Bug 1788

Summary: simple option to ignore known_hosts
Product: Portable OpenSSH Reporter: akostadinov
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: normal CC: dtucker
Priority: P2    
Version: 5.5p1   
Hardware: All   
OS: All   

Description akostadinov 2010-06-30 05:03:49 AEST 
Hello,

when one works with dynamic provisioning of machines, known_hosts checks stop being an effective security measure and are PITA to deal with.

For exmaple when one creates lots of Amazon EC2 cloud machines and connects to them, one gets asked for confirmations as well known_hosts get bloated with useless records. 

Could you implement a simple option to ignore known_host checks and also not record fingerprints in known_hosts?

Currently my workaround is like:
Host *.amazonaws.com
   HashKnownHosts no
   CheckHostIP no
   StrictHostKeyChecking no
   UserKnownHostsFile /tmp/somefile
Comment 1 Darren Tucker 2010-07-02 13:29:42 AEST 
You can already do this with "UserKnownhostsFile /dev/null" but that doesn't make it a good idea as you lose all MITM protection.

If you have a pre-existing trust relationship with the provisioner then they could create a certified host key (see SSH_KNOWN_HOSTS_FORMAT in sshd(8) and ssh-keygen(1))
Comment 2 Damien Miller 2011-01-24 12:33:56 AEDT 
Move resolved bugs to CLOSED after 5.7 release