426

I would like to disable strict host key checking in ssh for Ubuntu 11.04. How to do it?

dessert
  • 40,956
karthick87
  • 84,513

7 Answers

389

In your ~/.ssh/config (if this file doesn't exist, just create it):

Host *
    StrictHostKeyChecking no

This will turn it off for all hosts you connect to. You can replace the * with a hostname pattern if you only want it to apply to some hosts.

Make sure the permissions on the file restrict access to yourself only:

sudo chmod 400 ~/.ssh/config
David Foerster
  • 36,890
  • 56
  • 97
  • 151
Caesium
  • 16,207
  • 4
  • 42
  • 48
383

Rather than adding it to your ~/.ssh/config file for all Host *, it would be safer to specify a particular host.

You can also pass a parameter on the command-line like this:

ssh -o StrictHostKeyChecking=no yourHardenedHost.com

This will automatically add the host key to your known_hosts file if it's not already there.

If there's a mismatch, it will display a big warning and not update known_hosts. It will also disable password-based authentication to prevent MITM attacks. Private key authentication will still automatically get through though, which you may not want.

mwfearnley
  • 3,497
MarkHu
  • 6,218
203

It's worth pointing out that setting in your ssh config:

StrictHostKeyChecking no

Will mean hostkeys are still added to .ssh/known_hosts - you just won't be prompted about whether you trust them, but should hosts change I'm willing to bet you'll get the big warning about it. You can work around this problem by adding another parameter:

UserKnownHostsFile /dev/null

This will add all these "newly discovered" hosts to the trash bin. If a host key changes, no troubles.

I would be remiss not to mention that circumventing these warnings on hostkeys has obvious security ramifications - you should be careful that you're doing it for the right reasons & that what you're connecting to actually is what you mean to connect to and not a malicious host, since at this point you've eroded a major part of the security in ssh as a solution.

For example if you were to try and set this with the commandline, the full command would be:

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@host

That would be silly though - given that the working examples above for ssh config files are likely to make more sense in all cases.

pacifist
  • 2,198
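
The answers above differ in what `StrictHostKeyChecking no` leaves behind: on its own, new keys are still recorded in known_hosts, while pairing it with `UserKnownHostsFile /dev/null` discards them. The following audit is an added example, not part of any answer: it lists which `Host` blocks in a client config carry either combination. The function names, finding labels and sample hostnames are constructed for illustration, and the check is per block (it does not follow `Include` files).

```shell
#!/bin/sh
# Added example: report ssh client config blocks that weaken host key checks.
# Output: "<Host pattern><TAB><finding>", one line per weakened block.
audit_ssh_config() {
  awk '
    function report() {
      # "no" and "off" both disable the check (see ssh_config(5))
      if (strict != "no" && strict != "off") return
      printf "%s\t%s\n", host,
        (khf == "/dev/null" ? "unchecked,keys-discarded" : "unchecked,keys-auto-added")
    }
    BEGIN { host = "(before first Host)" }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/) next
      # keyword and value are separated by whitespace and/or "="
      if (!match(line, /[ \t=]+/)) next
      key = tolower(substr(line, 1, RSTART - 1))
      val = substr(line, RSTART + RLENGTH)
      sub(/[ \t]+$/, "", val); gsub(/"/, "", val)
      if (key == "host" || key == "match") {
        report(); host = val; strict = ""; khf = ""; next
      }
      # within a block, the first value given for an option is the one used
      if (key == "stricthostkeychecking" && strict == "") strict = tolower(val)
      if (key == "userknownhostsfile" && khf == "") khf = val
    }
    END { report() }
  ' ${1:+"$1"}
}

# Constructed sample config, for demonstration only.
sample_config() {
  cat <<'EOF'
Host lab-*.example.test
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
Host bastion.example.test
    StrictHostKeyChecking accept-new
Host legacy.example.test
    stricthostkeychecking=no
Host *
    StrictHostKeyChecking ask
EOF
}

sample_config | audit_ssh_config
```

Run it against a real file with `audit_ssh_config ~/.ssh/config`; a finding on the pattern `*` means the setting applies to every host you connect to.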
30

FYI. I prefer to disable host checking just when using cssh.

alias cssh='ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
Kyle
  • 309
20

If you want to disable on a one-time basis, use:

ssh -o UserKnownHostsFile=/dev/null

That will work also if the host key changes and will make sure not to save the key as trusted for added security.

qwertzguy
  • 693
  • 1
  • 7
  • 16
11

From what it sounds like,

NoHostAuthenticationForLocalhost yes

may be good enough for you. AND you'd still be able to maintain that semblance of security.

fossfreedom
  • 174,526
alex gray
  • 227
3

https://askubuntu.com/a/87452/129227 suggests modifying the config file, which helps. But instead of opening things up for any host, I wanted this to be done per host. The script below helps automate the process:

example call

./sshcheck somedomain site1 site2 site3

sshcheck script

#!/bin/bash
# WF 2017-08-25
# check ssh access to bitplan servers

#ansi colors
#http://www.csc.uvic.ca/~sae/seng265/fall04/tips/s265s047-tips/bash-using-colors.html
blue='\033[0;34m'  
red='\033[0;31m'  
green='\033[0;32m' # '\e[1;32m' is too bright for white bg.
endColor='\033[0m'

#
# a colored message 
#   params:
#     1: l_color - the color of the message
#     2: l_msg - the message to display
#
color_msg() {
  local l_color="$1"
  local l_msg="$2"
  echo -e "${l_color}$l_msg${endColor}"
}

#
# error
#
#   show an error message and exit
#
#   params:
#     1: l_msg - the message to display
error() {
  local l_msg="$1"
  # use ansi red for error
  color_msg $red "Error: $l_msg" 1>&2
  exit 1
}

#
# show the usage
#
usage() {
  echo "usage: $0 domain sites"
  exit 1 
}

#
# check the given server
#
checkserver() {
  local l_server="$1"
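  # match the exact "Host <name>" line this script writes; a plain grep also
  # matches substrings and treats a missing config file as "found"
  grep -qxF "Host $l_server" "$sconfig" 2>/dev/null
  if [ $? -ne 0 ]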
  then
    color_msg $blue "adding $l_server to $sconfig"
    today=$(date "+%Y-%m-%d")
    echo "# added $today by $0"  >> $sconfig
    echo "Host $l_server" >> $sconfig
    echo "   StrictHostKeyChecking no" >> $sconfig
    echo "   userKnownHostsFile=/dev/null" >> $sconfig
    echo "" >> $sconfig
  else
    color_msg $green "$l_server found in $sconfig"
  fi
  ssh -q $l_server id > /dev/null
  if [ $? -eq 0 ]
  then
    color_msg $green "$l_server accessible via ssh"
  else
    color_msg $red "ssh to $l_server failed" 
    color_msg $blue "shall I ssh-copy-id credentials to $l_server?"
    read answer
    case $answer in
      y|yes) ssh-copy-id $l_server
    esac
  fi
}

#
# check all servers
#
checkservers() {
me=$(hostname -f)
for server in $(echo $* | sort)
do
  os=`uname`
  case $os in
   # Mac OS X
   Darwin*)
     pingoption=" -t1";;
    *) ;;
  esac

  pingresult=$(ping $pingoption -i0.2 -c1 $server)
  echo $pingresult | grep 100 > /dev/null
  if [ $? -eq 1 ]
  then 
    checkserver $server
    checkserver $server.$domain
  else
    color_msg $red "ping to $server failed"
  fi
done
}

#
# check configuration
#
checkconfig() {
#https://askubuntu.com/questions/87449/how-to-disable-strict-host-key-checking-in-ssh
  if [ -f $sconfig ]
  then
    color_msg $green "$sconfig exists"
    ls -l $sconfig
  fi
}

sconfig=~/.ssh/config

case  $# in
  0) usage ;;
  1) usage ;;
  *) 
    domain=$1 
    shift 
    color_msg $blue "checking ssh configuration for domain $domain sites $*"
    checkconfig
    checkservers $* 
    ;;
esac