SSH Cookbook: Temporarily Disable Security Message on Connection to a Remote Server
July 24, 2014
First off, DO NOT do this all the time. ONLY do this when you have evaluated the risks and decided to risk a security breach anyways. I usually do this in my testing environment where I get to work with a lot of new or changing VMs.
When you connect for the first time to a server you are prompted to verify its fingerprint. It is then added to your ~/.ssh/known_hosts file so when you connect the next time and the fingerprint matches you are not prompted again. For example:
The authenticity of host '192.168.1.22 (192.168.1.22)' can't be established.
RSA key fingerprint is 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00.
Are you sure you want to continue connecting (yes/no)?
This can be annoying when you connect to a lot of “new” SSH servers. It also doesn’t work in test environments where scripts need to continuously connect to machines they have not connected to before and may never connect to again. It is even more annoying when the same IP is recycled between various test machines and your client refuses to connect because a known host’s fingerprint changed.
You can temporarily disable fingerprint matching at the time you are connecting:
ssh firstname.lastname@example.org -o CheckHostIP=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
You can also put this config in your ~/.ssh/config file so that you don’t need to provide these extra flags all the time:
Host myhost
    HostName 192.168.1.22
    Port 22
    User myuser
    AddressFamily inet
    CheckHostIP no
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
Now when you connect to the server you will see a message similar to this one:
Warning: Permanently added '192.168.1.22' (RSA) to the list of known hosts.
It hasn’t actually added it to your known hosts file, because UserKnownHostsFile points at /dev/null and the entry is discarded, and that’s the beauty of it.
One last thing: DO NOT do this when connecting to machines you absolutely must trust. It’s alright to use this technique when connecting within a test lab environment, for example.
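To keep these settings confined to the lab, you can audit a client config for blocks that turn host key checking off without being pinned to a lab address. The script below is an added example, not part of the original post; the lab network 192.168.1.0/24, the function names and the sample config are assumptions made for illustration.

```python
import ipaddress
import re
# Assumption: the test lab is this network; change it to your own range.
LAB_NETWORK = ipaddress.ip_network("192.168.1.0/24")
# Settings from the post that switch host key verification off.
WEAK = {"stricthostkeychecking": {"no", "off"}, "userknownhostsfile": {"/dev/null"}}

def parse_blocks(text):
    """Split ssh_config text into (patterns, {keyword: value}) blocks."""
    blocks = [(["*"], {})]  # options before the first Host line apply to all hosts
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in ("host", "match"):
            blocks.append((value.split() if key == "host" else [line.strip()], {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks

def audit(text, lab=LAB_NETWORK):
    """Return (host, target, weak_keys) for weak blocks not pinned to a lab IP."""
    findings = []
    for patterns, opts in parse_blocks(text):
        weak = sorted(k for k, bad in WEAK.items() if opts.get(k, "").lower() in bad)
        if not weak:
            continue
        target = opts.get("hostname", patterns[0])
        try:
            in_lab = ipaddress.ip_address(target) in lab
        except ValueError:
            in_lab = False  # wildcard or DNS name: scope cannot be confirmed
        if not in_lab:
            findings.append((" ".join(patterns), target, weak))
    return findings

# Constructed sample: the post's lab entry plus a wildcard block that is too broad.
SAMPLE = """\
Host myhost
    HostName 192.168.1.22
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
Host *.example.com
    StrictHostKeyChecking=no
"""
if __name__ == "__main__":
    for host, target, weak in audit(SAMPLE):
        print(f"Host {host} -> {target}: {', '.join(weak)} outside {LAB_NETWORK}")
```

Feed it the text of ~/.ssh/config; Include files, Match conditions and options passed with -o on the command line are not evaluated.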