[wellylug] Disabling SSH remote host identification temporarily

Andrew Stephen andrew at evil.geek.nz
Thu Oct 27 14:46:02 NZDT 2005


On 10/27/05, David Antliff <dave.antliff at paradise.net.nz> wrote:
>
>
> On Thu, 27 Oct 2005, Grant McLean wrote:
> > Can't you just use the same host key for both OS's on the box?  Just
> > copy the /etc/ssh/ssh_host*key and /etc/ssh/ssh_host*key.pub files from
> > one environment to the other.
>
>
> Hi Grant,
>
> Yes, I had considered that as a server-side solution, but I'd still like
> to know how to get the client to ignore this without modifying the
> server(s).

The client should not ever ignore this silently, otherwise you'd be
open to Man In The Middle (MITM) attacks[1].  Even if there is an
option to turn off the warning, I suggest you don't use it.

The StrictHostKeyChecking option allows you to "warn but allow" (no)
or "warn and disallow" (yes) attempts to connect to servers whose keys
have changed.

The best option is to copy the host keys as Grant suggests.  Another
possibility would be to have Gentoo and that other OS configured with
different IP addresses though this may not be easy if you use DHCP
locally.

[1] MITM attacks are where the perpetrator sets up a fake server
pretending to be your real one.  When you connect to the fake it
relays your connection to the real server while sniffing/altering your
data leaving you unaware that anything is wrong. 
"StrictHostKeyChecking Yes" ensures this can't happen unless the
perpetrator has stolen your server keys.

--
Andrew Stephen
http://www.evil.geek.nz/

Sarchasm: The gulf between the author of sarcastic wit and the person
who doesn't get it.
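
A client-side configuration for the dual-boot case discussed in this thread that keeps strict host key checking on, as an added example that is not part of the original message. The host aliases, the address 192.0.2.10 and the use of the OpenSSH HostKeyAlias and CheckHostIP options are assumptions that do not appear in the thread.

```sshconfig
# ~/.ssh/config (constructed example; aliases and address are assumptions)
#
# Both OS installs answer on the same address but present different host
# keys. HostKeyAlias makes ssh look up each key in known_hosts under its own
# name instead of under the shared address, so the two keys never collide
# and a changed key is still rejected.

Host box-gentoo
    HostName 192.0.2.10
    HostKeyAlias box-gentoo
    # Refuse to connect if the presented key does not match known_hosts.
    StrictHostKeyChecking yes
    # Do not also compare against a key stored under the shared IP address.
    CheckHostIP no

Host box-other
    HostName 192.0.2.10
    HostKeyAlias box-other
    StrictHostKeyChecking yes
    CheckHostIP no

# With StrictHostKeyChecking yes, ssh never adds keys by itself, so
# ~/.ssh/known_hosts needs one line per alias, copied from each install's
# /etc/ssh/ssh_host*key.pub over a trusted channel (placeholders below):
#
#   box-gentoo <key type> <public host key of the Gentoo install>
#   box-other  <key type> <public host key of the other install>
```

Running `ssh box-gentoo` while the other OS is booted fails host key verification, which is the intended result: the client only accepts the key it expects for the name it was asked to reach.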



