views:

647

answers:

1

I work on a network where the systems at an IP address will change frequently. They are moved on and off the workbench and DHCP determines the IP they get.

It doesn't seem straightforward how to disable host key caching/checking so that I don't have to edit ~/.ssh/known_hosts every time I need to connect to a system.

I don't care about the host authenticity, they are all on the 10.x.x.x network segment and I'm relatively certain that nobody is MITM'ing me.

Is there a "proper" way to do this? I don't care if it warns me, but halting and causing me to flush my known_hosts entry for that IP every time is annoying, and in this scenario it does not really provide any security because I rarely connect to the systems more than once or twice and then the IP is given to another system.

I looked in the ssh_config file and saw that I can set up groups so that the security of connecting to external machines could be preserved and I could just ignore checking for local addresses. This would be optimal.

From searching I have found some very strong opinions on the matter, ranging from "Don't mess with it, it is for security, just deal with it" to "This is the stupidest thing I have ever had to deal with, I just want to turn it off" ... I'm somewhere in the middle. I just want to be able to do my job without having to purge an address from the file every few minutes.

Thanks.

+2  A: 

Assuming you're using OpenSSH, I believe you can set the option

CheckHostIP no

to prevent host IPs from being checked in known_hosts. From the man page:

CheckHostIP

If this flag is set to 'yes', ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to 'no', the check will not be executed. The default is 'yes'.

Jim Garrison
I've added a section to the bottom of the config file with `Host 10.0.0.*` and below that I put `CheckHostIP no`. Do you know if I need to put all the other settings in there or if this is in addition to the `*` host above? I'll have to wait until I log into a system that has been issued a "used" IP address to make sure this change works. I'll accept your answer if that works. Thanks.
C4colo
It doesn't seem this does the trick 100% ... not sure why, I'll have to play with it a bit more and see if I can get it to do what I want.
C4colo
What do you mean by "100%"? Does it work sometimes but not others?
Jim Garrison