How can I avoid SSH's host verification for known hosts?

Question

I get the following prompt everytime I try to connect a server using SSH. I type "yes", but is there a way to aovid this?

The authenticity of host '111.222.333.444 (111.222.333.444)' can't be established.
RSA key fingerprint is f3:cf:58:ae:71:0b:c8:04:6f:34:a3:b2:e4:1e:0c:8b.
Are you sure you want to continue connecting (yes/no)?

/dev/null exists for those who think they are immune to man in the middle attacks :) — Tim Post, Mar 29 '10 at 10:08
Worst part: Type `y` to save some time, and it complains: `Please type 'yes' or 'no':` [_(hmph)_](https://media.giphy.com/media/Q4ScVMm5oBP44/giphy.gif) — ADTC, Nov 29 '17 at 18:59
similar to https://askubuntu.com/questions/87449/how-to-disable-strict-host-key-checking-in-ssh/167753#167753 — MarkHu, Mar 21 '19 at 04:45

score 323 · Accepted Answer · edited Aug 19 '12 at 14:19

323

Use the -o option,

ssh -o "StrictHostKeyChecking no" user@host

edited Aug 19 '12 at 14:19

Oliver Salzburg

86,445
63
260
306

answered Mar 29 '10 at 10:53

thegeek

3,828
1
17
7

1

You may want to use an alternate identity file with the flag '-i' – MUY Belgium Apr 22 '13 at 10:08
2

What use would using an alternate identity file be? I mean, if you're connecting to a compromised host, what difference does it make how you authenticate - it's not like the compromised host can steal your key too. – Dagelf Jun 02 '15 at 10:16
Perfectly valid answer. Just please note that this is insecure, and it opens you up to "man-in-the-middle" attacks. – cowlinator May 06 '21 at 22:18
3

On my computer a related man page (`man 5 ssh_config`) says that there are more alternatives to `no`, including `accept-new`, where ssh "will automatically add new host keys to the user known hosts files, but will not permit connections to hosts with changed host keys." This seems like it would still solve this problem in many cases while being more secure. (There is also `yes`, which skips the prompt and rejects unknown and changed hosts. Also `off` is the same as `no` and `ask` is the default, which prompts.) – David Winiecki Sep 29 '22 at 17:11
1

According to [the man page](https://www.man7.org/linux/man-pages/man5/ssh_config.5.html), `StrictHostKeyChecking` will "automatically add new host keys to the user known hosts files" when set to `no` or `off`, which is worth noting. See [JimFred's answer](https://superuser.com/a/628801/1732018) if you just want to connect once without adding anything to the known hosts (may be useful in some cases). – Wilderness Ranger Jul 24 '23 at 17:05

score 151 · Answer 2 · answered Aug 06 '13 at 21:56

151

Add the following lines to the beginning of /etc/ssh/ssh_config...

Host 192.168.0.*
   StrictHostKeyChecking no
   UserKnownHostsFile=/dev/null

Options:

The Host subnet can be * to allow unrestricted access to all IPs.
Edit /etc/ssh/ssh_config for global configuration or ~/.ssh/config for user-specific configuration.

See http://linuxcommando.blogspot.com/2008/10/how-to-disable-ssh-host-key-checking.html

answered Aug 06 '13 at 21:56

JimFred

1,670
1
10
11

4

Pity I can only upvote you once. Setting KnownHosts to /dev/null is genius. – J0hnG4lt Aug 08 '14 at 15:15
2

Your the smartest one. – Darth Egregious Sep 05 '14 at 20:08
46

Ha! Tell my wife. – JimFred Sep 06 '14 at 21:16
This should be the answer – Miquel Nov 18 '20 at 12:21

score 31 · Answer 3 · answered Mar 29 '10 at 09:47

31

You should only get this the first time you connect to a new host. After you respond yes the host gets stored in ~/.ssh/known_hosts and you won't get prompted the next time you connect.

