Hack to Prevent SSH Host Key Lookups for Your Local Subdomain

Posted by Scott on Mar 28th, 2008

Secure shell (ssh) uses cryptographic keys to uniquely identify (fingerprint) the hosts that you connect to. Once you connect to a new host, the fingerprint string is added to a file called known_hosts in your ~/.ssh directory. Then, every time you reconnect to that host, the fingerprint is checked to ensure it hasn’t changed.

This is an important security feature, because if the saved fingerprint doesn’t match, it could be because someone is maliciously spoofing the server you’re trying to connect to as part of a man-in-the-middle (MITM) type attack. However, in this modern age, some of us have local networks with numerous devices/laptops which change their IP address regularly due to DHCP. When this happens and you ssh to a device now using the same IP that a previous device used (and for which you have the host fingerprint saved), you get a nastygram from ssh and it refuses to allow you to connect to the device. Then you must clear the fingerprint from your ~/.ssh/known_hosts file and reconnect. This gets old really quickly.

So I spent some time today reviewing ssh configuration options to disable this host key checking for my home network subnet. Upon first glance, the StrictHostKeyChecking option seems like the one you’d want to change, but in fact setting it to “no” still does not allow you to ssh to a host when the saved fingerprint doesn’t match up.

In resignation, I instead hacked up a different solution, and now tell ssh to use /dev/null instead of ~/.ssh/known_hosts as where to save host keys for my local subnet. If anyone knows a better solution to this, please enlighten me. Here is my final ~/.ssh/config file:

Host 192.168.1.*
StrictHostKeyChecking no
UserKnownHostsFile /dev/null

Note that for hosts outside of my home subnet, the host key checking is still enforced (as it should be).

3 Responses

  1. phil Says:

    Awesome tip; thanks!

    I’m now using an adapted command-line version for a slightly different situation, when I want to make a temporary exception for a single host (e.g., if I reinstall the OS repeatedly and don’t want to keep the key for any particular install):

    ssh -o UserKnownHostsFile=/dev/null

  2. key exchange on auto install to allow password-less auth (via SSH) - Admins Goodies Says:

    […] to this blog post, the quickest and simplest way to resolve this problem is to specify that the known_hosts file be […]

  3. Jacob V. Rasmussen Says:

    A better solution, would be to use:
    Host *.local
    CheckHostIP no

    *.local is a nice range, if all your machines have bonjour or avahi installed.

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Blog Badges

[FSF Associate Member]