SSH: known host with dynamic address
I need to connect to a host with a dynamic IP address.
Every time its IP changes, SSH prompts me with the fingerprint validation thing:
The authenticity of host '...' can't be established.
RSA key fingerprint is ....
Are you sure you want to continue connecting (yes/no)?
Would it be possible to pass SSH the host public key, so that:
- SSH validates the host's authenticity automatically
- The host key is not stored in the known_hosts file
This question differs from "How can I avoid SSH's host verification for known hosts?" since that other question aims to suppress SSH validation, while I do not want to suppress it: I do want to have the host authenticated, just using the host's public key (which I know, and have stored in a file) rather than the SSH known_hosts file.
To me the other question seems to be about connecting to a different server every time, rather than connecting to a single well-known server with a dynamic IP.
Solution 1:
The best solution (i.e. closest to what I want) I could find is to use the option HostKeyAlias: it will use a hostname I specify to access known_hosts (rather than the IP I'm connecting to).
I will need to add the host's public key to known_hosts using a given hostname (e.g. myhost) and then connect to it using:
ssh -o 'HostKeyAlias myhost' ...
Solution 2:
The known_hosts file is not just the key; it also contains the hostname you use to connect and, if possible, the IP that corresponds. That is why you see the error: it is comparing the triplet it gets from the server with what you stored in the known_hosts file.
So, if the IP keeps changing, you could disable CheckHostIP, and that means it will just check the hostname and host key. If those remain unaltered, you should have fewer complaints, but you will be at risk if someone hijacks your DNS.
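The two answers combined, as an added example that is not part of either original post: the host key is pinned under the alias myhost in a separate file, so nothing is written to the default known_hosts and a changed IP does not trigger the prompt. The function names, file paths and sample key are assumptions, and GlobalKnownHostsFile=/dev/null is an extra choice made here so that only the pinned file is trusted.

```shell
#!/bin/sh
# Added example: pin one server's host key under an alias, outside ~/.ssh/known_hosts.

# Constructed sample line in the format of /etc/ssh/ssh_host_ed25519_key.pub (not a real key).
SAMPLE_PUBKEY_LINE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealHostKey0000000 root@server'

# write_pinned_known_hosts ALIAS PUBKEY_FILE OUT_FILE
# Turns "keytype base64 [comment]" into the known_hosts line "ALIAS keytype base64".
write_pinned_known_hosts() {
    alias_name=$1; pubkey_file=$2; out_file=$3
    keytype=; keydata=
    [ -r "$pubkey_file" ] || return 1
    # read fails on a missing trailing newline but still fills the variables
    read -r keytype keydata _comment < "$pubkey_file" || true
    # Alias must be a plain name: no spaces, commas or wildcard characters
    case $alias_name in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    # Accept only public key type names, and only base64 in the key field
    case $keytype in ssh-*|ecdsa-sha2-*|sk-*) ;; *) return 1 ;; esac
    case $keydata in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    # Subshell keeps the restrictive umask from leaking into the caller
    ( umask 077; printf '%s %s %s\n' "$alias_name" "$keytype" "$keydata" > "$out_file" )
}

# ssh_pinned ALIAS KNOWN_HOSTS_FILE DESTINATION [COMMAND...]
ssh_pinned() {
    alias_name=$1; pinned_file=$2; shift 2
    # HostKeyAlias:           look the key up under the alias, not the address
    # UserKnownHostsFile:     use the pinned file instead of ~/.ssh/known_hosts
    # GlobalKnownHostsFile:   ignore system-wide entries, trust the pinned key only
    # StrictHostKeyChecking:  never prompt, never add keys, refuse on mismatch
    # CheckHostIP=no:         do not compare or record the changing IP address
    ssh -o "HostKeyAlias=$alias_name" \
        -o "UserKnownHostsFile=$pinned_file" \
        -o GlobalKnownHostsFile=/dev/null \
        -o StrictHostKeyChecking=yes \
        -o CheckHostIP=no \
        "$@"
}

# Usage (hypothetical paths and address):
#   write_pinned_known_hosts myhost ./myhost_key.pub ./myhost.known_hosts
#   ssh_pinned myhost ./myhost.known_hosts user@current-address
```

With StrictHostKeyChecking=yes, a server presenting any other key is refused outright rather than prompted for.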