dereenigne.org

reverse engineered

SSH Avoid Host Key Verification

SSH is great for providing security over unprotected networks, but sometimes the security measures get in the way. When dealing with embedded devices or virtual machines, rolling out a new firmware or disk image changes the SSH host key, which triggers the warning below.

user@host:~$ ssh remotehost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:6
RSA host key for remotehost has changed and you have requested strict checking.
Host key verification failed.

One fix is to delete the stored key from line 6 of .ssh/known_hosts, but the same problem will keep happening every time the remote host key changes. For obvious security reasons, SSH provides no command-line parameter to disable remote host key checking.

You can, however, use the -o argument to override the default settings provided in .ssh/config. This results in a rather unwieldy command, but you can add the following lines to your .bashrc file to create an alias for it.

# The space before the trailing backslash keeps the two -o options separate
alias ssh_noauth="ssh -o 'UserKnownHostsFile /dev/null' \
-o 'StrictHostKeyChecking no'"

Now, by using ssh_noauth instead of ssh for hosts that have changed their host key, you can avoid the error above.

Alternatively, you can whitelist an entire subnet by adding the following to your .ssh/config file:

Host 192.168.1.*
   StrictHostKeyChecking no
   UserKnownHostsFile=/dev/null

Warning: Do not use these commands as a full-time replacement for ssh just to bypass annoying Remote Host Identification warnings. Only use them when you absolutely trust the remote host.
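The following is an added example, not code from the original post. It is a shell function that scans an ssh_config-style file for the two settings shown above and reports the Host block each one applies to, so such overrides can be reviewed and removed once they are no longer needed. The names audit_ssh_config and sample_config and the hosts bastion and lab-* are made up for illustration. The function reads config files only and does not see -o options set in an alias.

```shell
#!/bin/sh
# Added example: list ssh_config settings that turn off host key verification.
# Output: <Host/Match scope> TAB <keyword>=<value>, one line per finding.
audit_ssh_config() {
    awk '
    BEGIN { scope = "(global)" }
    {
        line = $0
        sub(/^[ \t]+/, "", line)                 # drop indentation
        if (line == "" || line ~ /^#/) next      # skip blanks and comments
        # ssh_config allows "Keyword value" and "Keyword=value"
        key = line
        sub(/[ \t=].*$/, "", key)
        val = substr(line, length(key) + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        gsub(/"/, "", val)
        k = tolower(key); v = tolower(val)       # keywords are case-insensitive
        if (k == "host")  { scope = val; next }
        if (k == "match") { scope = "Match " val; next }
        # "off" is accepted by OpenSSH as a synonym for "no"
        if (k == "stricthostkeychecking" && (v == "no" || v == "off"))
            printf "%s\t%s=%s\n", scope, key, val
        if (k == "userknownhostsfile" && v == "/dev/null")
            printf "%s\t%s=%s\n", scope, key, val
    }' "$1"
}

# Constructed sample input (not from the original page, apart from the
# 192.168.1.* block, which repeats the article snippet).
sample_config() {
    cat <<'EOF'
Host 192.168.1.*
   StrictHostKeyChecking no
   UserKnownHostsFile=/dev/null

Host bastion
   StrictHostKeyChecking yes
   UserKnownHostsFile ~/.ssh/known_hosts

Host lab-*
   stricthostkeychecking = off
EOF
}

# Demo run on the sample; pass ~/.ssh/config or /etc/ssh/ssh_config for real use.
tmp=$(mktemp) && sample_config > "$tmp" && audit_ssh_config "$tmp"
rm -f "$tmp"
```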

