36

I have some cloud boxes that change their IP frequently.

I ssh using the hostname but have to edit the known_hosts file every time the server launches because of this error message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is…

Aside from any security risks and such that are associated with what I want to do, is there a way to either ignore this error or overwrite the known_hosts file automatically such that I don't always have to edit it myself?

coneybeare

8 Answers

36

Addition: you could try only disabling the CheckHostIP check for that name:

Host *
  [ global settings .. ]

Host very.dynamic.host
  CheckHostIP no

Koos van den Hout
27

Edit your .ssh/config file and add a config for this server:

Host frequent-rotation.example.com
    CheckHostIP no

CheckHostIP defaults to 'yes'. What it does is exactly the kind of check you're failing. Turning it off means ssh just trusts that the IP is variable, and will do key checking against the hostname.

sysadmin1138
  • This disables a security feature for *all* servers you will ever connect to, which is extremely bad practice. You should instead use this option *only* for a specific host you know will have this problem - or use the HostKeyAlias option - again for a specific host. – zaTricky Feb 05 '18 at 08:34
  • @zaTricky "Extremely bad practice"? What's so extreme about it hmm? I think it's about as much secure, it's simply an individual preference. You just pin a key to a hostname (instead of IP). For https, the HPKP works similarly and everybody says it's either secure or overly secure. – kubanczyk Feb 05 '18 at 08:49
  • @kubanczyk This is saying to make it a global setting - no advice regarding specifying a host, which I did point out – zaTricky Feb 05 '18 at 11:22
  • It's better to use this setting on a per-host basis. So edit `~/.ssh/config` and add `Host hostname` then under that line put `CheckHostIP no`. That way it only affects that host instead of operating globally. Apparently lots of people want to point this out but can't edit the original post (edit queue is full; eh). – CR. Jun 17 '21 at 01:14
  • I see the answer has been edited to take the suggestions into account. :-) – zaTricky May 03 '22 at 09:00
21

A lot of the answers here will work - but technically they're workarounds. OpenSSH already has a built-in feature with this in mind: HostKeyAlias.


In your .ssh/config file, add HostKeyAlias <alias> to a host configuration:

Host myserver.example.com
    HostKeyAlias myserver.example.com

With this in place, connecting to server myserver.example.com will not use the hostname or the IP address for the local reference - it will always only use the given HostKeyAlias when connecting to that server. For me it makes sense to use the hostname - but you can of course use any alias you like.


Typical configs for myself for dynamic hosts are like so:

Host myserver
    HostName myserver.dyn.example.com
    HostKeyAlias myserver.private.example.com

This can also be used in some obscure scenarios where you know a bunch of your servers have the same host keys (generally this should not be the case). This would then prevent duplicate entries. In future, if the keys legitimately change, you don't have to replace/delete multiple entries. Only one. Gitlab Geo servers are a good example of this.


Regarding clearing the known_hosts file, I would suggest looking at other questions/answers specifically related to maintaining/removing stale known_hosts entries. For example, see https://serverfault.com/questions/29262/how-to-manage-my-ssh-known-hosts-file ; I'm especially impressed by user1953828's answer, though I see it doesn't have many upvotes (yet). :)

zaTricky
  • This goes to show how much value a same-day answer has on SO vs the right answer, answered 8 years later. – parity3 Jan 04 '19 at 02:15
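The CheckHostIP answer and the HostKeyAlias answer above both come down to which names ssh looks up in known_hosts. The Python below is an added example (not code from the page, and not OpenSSH's own code) that models that lookup over a constructed known_hosts file: comma-separated name/IP patterns, `*`/`?` wildcards with `!` negation, and HashKnownHosts-style hashed entries (`|1|salt|HMAC-SHA1`). All hostnames, IPs and key blobs in it are placeholders. It makes one caveat visible: the banner in the question is raised when the entry for the hostname (or alias) holds a different key, so if the boxes regenerate their host keys on relaunch, CheckHostIP no will not silence it, and HostKeyAlias only helps when the key itself is stable. An IP-only mismatch yields the milder "differs from the key for the IP address" warning. Note also that CheckHostIP has defaulted to no since OpenSSH 8.5.

```python
"""known_hosts lookup the way ssh(1) does it. Added example; sample data is constructed."""
import base64
import binascii
import fnmatch
import hashlib
import hmac

# Placeholder key blobs (constructed, not real public keys).
KEY_ONE = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE000000000000000000000000"
KEY_TWO = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO000000000000000000000000"
ALIAS_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEALIASKEY0000000000000000000000"
SALT = b"\x01" * 20  # HashKnownHosts draws 20 random bytes; fixed here for determinism


def hash_host(host: str, salt: bytes) -> str:
    """HashKnownHosts pattern: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def sample_known_hosts() -> str:
    """A constructed ~/.ssh/known_hosts assumed for this example."""
    return "\n".join([
        "# name and the IP it resolved to, stored together when CheckHostIP is yes",
        "very.dynamic.host,203.0.113.10 ssh-ed25519 " + KEY_ONE,
        "# entry stored under a HostKeyAlias, hashed as HashKnownHosts would",
        hash_host("myserver.private.example", SALT) + " ssh-ed25519 " + ALIAS_KEY,
        "# wildcard pattern with a negated exception",
        "*.corp.example,!bad.corp.example ssh-ed25519 " + KEY_TWO,
        "",
    ])


def parse_known_hosts(text: str):
    """Return (marker, hostpatterns, keytype, key) per entry; comments and junk skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):  # @cert-authority or @revoked
            marker, line = line.split(None, 1)
        fields = line.split()
        if len(fields) < 3:
            continue
        entries.append((marker, fields[0], fields[1], fields[2]))
    return entries


def pattern_matches(patterns: str, host: str) -> bool:
    """Match a known_hosts host field (comma list, '!' negation, * and ?, |1| hash)."""
    if patterns.startswith("|1|"):
        parts = patterns.split("|")
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2])
        except binascii.Error:
            return False
        return hmac.compare_digest(hash_host(host, salt), patterns)
    positive = False
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        # OpenSSH only knows * and ?; fnmatch also treats [..] specially, which
        # does not occur in hostnames, so it is close enough here.
        if fnmatch.fnmatchcase(host.lower(), pat.lower()):
            if negated:
                return False  # a negated match vetoes the whole list
            positive = True
    return positive


def host_status(entries, name: str, keytype: str, key: str) -> str:
    """OK, CHANGED or UNKNOWN for one lookup name, as ssh classifies it."""
    same_type_seen = False
    for marker, patterns, etype, ekey in entries:
        if marker is not None or etype != keytype or not pattern_matches(patterns, name):
            continue
        if hmac.compare_digest(ekey, key):
            return "OK"
        same_type_seen = True
    return "CHANGED" if same_type_seen else "UNKNOWN"


def check_host_key(entries, hostname, ip, keytype, key,
                   check_host_ip=False, host_key_alias=None):
    """Model ssh's lookup as (status by name, status by IP).

    HostKeyAlias replaces the hostname as the lookup name; CheckHostIP adds a
    second lookup by IP. The big banner corresponds to the first status being
    CHANGED; an IP mismatch alone gives only the milder "differs" warning.
    """
    name = host_key_alias or hostname
    by_name = host_status(entries, name, keytype, key)
    by_ip = host_status(entries, ip, keytype, key) if check_host_ip else "SKIPPED"
    return by_name, by_ip


if __name__ == "__main__":
    kh = parse_known_hosts(sample_known_hosts())
    # Same key, new IP: the IP is merely unknown, ssh adds it, no banner.
    print(check_host_key(kh, "very.dynamic.host", "203.0.113.11", "ssh-ed25519", KEY_ONE, True))
    # Host key regenerated on relaunch: banner, and CheckHostIP no does not help.
    print(check_host_key(kh, "very.dynamic.host", "203.0.113.10", "ssh-ed25519", KEY_TWO))
    # HostKeyAlias: only the alias entry counts, the dynamic name and IP are irrelevant.
    print(check_host_key(kh, "myserver.dyn.example", "203.0.113.77", "ssh-ed25519", ALIAS_KEY,
                         host_key_alias="myserver.private.example"))
```

Against a real file, `ssh-keygen -F <name> -f ~/.ssh/known_hosts` performs the same lookup (it also matches hashed entries) and `ssh-keygen -R <name>` removes the stale entry, which is the clean alternative to hand-editing the file.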
3

I use these dodgy options to work around this problem. (My host's public key is regenerated quite often, so this removes the IP and key check.)

ssh remoteServerName -l username -o "UserKnownHostsFile=/dev/null"

You can also just use this if the Key stays the same but the IP changes:

ssh remoteServerName -l username -o "CheckHostIP=no"

Zv_oDD
1

You could put CheckHostIP no into your ~/.ssh/config file, but that leaves you open to spoofing attacks. If you're not concerned about that, then this setting should turn off the known_hosts check.

Steven Monday
0

You can set StrictHostKeyChecking=no in your ssh client configuration (i.e. the ~/.ssh/config file on the machine that you connect from) to ignore the warning.

hayalci
0

I avoid adding the fingerprints to my known_hosts file when connecting to transient AWS machines. I use a command such as

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i secret.pem ec2-user@10.0.0.5

to connect to them. It will not ask you if you want to add the machine "to the list of known hosts." Replace 10.0.0.5 by the IP address of your machine and secret.pem by the full path of your SSH key. You will still get a warning that 10.0.0.5 has been added, but it has really vanished into /dev/null. I do this often enough that I set an alias in my ~/.profile

alias awsssh='ssh -i secret.pem -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'

I reserve ssh ec2-user@example.com type commands for machines where I went to the trouble of checking the fingerprint.

Hbar
  • This makes sense for servers you only ever connect to once - but there are better ways to get rid of stale entries - and you shouldn't be *that* concerned about how dirty your known_hosts file is. Likely you've spent far more time and energy creating that alias than value the alias has brought you. – zaTricky Feb 05 '18 at 08:31
-3

Make known_hosts read-only.

Eldelshell