Note that if ~/.ssh/known_hosts can not be written for any reason (e.g. permissions problem) then you will get prompted every time you connect.

answered Mar 29 '10 at 09:47

Paul R

5,546
2
23
28

9

The question is is there anyway to avoid the prompt? – shantanuo Mar 29 '10 at 10:44
I tried adding "CheckHostIP no" to /etc/ssh/ssh_config file. But it does not seem to be working – shantanuo Mar 29 '10 at 10:46
2

sudo chown -R user:user .ssh ; sudo chmod 700 .ssh; sudo chmod -R 600 .ssh/ ; ssh-keygen -R $hostname and reconnect that should take ALL problems out and ONLY ever re-prompt if a ssk_Hostkey is mucked with | changed or you are victim to a MITM. – linuxdev2013 Dec 12 '15 at 23:28
1

it says "everytime" so this answer is super appropriate – tarikakyol Jan 23 '18 at 14:27
No, it's a terrible answer, because obviously IT KEEPS HAPPENING to the guy, or he wouldn't have asked the question. And to me, too, because I have an IT department that decides they need to "clean out" the known_hosts files on a regular basis. – Patrick Maupin Sep 03 '20 at 00:56

score 11 · Answer 4 · answered Jun 08 '10 at 22:29

The best way (because it does not sacrifice security) is to connect once to all computers from one client (you'll be prompted every time, always answer yes). As pointed out in the other answer, the keys will then be stored in ~/.ssh/known_hosts. Then copy this file to every client computer you might later want to connect from (possibly for each user account you use). Then all these accounts will "know" the computers, hence no prompt.

The advantage over just disabling the prompt is that SSH can actually check if there is a MITM attack.

Although, if you often ssh via forward connections, you will want to add this to /etc/ssh/ssh_config: Host 127.0.0.1 NoHostAuthenticationForLocalhost yes — Dagelf, Jun 02 '15 at 10:14

score 2 · Answer 5 · answered Jul 11 '15 at 23:20

2

If you want to disable the confirmation, rather than the authentication, you can use the option: "-o CheckHostIP=no"

ssh -i sergeys_rsa_key.pem -o CheckHostIP=no brin@8.8.8.8

answered Jul 11 '15 at 23:20

R J

161
2

The OP has already got the same answer and accepted it. – Ayan Jul 12 '15 at 04:03

score 1 · Answer 6 · answered Jan 27 '20 at 07:10

I had faced a similar issue where despite using the above mentioned verified solution, my ssh was not working and it was because the known_hosts file was missing from ~/.ssh/ directory and the File System was read only. SO during run time also I was unable to create the ~/.ssh/known_hosts file.

If you face the similar issue then see if you can write the known_hosts file in the /tmp location. This is mostly write enabled even in a read-only file system.

Later in the ssh command you can specify the ssh to read the known_hosts file from /tmp location.

ssh -o UserKnownHostsFile=/tmp/known_hosts -o StrictHostKeyChecking=no user_name@destination_server_ip

IvanReed · Answer 7 · 2015-12-13T10:35:14.387

0

This is probably because your ssh key server changed, since server ip or domain is the same but ssh key mismatch.

You must remove the stored key in /home/$user/.ssh/known_hosts to avoid this message.

I fixed it removing all keys in that file, so new token is created for this domain name.

edited Dec 13 '15 at 10:35

answered Dec 12 '15 at 18:09

IvanReed

101
1

1

Key *changed* produces a much uglier message with a box of atsigns and `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!` and `IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!` in all-caps. The message in the question occurs only if there is *not* already an entry in `known_hosts`. – dave_thompson_085 Dec 15 '15 at 06:15

score -2 · Answer 8 · answered Nov 09 '18 at 12:14

-2

Check the permissions on your ~/.ssh/known_hosts file. Mine were incorrect when I got this problem. I fixed it with:

chmod 0600 ~/.ssh/known_hosts

answered Nov 09 '18 at 12:14

Andrew McCombe

97
2

How can I avoid SSH's host verification for known hosts?

8 Answers8

Linked

Related