SSH on Linux: Disabling host key checking for hosts on local subnet (known_hosts)

I work on a network where the systems at an IP address will change frequently. They are moved on and off the workbench and DHCP determines the IP they get.

It doesn't seem straightforward how to disable host key caching/checking so that I don't have to edit ~/.ssh/known_hosts every time I need to connect to a system.

I don't care about host authenticity; they are all on the 10.x.x.x network segment, and I'm relatively certain that nobody is MITM'ing me.

Is there a "proper" way to do this? I don't care if it warns me, but halting and making me flush my known_hosts entry for that IP every time is annoying, and in this scenario it does not really provide any security, because I rarely connect to a system more than once or twice before the IP is given to another system.

I looked in the ssh_config file and saw that I can set up groups so that the security of connecting to external machines could be preserved and I could just ignore checking for local addresses. This would be optimal.

From searching I have found some very strong opinions on the matter, ranging from "Don't mess with it, it is for security, just deal with it" to "This is the stupidest thing I have ever had to deal with, I just want to turn it off" ... I'm somewhere in the middle. I just want to be able to do my job without having to purge an address from the file every few minutes.

Thanks.


Solution 1:

This is the configuration I use for our ever-changing EC2 hosts:

maxim@maxim-desktop:~$ cat ~/.ssh/config 
Host *amazonaws.com
        IdentityFile ~/.ssh/keypair1-openssh
        IdentityFile ~/.ssh/keypair2-openssh
        User ubuntu
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null

This disables host confirmation (StrictHostKeyChecking no) and also uses a nice hack to prevent ssh from saving the host identity to a persistent file (UserKnownHostsFile /dev/null). Note that, as an added value, I've added the default user with which to connect to the host and the option to try several different identity private keys.

Solution 2:

Assuming you're using OpenSSH, I believe you can set the

CheckHostIP no

option to prevent host IPs from being checked in known_hosts. From the man page:

CheckHostIP

If this flag is set to 'yes', ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to 'no', the check will not be executed. The default is 'yes'.
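An added example, not code from either answer: a small Python resolver that reproduces the two ssh_config(5) rules that decide whether a relaxed block like the one in Solution 1 (StrictHostKeyChecking no, UserKnownHostsFile /dev/null, plus Solution 2's CheckHostIP no) really stays confined to the 10.x.x.x bench subnet the question asks about. Rule one: Host patterns are matched against the name exactly as typed on the ssh command line (wildcards * and ?, negation with !), so "Host 10.*" only fires when you connect by IP, not when a DNS name happens to resolve into 10/8. Rule two: for every option the first value obtained wins, so the lab block must precede any "Host *" block or it is silently overridden. The sample config is constructed here and is not from the original post; the case-insensitive comparison is an assumption made to mirror OpenSSH lowercasing the host before matching.

```python
"""Resolve which ssh_config(5) options apply to a given host (constructed example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample config, in the style of Solution 1 but scoped to the
# question's bench subnet. The relaxed block must come before "Host *".
SAMPLE_CONFIG = """\
# relaxed checking only for the lab bench subnet (must come before Host *)
Host 10.*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    CheckHostIP no

# everything else keeps normal host key verification
Host *
    StrictHostKeyChecking ask
    UserKnownHostsFile ~/.ssh/known_hosts
"""


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # ssh_config patterns know only '*' and '?'; every other character is literal.
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")


def host_block_matches(patterns: List[str], host: str) -> bool:
    """Apply one Host line's whitespace-separated patterns to the typed host name.

    A matched negated pattern ('!...') vetoes the whole line; otherwise the line
    matches if any positive pattern matches. Comparison is case-insensitive
    (assumption: OpenSSH lowercases the host before matching).
    """
    host = host.lower()
    positive_hit = False
    for pat in patterns:
        negated = pat.startswith("!")
        if _pattern_to_regex(pat.lstrip("!").lower()).match(host):
            if negated:
                return False
            positive_hit = True
    return positive_hit


def parse_config(text: str) -> List[Tuple[List[str], Dict[str, str]]]:
    """Split an ssh_config into (Host patterns, options) blocks, in file order."""
    blocks: List[Tuple[List[str], Dict[str, str]]] = []
    patterns: List[str] = ["*"]  # options before the first Host line apply everywhere
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(fields) != 2:
            continue
        key, value = fields[0].lower(), fields[1].strip()
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)  # within a block, the first value also wins
    blocks.append((patterns, options))
    return blocks


def effective_options(text: str, host: str) -> Dict[str, str]:
    """Return the options ssh would use for `host`: first obtained value wins."""
    resolved: Dict[str, str] = {}
    for patterns, options in parse_config(text):
        if host_block_matches(patterns, host):
            for key, value in options.items():
                resolved.setdefault(key, value)
    return resolved


def host_key_checking_disabled(text: str, host: str) -> bool:
    """True when the resolved StrictHostKeyChecking is 'no' (ssh's default is 'ask')."""
    opts = effective_options(text, host)
    return opts.get("stricthostkeychecking", "ask").lower() == "no"


if __name__ == "__main__":
    for h in ("10.0.5.17", "bench-box.lab", "example.com"):
        print(h, effective_options(SAMPLE_CONFIG, h))
```

Run it against your real ~/.ssh/config to confirm that only IP-addressed bench hosts lose verification while every other destination keeps its known_hosts entry; on a live system `ssh -G <host>` prints the same effective values straight from OpenSSH and is the authoritative check.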