Temporarily ignore my `~/.ssh/known_hosts` file?
Is there a way to temporarily ignore my `~/.ssh/known_hosts` file?
```
mbp:~ alexus$ ssh 10.52.11.171
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Please contact your system administrator.
Add correct host key in /Users/alexus/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/alexus/.ssh/known_hosts:155
RSA host key for 10.52.11.171 has changed and you have requested strict checking.
Host key verification failed.
mbp:~ alexus$
```
NOTE: from a few answer(s)/comment(s) I realize that my question is a bit misleading. In short, it is expected behavior, so it's normal (in my case); there is a valid reason behind why I want to "ignore it".
You can use `ssh -o StrictHostKeyChecking=no` to turn off checking `known_hosts` momentarily. But I'd advise against this. You should really check why the host key has changed.
Another option is to add a specific entry to your `~/.ssh/config` for the host in question. This might be a valid approach if you have a certain host which generates new host keys every time it reboots and it gets rebooted for a valid reason several times a day.

```
Host <your problematic host>
    StrictHostKeyChecking no
```
To completely ignore your known hosts file in a POSIX environment, set the `GlobalKnownHostsFile` and `UserKnownHostsFile` options to `/dev/null`:

```
ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null user@host
```
Setting the `StrictHostKeyChecking=no` option will allow you to connect but SSH will still show a warning:

```
ssh -o StrictHostKeyChecking=no user@host
```
As others have noted, it's probably better to address the underlying issue. You could consider SSH certificate authentication to verify hosts, for example.
If you have reinstalled the server and therefore the identification has changed, you should just delete the specified line 155 from `/Users/alexus/.ssh/known_hosts` and go ahead.
If you switch between different private networks, you should use hostnames to connect instead, as the ssh client will also save keys depending on the hostname. Add something like this to your `/etc/hosts`:

```
10.52.11.171 server1
10.52.11.171 server2
```

and then use `ssh server1` when connected to subnet 1 and `ssh server2` when connected to subnet 2. This way, both servers can have different host keys.
`-o StrictHostKeyChecking=no` only works if the host isn't already present in the `known_hosts` file.

I think it is cleaner (no warnings), if you expect host keys to change, maybe due to VM cloning, to enforce ignoring of those kinds of hosts like this:
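```sh
# Handle possible SSH key changes
host_ip="${1:?usage: $0 <host_ip>}"   # target host, taken from the first argument
# The scanned key is accepted as-is; nothing here verifies it out of band
host_key=$(ssh-keyscan -t rsa "${host_ip}" 2>/dev/null)
[ -n "${host_key}" ] || { echo "no host key returned by ${host_ip}" >&2; exit 1; }
# -F fixed string, -x whole line, -q quiet: update only if this exact entry is missing
grep -qxF -- "${host_key}" ~/.ssh/known_hosts || {
    ssh-keygen -R "${host_ip}"
    echo "${host_key}" >> ~/.ssh/known_hosts
}
# Connect the normal way
ssh "root@${host_ip}" "hostname"
```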
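
Added example, not part of any answer above: the script above stores whatever key `ssh-keyscan` returns, so this sketch replaces a `known_hosts` entry only when the scanned key matches a fingerprint obtained out of band. The function names, the sample key blobs and the `PINNED` value are constructed for illustration; the scan line uses the `host keytype base64` layout that `ssh-keyscan` prints.

```python
import base64, hashlib, struct

def sha256_fingerprint(key_b64):
    """Fingerprint in the SHA256:<unpadded base64> form current OpenSSH prints."""
    blob = base64.b64decode(key_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def md5_fingerprint(key_b64):
    """Legacy colon-separated hex form, the xx:xx:... shape in the warning above."""
    digest = hashlib.md5(base64.b64decode(key_b64, validate=True)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def host_names(line):
    """Host names of a plain known_hosts entry (hashed '|1|...' entries never match)."""
    fields = line.split()
    return [] if not fields or fields[0].startswith("#") else fields[0].split(",")

def replace_if_pinned(known_hosts, scan_line, pinned_fp):
    """Swap the host's entries for the scanned key only if it matches pinned_fp."""
    host, keytype, key_b64 = scan_line.split()[:3]
    if sha256_fingerprint(key_b64) != pinned_fp:
        return list(known_hosts), False      # unexpected key: change nothing
    kept = [l for l in known_hosts if host not in host_names(l)]
    return kept + [f"{host} {keytype} {key_b64}"], True

def sample_blob(seed):
    """Constructed ed25519-shaped key blob for the demo; not a real host key."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(raw).decode()

# Constructed sample data. PINNED stands in for a fingerprint the administrator
# supplied through a separate channel (console, inventory, provisioning output).
OLD, NEW = sample_blob(1), sample_blob(2)
KNOWN_HOSTS = ["# constructed sample file",
               f"10.52.11.171 ssh-ed25519 {OLD}",
               f"server2,10.0.0.9 ssh-ed25519 {OLD}"]
SCAN = f"10.52.11.171 ssh-ed25519 {NEW}"
PINNED = sha256_fingerprint(NEW)

if __name__ == "__main__":
    print("scanned:", sha256_fingerprint(NEW), "/", md5_fingerprint(NEW))
    for pin in (PINNED, sha256_fingerprint(OLD)):
        lines, ok = replace_if_pinned(KNOWN_HOSTS, SCAN, pin)
        print("updated" if ok else "refused", "->", len(lines), "lines")
```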