed.
On Sun, 17 Feb 2019 09:24:53 -0500 sean darcy wrote:
any help appreciated
I gave up trying to deal with these issues because our lab at work is full of machines being re-genned every few weeks, so I wrote a little perl script I could run before ssh to update the ~/.ssh/known_hosts file by running ssh-keyscan and putting whatever it returns in place of any existing entries in known_hosts :-).
Never quite got ambitious enough to make an alias for ssh that would just always run this first though.
sean darcy, 17.02.19 15:24 +0100:
ssh -o stricthostkeychecking=no works.
There's no ~/.ssh/config
grep Strict /etc/ssh/ssh_config # StrictHostKeyChecking ask
but it doesn't ask:
ssh new-gateway @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:TylFZRyv2D0miW94XagWwZOFPPCd1PhTRscDSXZHwVw. Please contact your system administrator. Add correct host key in /root/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /root/.ssh/known_hosts:1 ECDSA host key for [new-gateway]:6878 has changed and you have requested strict checking. Host key verification failed.
though it reads the config file correctly:
ssh -G new-gateway | grep strict stricthostkeychecking ask
"StrictHostKeyChecking ask" asks when connecting to a new host (for which there's no entry in known_hosts). If there's an entry for the host in known_hosts and the host's key doesn't match the one saved in known_hosts, it will deny the connection:
If this flag is set to ask (the default), new host keys will be added […] and ssh will refuse to connect to hosts whose host key has changed.
(from man ssh_config(5))
So, for you, it seems to work as documented.
-
Ed Greshko -
Markus Schönhaber -
sean darcy -
Tom Horsley