I work on a network where the systems at an IP address will change frequently. They are moved on and off the workbench and DHCP determines the IP they get.
我在一个网络上工作,IP地址的系统经常会发生变化。它们在工作台上下移动,DHCP确定它们获得的IP。
It doesn't seem straightforward how to disable host key caching/checking so that I don't have to edit ~/.ssh/known_hosts every time I need to connect to a system.
如何禁用主机密钥缓存/检查以使我不必编辑~/似乎并不简单。每次需要连接到系统时,ssh/known_hosts。
I don't care about the host authenticity, they are all on the 10.x.x.x network segment and I'm relatively certain that nobody is MITM'ing me.
我不关心主持人的真实性,他们都在10.x.x上。x网络段,我相对确定没有人对我说话。
Is there a "proper" way to do this? I don't care if it warns me, but halting and causing me to flush my known_hosts entry for that IP every time is annoying and in this scenario it does not really provide any security because I rarely connect to the systems more than once or twice and then the IP is given to another system.
有没有一种“合适”的方式来做这件事?我不在乎它警告我,但停止,导致我冲洗known_hosts条目IP每次都是烦人的,在这种情况下它并不提供任何安全因为我很少连接到系统一次或两次以上的IP是另一个系统。
I looked in the ssh_config file and saw that I can set up groups so that the security of connecting to external machines could be preserved and I could just ignore checking for local addresses. This would be optimal.
我查看了ssh_config文件,发现我可以设置组,以便能够保持与外部机器连接的安全性,并且可以忽略对本地地址的检查。这将是最优的。
From searching I have found some very strong opinions on the matter, ranging from "Don't mess with it, it is for security, just deal with it" to "This is the stupidest thing I have ever had to deal with, I just want to turn it off" ... I'm somewhere in the middle. I just want to be able to do my job without having to purge an address from the file every few minutes.
从搜索中我发现了一些非常强烈的观点,从“不要乱用它,它是为了安全,只是处理它”到“这是我处理过的最愚蠢的事情,我只是想把它关掉”……我在中间。我只是希望能够完成我的工作,而不必每隔几分钟就从文件中清除一个地址。
Thanks.
谢谢。
5 个解决方案
#1
81
This is the configuration I use for our ever-changing EC2 hosts:
这是我为我们不断变化的EC2主机使用的配置:
maxim@maxim-desktop:~$ cat ~/.ssh/config
Host *amazonaws.com
IdentityFile ~/.ssh/keypair1-openssh
IdentityFile ~/.ssh/keypair2-openssh
User ubuntu
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
This disables host confirmation StrictHostKeyChecking no
and also uses a nice hack to prevent ssh from saving the host identify to a persistent file UserKnownHostsFile /dev/null
note that as an added value I've added the default user with which to connect to the host and the option to try several different identify private keys.
这禁用宿主确认StrictHostKeyChecking没有同时使用一个黑客防止ssh主机标识保存到一个持久文件UserKnownHostsFile / dev / null指出,作为一个增值我添加的默认用户连接到主机和尝试几种不同的选项确定私钥。
#2
9
Assuming you're using OpenSSH, I believe you can set the
假设你在使用OpenSSH,我相信你可以设置
CheckHostIP no
option to prevent host IPs from being checked in known_hosts. From the man page:
选项,以防止在known_hosts中检查主机ip。从手册页:
CheckHostIP
CheckHostIP
If this flag is set to 'yes', ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to 'no', the check will not be executed. The default is 'yes'.
如果将此标志设置为“yes”,ssh(1)将另外检查known_hosts文件中的主机IP地址。这允许ssh检测主机密钥是否由于DNS欺骗而更改。如果选项设置为“no”,则不会执行检查。默认值是“是的”。
#3
8
This took me a while to find. The most common use-case I've seen is when you've got SSH tunnels to remote networks. All the solutions here produced warnings which broke my Nagios scripts.
这花了我一段时间才找到。我所见过的最常见的用例是当您有SSH通道到远程网络时。这里的所有解决方案都产生了警告,破坏了Nagios脚本。
The option I needed was:
我需要的选择是:
NoHostAuthenticationForLocalhost yes
Which, as the name suggests also only applies to localhost.
顾名思义,这只适用于localhost。
#4
2
If you want to disable this temporarily or without needing to change your SSH configuration files, you can use:
如果您想暂时禁用此功能,或者不需要更改SSH配置文件,可以使用:
ssh -o UserKnownHostsFile=/dev/null username@hostname
#5
0
Since every other answer explains how to disable the key checking, here are two ideas that preserve the key checking, but avoid the problem:
由于其他所有答案都解释了如何禁用密钥检查,这里有两个方法可以保留密钥检查,但可以避免这个问题:
-
Use hostnames. This is easy if you control the DHCP server and can assign proper names. After that you can just use the known hostnames, the changing ips don't matter.
