Greetings CentOS community!
I connect to a very large number of new machines with a handful of my CentOS boxen. Whenever I connect to a new host, I *REALLY* would like to *NOT* see the error message such as this:
The authenticity of host 'w.x.y.z (w.x.y.z)' can't be established. RSA key fingerprint is 62:7a:6c:e5:03:f5:47:be:23:a5:c5:e5:c3:60:9b:8d. Are you sure you want to continue connecting (yes/no)? yes
Also, some of these systems are being setup with an automated login system via SSH keys which means I have to manually login to each of the boxes before the automated scripting will work just to clear the 'authenticity' error.
Is there a way to disable this error/authenticity check globally for a system? I understand it may not be the best practice in terms of security, but for an internal trusted host, I have no reservations making this change.
Help! :-)
--Tim
Tim Nelson wrote:
Is there a way to disable this error/authenticity check globally for a system? I understand it may not be the best practice in terms of security, but for an internal trusted host, I have no reservations making this change.
ssh -o StrictHostKeyChecking=no ....
or add that option to ~/.ssh/ssh_config in each client user's account...
Read this article. it will explain a couple of different ways on how to do what you're looking to do and the pros and cons of them.
http://www.securityfocus.com/infocus/1806
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Tim Nelson Sent: Monday, June 29, 2009 8:58 AM To: CentOS mailing list Subject: [CentOS] SSH Authenticity Messages... Disable/
Greetings CentOS community!
I connect to a very large number of new machines with a handful of my CentOS boxen. Whenever I connect to a new host, I *REALLY* would like to *NOT* see the error message such as this:
The authenticity of host 'w.x.y.z (w.x.y.z)' can't be established. RSA key fingerprint is 62:7a:6c:e5:03:f5:47:be:23:a5:c5:e5:c3:60:9b:8d. Are you sure you want to continue connecting (yes/no)? yes
Also, some of these systems are being setup with an automated login system via SSH keys which means I have to manually login to each of the boxes before the automated scripting will work just to clear the 'authenticity' error.
Is there a way to disable this error/authenticity check globally for a system? I understand it may not be the best practice in terms of security, but for an internal trusted host, I have no reservations making this change.
Help! :-)
--Tim _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hi,
On Mon, Jun 29, 2009 at 11:57, Tim Nelsontnelson@rockbochs.com wrote:
I connect to a very large number of new machines with a handful of my CentOS boxen. Whenever I connect to a new host, I *REALLY* would like to *NOT* see the error message such as this: The authenticity of host 'w.x.y.z (w.x.y.z)' can't be established. RSA key fingerprint is 62:7a:6c:e5:03:f5:47:be:23:a5:c5:e5:c3:60:9b:8d. Are you sure you want to continue connecting (yes/no)? yes Also, some of these systems are being setup with an automated login system via SSH keys which means I have to manually login to each of the boxes before the automated scripting will work just to clear the 'authenticity' error. Is there a way to disable this error/authenticity check globally for a system? I understand it may not be the best practice in terms of security, but for an internal trusted host, I have no reservations making this change.
Yes,
You can do it for one session only (which is convenient for a script) like this:
$ ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ...
If you want to do that permanent, you can add the two last options to /etc/ssh/ssh_config, like this:
UserKnownHostsFile /dev/null StrictHostKeyChecking no
But I don't think you can get the same as the "-q" does, which suppresses the "Adding key to file..." text on the first login.
In any case, I don't think you should do it globally, but do it using the long command line on your script only.
I also create a bash alias "qssh" which calls ssh with those options, which is handy when I'm trying to connect to a machine that I know will get reinstalled many times (and thus have its private key changed) and I really don't want to store it in my ~/.ssh/known_hosts.
HTH, Filipe
----- "Filipe Brandenburger" filbranden@gmail.com wrote:
Hi,
On Mon, Jun 29, 2009 at 11:57, Tim Nelsontnelson@rockbochs.com wrote:
I connect to a very large number of new machines with a handful of
my CentOS boxen. Whenever I connect to a new host, I *REALLY* would like to *NOT* see the error message such as this:
The authenticity of host 'w.x.y.z (w.x.y.z)' can't be established. RSA key fingerprint is
62:7a:6c:e5:03:f5:47:be:23:a5:c5:e5:c3:60:9b:8d.
Are you sure you want to continue connecting (yes/no)? yes Also, some of these systems are being setup with an automated login
system via SSH keys which means I have to manually login to each of the boxes before the automated scripting will work just to clear the 'authenticity' error.
Is there a way to disable this error/authenticity check globally for
a system? I understand it may not be the best practice in terms of security, but for an internal trusted host, I have no reservations making this change.
Yes,
You can do it for one session only (which is convenient for a script) like this:
$ ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ...
If you want to do that permanent, you can add the two last options to /etc/ssh/ssh_config, like this:
UserKnownHostsFile /dev/null StrictHostKeyChecking no
But I don't think you can get the same as the "-q" does, which suppresses the "Adding key to file..." text on the first login.
In any case, I don't think you should do it globally, but do it using the long command line on your script only.
I also create a bash alias "qssh" which calls ssh with those options, which is handy when I'm trying to connect to a machine that I know will get reinstalled many times (and thus have its private key changed) and I really don't want to store it in my ~/.ssh/known_hosts.
HTH, Filipe _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Thank you everyone for the helpful suggestions. I'm entirely unsure why I didn't come across these options during my 'man ssh' and obligatory Googling... Maybe it was because there were no pointing fingers or large blinking arrows to point the way. :-)
--Tim