Don't add hostkey to known_hosts for SSH

113

19

I want to connect to a host via SSH but I don't want the hostname to be added to my ~/.ssh/known_hosts.

How can I do that?

Albert

Posted 2010-05-15T00:03:53.853

Reputation: 5 059

Answers

102

-o "UserKnownHostsFile /dev/null"

should work.

Albert

Posted 2010-05-15T00:03:53.853

Reputation: 5 059

This is what I needed for my scenario - no DNS, LAN with DHCP, computers getting different addresses all the time. I will need to type 'yes' all the time, but otherwise it's great. – Tomasz Gandor – 2014-10-03T04:47:17.167

4

add -o "LogLevel ERROR" and it won't complain with Warnings anymore – John – 2016-09-29T02:37:48.203

1

Note: a request to suppress that message "Warning: Permanently added 'hostname,ip' (RSA) to the list of known hosts." was reported to the maintainers https://bugzilla.mindrot.org/show_bug.cgi?id=2413

– Ben Creasy – 2017-10-04T02:14:33.190

2

Piping to grep will merge stdout and stderr; also the exit status can change. If using bash, it will be better to use process substitution to get rid of the message: ssh 2> >( egrep >&2 -v '^Warning: Permanently added') -o "UserKnownHostsFile /dev/null" [...]. It will avoid the pipe and thus the corresponding changes in exit status handling. – Alex O – 2017-10-10T11:48:20.543

1

@John It is better to use one of the other methods in these comments, otherwise you are introducing a security flaw due to the potential to hide other, unrelated warnings – Jon Bentley – 2019-03-05T14:21:20.520

3

Works as intended, but it will always report: "Warning: Permanently added 'hostname,ip' (RSA) to the list of known hosts." I made that go away with: 2>&1 | grep -v "^Warning: Permanently added" – Guillaume Boudreau – 2011-05-18T17:34:50.010

104

If you want this behavior because you're working with cloud servers (AWS EC2, Rackspace CloudServers etc.) or you're constantly provisioning new images in Vagrant you may want to update your SSH config instead of adding bash aliases or more options on the command line.

Consider adding something like:

Host *.mydomain.com
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  User foo
  LogLevel QUIET

  • Use as strict a regex for the host as possible to be secure.

  • Setting LogLevel to QUIET will keep the warning which Guillaume mentioned from showing up.

cclark

Posted 2010-05-15T00:03:53.853

Reputation: 1 141

This proved very helpful to me as I was using Shipit (a JavaScript deployment tool) against Vagrant. I couldn't easily get at the parameters Shipit was passing to SSH so this allowed me to sidestep the tool and tell it what I did and didn't want it to remember. – John Munsch – 2015-03-11T03:06:48.963

1

LogLevel is what I was looking for. It has the added advantage of not showing the company configured notice when running scripts! (I am running now w/ loglevel ERROR) – Anshu Prateek – 2015-08-04T03:46:07.970

In what file do I add this ? – Wim Deblauwe – 2017-05-18T12:06:03.200

This is your SSH configuration file. In Linux or macOS the file would generally be in a directory called .ssh within your home directory and named config -- ~/.ssh/config – cclark – 2017-05-18T12:09:58.897

You really should try to not fully disable StrictHostKeyChecking, so cclark's answer is a great compromise for working with cloud servers. – Alex Recarey – 2012-09-24T16:39:19.583

10

I feel like adding the host key to your known_hosts (the folks running these services are, in my experience, at least smart enough to keep their host keys consistent between machines serving the same hostname) and then turning on StrictHostKeyChecking, turning off CheckHostIP, and logging with LogLevel ERROR will give you the best experience without sacrificing security. (Ok, without CheckHostIP you do need to trust DNS, which is a huge gaping hole without widespread DNSSEC or something similar; but we'll just sweep that under the rug for the moment.)

I use a read-only known_hosts file, so I have to do something or I get endless warnings about not being able to add entries to known_hosts.

What I use:

Host github.com *.github.com
StrictHostKeyChecking yes
CheckHostIP no
LogLevel ERROR

I would like these services to publish their SSH host keys on their websites via HTTPS, so I can copy them explicitly without having to connect first and potentially expose myself to a MITM attack.

Kyle Rose

Posted 2010-05-15T00:03:53.853

Reputation: 101
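Combining the accepted answer (UserKnownHostsFile pointed away from ~/.ssh/known_hosts) with Kyle Rose's pinning approach, here is an added example that is not from any of the answers above: a POSIX shell wrapper that keeps ~/.ssh/known_hosts untouched yet still verifies the server against a host key line you obtained out of band. It assumes you already have that known_hosts-format line for the host; the key data in the usage comment is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Write a throwaway known_hosts file containing only the pinned line for
# HOST and print its path. The caller removes the file when done, so nothing
# is ever added to ~/.ssh/known_hosts.
make_pinned_known_hosts() {
    host="$1"; pinned_line="$2"
    # Refuse a line that was pinned for a different host name.
    case "$pinned_line" in
        "$host "*|"$host,"*) ;;
        *) echo "pinned line does not start with host $host" >&2; return 1 ;;
    esac
    tmp_kh=$(mktemp) || return 1
    printf '%s\n' "$pinned_line" > "$tmp_kh"
    chmod 600 "$tmp_kh"
    printf '%s\n' "$tmp_kh"
}

# Run ssh against HOST using only the pinned key. StrictHostKeyChecking=yes
# makes ssh refuse the connection if the server's key is absent from, or
# differs from, the temporary file, instead of silently recording a new key.
# LogLevel=ERROR (as suggested in the answers) still shows real errors.
pinned_ssh() {
    host="$1"; pinned_line="$2"; shift 2
    kh=$(make_pinned_known_hosts "$host" "$pinned_line") || return 1
    ssh -o "UserKnownHostsFile=$kh" \
        -o StrictHostKeyChecking=yes \
        -o LogLevel=ERROR \
        "$host" "$@"
    rc=$?
    rm -f "$kh"
    return $rc
}

# Usage (constructed placeholder key, replace with the line you obtained):
#   PIN='example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERxxxx'
#   pinned_ssh example.internal "$PIN" uptime
```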

7

For a single ssh session, use this

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@host

Quanlong

Posted 2010-05-15T00:03:53.853

Reputation: 792

4

This adds nothing new to an accepted answer on a question that is 5 years old. – JakeGould – 2015-12-16T06:58:08.197

6

I suggest

LogLevel ERROR

over

LogLevel QUIET

so you still get "Could not resolve hostname" and other such errors

kiloforce

Posted 2010-05-15T00:03:53.853

Reputation: 69

You should be able to trust your SSH connections, imho. Not just make it silent about your risks. – sylvainulg – 2015-01-23T09:16:42.600

3

Depends really. We have development environments that get torn down each week and rebuilt, their A records stay the same but their host key is generated each time it's built. We can't persist the host keys because the A record is just defined in a database based off an environment name, and environment names can be scrapped or new ones created at any time, so the above workaround is genuinely useful. – Alex Berry – 2017-06-27T08:59:23.163

2

Have you tried disabling StrictHostKeyChecking? You can do it with the -o option or in the configuration file ~/.ssh/config.

jneves

Posted 2010-05-15T00:03:53.853

Reputation: 311

I'm already using that. But it has a different effect: it lowers the strictness of the host key checking. I.e. when the host is unknown, it still connects when you disable that option. Thus, it still saves the host. But I think I have found the right solution (see my answer). – Albert – 2010-05-15T00:29:31.953

0

I found the following .ssh/config entries useful (LAN with DHCP and DNS):

 CheckHostIP no

 Host *.*
 CheckHostIP yes

Result is local machine names "zora" or "goron" will not check against dynamically assigned IP addresses, but www.mycompany.com or node42.planetlab.com will still have their static IPs confirmed.

sylvainulg

Posted 2010-05-15T00:03:53.853

Reputation: 573