SSH: Disable Host Checking for Scripts

Unknown | 07:14 | 0 comments

To anyone who has used SSH long enough, the above message should look familiar. Every time a user logs into a host via SSH, that host's unique host key is stored in the user's ~/.ssh/known_hosts file. If a host has not already been added to this file, then the first SSH connection will display the above message, prompting the user to enter either yes or no. Entering yes automatically stores the server's unique host key in the known_hosts file. This has been implemented to prevent man-in-the-middle attacks.

Since servers are practically dispensable these days, they are provisioned and re-provisioned at the click of a button. It is quite common for a script to perform a remote SSH login on a new system to run commands. If this script is being run by an automated process, being asked a question may prevent the script from executing.

To get around this, you can disable this feature, called StrictHostKeyChecking.

Disable StrictHostKeyChecking System Wide:


StrictHostKeyChecking can be disabled either for the system as a whole or on a per-user basis. To disable this setting for the whole system, simply modify the /etc/ssh/ssh_config file.

# vi /etc/ssh/ssh_config

Search For:

# StrictHostKeyChecking ask

Replace with:

StrictHostKeyChecking no

Disabling the KnownHostsFile:

If a host key is already added to the known_hosts file but does not match the host key being presented to SSH on login, the login will still fail. This would prevent logging into a host that shares the same hostname/IP as a previously provisioned host.

To prevent this scenario from stopping your automated script, you can also set UserKnownHostsFile to /dev/null, which prevents the host key from being added to any real file.

# vi ~/.ssh/config

Append:

UserKnownHostsFile /dev/null
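
Both settings switch off the host key verification described at the top of this post, so it is worth knowing exactly where they are active and for which hosts. The audit function below is an added example, not part of the original post; the sample configuration and the host pattern build-*.example.internal are constructed, and the function does not follow Include directives.

```shell
#!/bin/sh
# Added example: report where host key checking is actually switched off.
# Output format: <Host/Match scope>:<line number>:<directive> <value>

# audit_ssh_config [FILE] - reads FILE, or standard input when FILE is omitted.
audit_ssh_config() {
    awk '
    BEGIN { scope = "(global)" }   # directives before any Host/Match block
    {
        line = $0
        sub(/^[ \t]+/, "", line)              # leading whitespace is ignored
        if (line == "" || line ~ /^#/) next   # commented lines have no effect
        # keyword and argument are separated by whitespace or by "="
        if (!match(line, /[ \t=]+/)) next
        key = tolower(substr(line, 1, RSTART - 1))   # keywords: any case
        val = substr(line, RSTART + RLENGTH)
        sub(/[ \t]+$/, "", val)
        gsub(/"/, "", val)                    # arguments may be quoted
        if (key == "host" || key == "match") { scope = val; next }
        if (key == "stricthostkeychecking" && tolower(val) ~ /^(no|off)$/)
            printf "%s:%d:StrictHostKeyChecking %s\n", scope, NR, val
        if (key == "userknownhostsfile" && val == "/dev/null")
            printf "%s:%d:UserKnownHostsFile %s\n", scope, NR, val
    }' "${1:--}"
}

# Constructed sample configuration (hypothetical host pattern).
sample_config() {
    cat <<'EOF'
# StrictHostKeyChecking ask
#StrictHostKeyChecking no
Host build-*.example.internal
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
Host *
    stricthostkeychecking ask
EOF
}

sample_config | audit_ssh_config
```

Run it against /etc/ssh/ssh_config and ~/.ssh/config; a finding with the scope (global) or * applies to every host, while a finding under a narrower Host pattern applies only to the hosts that pattern matches.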

Thank you for reading :)



handsonbook.blogspot.com
