ZenLinux Blog

I feel the need to spread this ssh tip that saves me from quite a bit of typing on a daily basis. I learned about it from Elliott’s OS X Tips and Tricks post on the Carsonified blog.

Add the following to your ~/.ssh/config file:

Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p

Now when you ssh into a host, subsequent connections to that host use the same TCP socket, and don’t require authentication. This will be the case for as long as that initial connection stays open, and it works for sftp as well as ssh.

I realize another way of avoiding typing your password all the time is to use ssh keys, but I happen to work on embedded systems that get rebuilt very frequently and which I’m not able set up an ssh key as part of the build process. This technique allows me to log into the system once per session and not have to type the password over and over again.

Secure shell (ssh) uses cryptographic keys to uniquely identify (fingerprint) the hosts that you connect to. Once you connect to a new host, the fingerprint string is added to a file called known_hosts in your ~/.ssh directory. Then, every time you reconnect to that host, the fingerprint is checked to ensure it hasn’t changed.

This is an important security feature, because if the saved fingerprint doesn’t match, it could be because someone is maliciously spoofing the server you’re trying to connect to as part of a man-in-the-middle (MITM) type attack. However, in this modern age, some of us have local networks with numerous devices/laptops which change their IP address regularly due to DHCP. When this happens and you ssh to a device now using the same IP that a previous device used (and for which you have the host fingerprint saved), you get a nastygram from ssh and it refuses to allow you to connect to the device. Then you must clear the fingerprint from your ~/.ssh/known_hosts file and reconnect. This gets old really quickly.

So I spent some time today reviewing ssh configuration options to disable this host key checking for my home network subnet. Upon first glance, the StrictHostKeyChecking option seems like the one you’d want to change, but in fact setting it to “no” still does not allow you to ssh to a host when the saved fingerprint doesn’t match up.

In resignation, I instead hacked up a different solution, and now tell ssh to use /dev/null instead of ~/.ssh/known_hosts as where to save host keys for my local subnet. If anyone knows a better solution to this, please enlighten me. Here is my final ~/.ssh/config file:

Host 192.168.1.*
StrictHostKeyChecking no
UserKnownHostsFile /dev/null

Note that for hosts outside of my home subnet, the host key checking is still enforced (as it should be).