使用主机名。如果您控制DHCP服务器并能够分配适当的名称,那么这很容易。在此之后,您可以只使用已知的主机名,更改ip并不重要。
-
Use hostnames. Even if you don't control the DHCP server, you can use a service like
avahi
, which will broadcast the name of the server in our local network. It takes care of solving collisions and other issues.使用主机名。即使不控制DHCP服务器,也可以使用avahi这样的服务,它将在我们的本地网络中广播服务器的名称。它负责解决冲突和其他问题。
-
Use host key signing. After you built a machine, sign it with a local CA (you don't need a global trusted CA for that). After that, you don't need to trust each host separately on your machine. It's enough that you trust the signing CA in the known_hosts file. More information in the
ssh-keygen
man page or at many blog posts (https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu)使用主机密钥签名。构建机器之后,使用本地CA对其进行签名(不需要全局可信的CA)。之后,您不需要分别信任您的机器上的每个主机。在known_hosts文件中信任签名CA就足够了。在ssh-keygen man页面或许多博客文章(https://www.digitalocean.com/community/tutorials/howtocreate -an-ssh- cato -validate-host -client -with-ubuntu)中提供更多信息
#1
81
This is the configuration I use for our ever-changing EC2 hosts:
这是我为我们不断变化的EC2主机使用的配置:
maxim@maxim-desktop:~$ cat ~/.ssh/config
Host *amazonaws.com
IdentityFile ~/.ssh/keypair1-openssh
IdentityFile ~/.ssh/keypair2-openssh
User ubuntu
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
This disables host confirmation StrictHostKeyChecking no
and also uses a nice hack to prevent ssh from saving the host identify to a persistent file UserKnownHostsFile /dev/null
note that as an added value I've added the default user with which to connect to the host and the option to try several different identify private keys.
这禁用宿主确认StrictHostKeyChecking没有同时使用一个黑客防止ssh主机标识保存到一个持久文件UserKnownHostsFile / dev / null指出,作为一个增值我添加的默认用户连接到主机和尝试几种不同的选项确定私钥。
#2
9
Assuming you're using OpenSSH, I believe you can set the
假设你在使用OpenSSH,我相信你可以设置
CheckHostIP no
option to prevent host IPs from being checked in known_hosts. From the man page:
选项,以防止在known_hosts中检查主机ip。从手册页:
CheckHostIP
CheckHostIP
If this flag is set to 'yes', ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to 'no', the check will not be executed. The default is 'yes'.
如果将此标志设置为“yes”,ssh(1)将另外检查known_hosts文件中的主机IP地址。这允许ssh检测主机密钥是否由于DNS欺骗而更改。如果选项设置为“no”,则不会执行检查。默认值是“是的”。
#3
8
This took me a while to find. The most common use-case I've seen is when you've got SSH tunnels to remote networks. All the solutions here produced warnings which broke my Nagios scripts.
这花了我一段时间才找到。我所见过的最常见的用例是当您有SSH通道到远程网络时。这里的所有解决方案都产生了警告,破坏了Nagios脚本。
The option I needed was:
我需要的选择是:
NoHostAuthenticationForLocalhost yes
Which, as the name suggests also only applies to localhost.
顾名思义,这只适用于localhost。
#4
2
If you want to disable this temporarily or without needing to change your SSH configuration files, you can use:
如果您想暂时禁用此功能,或者不需要更改SSH配置文件,可以使用:
ssh -o UserKnownHostsFile=/dev/null username@hostname
#5
0
Since every other answer explains how to disable the key checking, here are two ideas that preserve the key checking, but avoid the problem:
由于其他所有答案都解释了如何禁用密钥检查,这里有两个方法可以保留密钥检查,但可以避免这个问题:
-
Use hostnames. This is easy if you control the DHCP server and can assign proper names. After that you can just use the known hostnames, the changing ips don't matter.
使用主机名。如果您控制DHCP服务器并能够分配适当的名称,那么这很容易。在此之后,您可以只使用已知的主机名,更改ip并不重要。
-
Use hostnames. Even if you don't control the DHCP server, you can use a service like
avahi
, which will broadcast the name of the server in our local network. It takes care of solving collisions and other issues.使用主机名。即使不控制DHCP服务器,也可以使用avahi这样的服务,它将在我们的本地网络中广播服务器的名称。它负责解决冲突和其他问题。
-
Use host key signing. After you built a machine, sign it with a local CA (you don't need a global trusted CA for that). After that, you don't need to trust each host separately on your machine. It's enough that you trust the signing CA in the known_hosts file. More information in the
ssh-keygen
man page or at many blog posts (https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu)使用主机密钥签名。构建机器之后,使用本地CA对其进行签名(不需要全局可信的CA)。之后,您不需要分别信任您的机器上的每个主机。在known_hosts文件中信任签名CA就足够了。在ssh-keygen man页面或许多博客文章(https://www.digitalocean.com/community/tutorials/howtocreate -an-ssh- cato -validate-host -client -with-ubuntu)中提供更多信息