
I'm working for a company that involves sshing into several different devices with the same IP address and hostname, but unique private keys for ssh. What I'm trying to figure out is a way to disable the strict host key checking refusing to let me connect to a new device, but still warning me that it's a new device.

I know I can set StrictHostKeyChecking yes in .ssh/config, but with this alone it refuses to let me enter a username and password. When also adding UserKnownHostsFile /dev/null it lets me connect, but completely disables the checking, which isn't what I want either!

How can I set up ssh to warn me when connecting to new devices, but still allow me to connect to them? The password is not consistent between all devices either, so I can't set it to automatically enter it for me.

Ultimately I know the chances of a MITM attack when specifically connecting to our company's devices internally is minuscule, but I still like the confirmation that you are connecting to a known device.

Patronics
Comments:

  • As a guess you are testing new devices (hence multiple things with the same hostname and IP address). Can you change the requirements and make each device have the same host key rather than each one generating a unique one? This avoids the MITM attack, but doesn't warn you if it is a new device. – icarus Jul 06 '19 at 06:45
  • According to https://unix.stackexchange.com/questions/486760/is-it-possible-to-allow-multiple-ssh-host-keys-for-the-same-ip, you can have multiple keys for the same host, so just get the new key and add it to known_hosts manually when SSH refuses to connect? – muru Jul 06 '19 at 06:49
  • @icarus you guessed correctly about the situation. Changing the devices to have the same host key might be possible, thanks for the suggestion. I'd rather have a solution that doesn't require changing the software on the devices themselves if possible though. – Patronics Jul 06 '19 at 06:49
  • @muru, yeah, that's basically what I've been doing up to now, in my case by commenting out the offending host keys that match so it will approve the new device, then uncommenting them again (or just leaving them commented and getting warned again if I'm feeling lazy). It's getting really frustrating over time though, there must be a better way! – Patronics Jul 06 '19 at 06:52
  • Why comment/uncomment anything? When SSH errors out, use ssh-keyscan to add the new key. It's just one command. – muru Jul 06 '19 at 06:53
  • @muru yeah, there are definitely better ways to do it, but I'd still prefer just being able to use ssh normally, being alerted (or even prompted as you are with new devices) to trust or distrust it. I'll look into ssh-keyscan though, thanks for the suggestion. – Patronics Jul 06 '19 at 06:56

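The workflow the comments describe (when ssh refuses the address, scan the device's current key, review its fingerprint, and append it to known_hosts, which OpenSSH accepts alongside the earlier keys recorded for the same address) as a small wrapper script. This is an added example, not code from the question or the comments. It assumes the OpenSSH client tools (ssh, ssh-keyscan, ssh-keygen) are installed, that 192.0.2.10 is a placeholder for the shared device address, that the devices listen on the default port, and that known_hosts entries are unhashed (HashKnownHosts off), since the on-record count is done with a plain awk match.

```shell
#!/bin/sh
# Added example, not from the question or its comments: keep StrictHostKeyChecking=yes
# (a device whose key was never approved is still refused) but turn the refusal into
# a warning plus a yes/no prompt, then record the approved key next to earlier ones.
# Assumes OpenSSH client tools; 192.0.2.10 below is a placeholder address.

KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}"

# known_key_present FILE KEYLINE
# Succeeds if FILE already holds exactly this "host keytype base64key" line.
known_key_present() {
    [ -f "$1" ] || return 1
    grep -qxF -- "$2" "$1"
}

# keys_on_record FILE HOST
# Prints how many plain (unhashed) entries FILE holds whose host field is exactly HOST.
# Hashed or multi-host entries are not matched here; ssh-keygen -F handles those.
keys_on_record() {
    [ -f "$1" ] || { echo 0; return; }
    awk -v h="$2" '$1 == h { n++ } END { print n + 0 }' "$1"
}

# add_key FILE KEYLINE
# Appends KEYLINE unless it is already present. Prints "added" or "known".
add_key() {
    if known_key_present "$1" "$2"; then
        echo known
    else
        printf '%s\n' "$2" >> "$1"
        echo added
    fi
}

# trust_new_device HOST [ssh options...]
# Scans HOST's current keys; if any is not yet recorded, warns, shows fingerprints,
# reports how many keys this address already has on record (the "new device" signal),
# and appends only after the user agrees. Then connects with strict checking on.
trust_new_device() {
    host=$1; shift
    tmp=$(mktemp) || return 1
    if ! ssh-keyscan -t ed25519,rsa "$host" 2>/dev/null > "$tmp" || [ ! -s "$tmp" ]; then
        echo "keyscan failed for $host" >&2
        rm -f "$tmp"; return 1
    fi
    new=0
    while IFS= read -r line; do
        known_key_present "$KNOWN_HOSTS" "$line" || new=$((new + 1))
    done < "$tmp"
    if [ "$new" -gt 0 ]; then
        echo "WARNING: $host presents $new key(s) not in $KNOWN_HOSTS"
        echo "($(keys_on_record "$KNOWN_HOSTS" "$host") key(s) already on record for this address)"
        ssh-keygen -lf "$tmp"          # one fingerprint line per scanned key; compare out of band
        printf 'Trust this device and record its key(s)? [y/N] '
        read -r answer
        case $answer in
            y|Y) while IFS= read -r line; do
                     add_key "$KNOWN_HOSTS" "$line" > /dev/null
                 done < "$tmp" ;;
            *)   echo "not recorded; refusing to connect" >&2
                 rm -f "$tmp"; return 1 ;;
        esac
    fi
    rm -f "$tmp"
    ssh -o StrictHostKeyChecking=yes "$@" "$host"
}

# Only act when run with arguments, e.g.: ./trust_new_device.sh 192.0.2.10 -l admin
if [ "$#" -gt 0 ]; then
    trust_new_device "$@"
fi
```

When every presented key is already on record the script goes straight to ssh, so known devices behave exactly as before; when the address has keys on record but this device presents a different one, the warning and the count of earlier keys are the prompt the question asks for, and nothing is written until the user says yes. If the devices can be named in advance, the same effect is available without a wrapper: `ssh -o HostKeyAlias=<device-name> 192.0.2.10` gives each device its own known_hosts entry under the alias, so a key that does not match the chosen alias is still refused.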
0 Answers