Don't add hostkey to known_hosts for SSH

ssh hosts
90,629

Solution 1

-o "UserKnownHostsFile=/dev/null"

should work.

Solution 2

If you want this behavior because you're working with cloud servers (AWS EC2, Rackspace CloudServers etc.) or you're constantly provisioning new images in Vagrant you may want to update your SSH config instead of adding bash aliases or more options on the command line.

Consider adding something like:

Host *.mydomain.com 
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  User foo
  LogLevel QUIET
  • Use as strict as regex for host as possible to be secure.
  • Setting the LogLevel to QUIET will keep the Warning which Guillaume mentioned from showing up

Solution 3

For a single ssh session, use this

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@host

Solution 4

I feel like adding the host key to your known_hosts (the folks running these services are, in my experience, at least smart enough to keep their host keys consistent between machines serving the same hostname) and then turning on StrictHostKeyChecking, turning off CheckHostIP, and logging with LogLevel ERROR will give you the best experience without sacrificing security. (Ok, without CheckHostIP you do need to trust DNS, which is a huge gaping hole without widespread DNSSEC or something similar; but we'll just sweep that under the rug for the moment.)

I use a read-only known_hosts file, so I have to do something or I get endless warnings about not being able to add entries to known_hosts.

What I use:

Host github.com *.github.com
StrictHostKeyChecking yes
CheckHostIP no
LogLevel ERROR

I would like these services to publish their SSH host keys on their websites via HTTPS, so I can copy them explicitly without having to connect first and potentially expose myself to a MITM attack.

Solution 5

I suggest

LogLevel ERROR

over

LogLevel QUIET

so you still get "Could not resolve hostname" and other such errors

Share:
90,629

Related videos on Youtube

Albert
Author by

Albert

I am postgraduate of RWTH Aachen, Germany and received a M.S. Math and a M.S. CompSci. My main interests are Machine Learning, Neural Networks, Artificial Intelligence, Logic, Automata Theory and Programming Languages. And I'm an enthusiastic hobby programmer with a wide range of side projects, mostly in C++ and Python. Homepage GitHub SourceForge HackerNewsers profile page MetaOptimize Q+A

Updated on September 17, 2022

Comments

  • Albert
    Albert over 1 year

    I want to connect to a host via SSH but I don't want the hostname to be added to my ~/.ssh/known_hosts.

    How can I do that?

  • Albert
    Albert almost 14 years
    I'm already using that. But it has a different effect: It loweres the strictness for the host key checking. I.e. when the host is unknown, it still connects when you disable that option. Thus, it still saves the host. But I think I have found the right solution (see my answer).
  • Guillaume Boudreau
    Guillaume Boudreau almost 13 years
    Works as intended, but it will always report: "Warning: Permanently added 'hostname,ip' (RSA) to the list of known hosts." I made that go away with: 2>&1 | grep -v "^Warning: Permanently added"
  • Alex Recarey
    Alex Recarey over 11 years
    You really should try to not fully disable StrictHostKeyChecking, so cclark's answer is a great compromise for working with cloud servers.
  • Tomasz Gandor
    Tomasz Gandor over 9 years
    This is what I needed for my scenario - no DNS, LAN with DHCP, computers getting different addresses all the time. I will need to type 'yes' all the time, but otherwise it's great.
  • Bob Brown
    Bob Brown over 9 years
    you should be able to trust your SSH connections, imho. Not just make it silent about your risks.
  • John Munsch
    John Munsch about 9 years
    This proved very helpful to me as I was using Shipit (a JavaScript deployment tool) against Vagrant. I couldn't easily get at the parameters Shipit was passing to SSH so this allowed me to sidestep the tool and tell it what I did and didn't want it to remember.
  • Anshu Prateek
    Anshu Prateek almost 9 years
    LogLevel is what I was looking for. It has the added advantage of not showing the company configured notice when running scripts! (I am running now w/ loglevel ERROR)
  • John
    John over 7 years
    add -o "LogLevel ERROR" and it won't complain with Warnings anymore
  • Wim Deblauwe
    Wim Deblauwe almost 7 years
    In what file do I add this ?
  • cclark
    cclark almost 7 years
    This is your SSH configuration file. In Linux or macOS the file would generally be in a directory called .ssh within your home directory and named config -- ~/.ssh/config
  • Alex Berry
    Alex Berry almost 7 years
    Depends really. We have development environments that get torn down each week and rebuilt, their A records stay the same but their host key is generated each time it's built. We can't persist the host keys because the A record is just defined in a database based off an environment name, and environment names can be scrapped or new ones created at any time, so the above workaround is genuinely useful.
  • Ben Creasy
    Ben Creasy over 6 years
    Note: a request to suppress that message "Warning: Permanently added 'hostname,ip' (RSA) to the list of known hosts." was reported to the maintainers bugzilla.mindrot.org/show_bug.cgi?id=2413
  • Alex O
    Alex O over 6 years
    Piping to grep will merge stdout and stderr; also the exit status can change. If using bash, it will be better to use process substitution to get rid of the message: ssh 2> >( egrep >&2 -v '^Warning: Permanently added') -o "UserKnownHostsFile /dev/null" [...]. It will avoid the pipe and thus the corresponding changes in exit status handling.
  • Jon Bentley
    Jon Bentley about 5 years
    @John It is better to use one of the other methods in these comments, otherwise you are introducing a security flaw due to the potential to hide other, unrelated warnings
  • Scott Prive
    Scott Prive over 2 years
    I suggest ALWAYS use the equals (=) between SSH option and value, because that is easier to parse and is consistent whether executed in a script or a terminal. Parsing issues could be a platform issue, but the whole issue can be avoided if one ignores the ancient openssh.com doc examples (which favor the "quoted with space separator" approach) and just use the simpler equals separator.
  • Scott Prive
    Scott Prive over 2 years
    No need to publish keys on a website. DNS SSHFP records have been around since 2006. It is not widely supported, at least not on public DNS.
  • Kyle Rose
    Kyle Rose over 2 years
    If anyone actually used DNSSEC, this might be a viable option for trust establishment. Since end-to-end DNSSEC is virtually non-existent, however, trusting a key served over DNS is probably worse in most cases than TOFU.
  • Scott Prive
    Scott Prive over 2 years
    Fair, the adoption rate is poor.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

SSH: How to handle missing: /home/USER/.ssh/known_hosts
How to edit /etc/hosts without sudo?
how to get the name of current host?
ssh - no route to host
Remove key from known_hosts
ssh: Could not resolve hostname. Name or service not known
Why is flutter pub get not finding my ssh-key for github?
CentOS 7 Minimal Installation on Hyper-V: X11 forwarding using Xming and PuTTy error, xhost: unable to open display ":0.0"
ssh -T [email protected] Permission denied (publickey)
How to transparently monitor SSH access/network traffic in Gentoo/general linux?