Bug 1788 - simple option to ignore known_hosts
Summary: simple option to ignore known_hosts
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 5.5p1
Hardware: All All
Importance: P2 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2010-06-30 05:03 AEST by akostadinov
Modified: 2011-01-24 12:33 AEDT (History)
CC: 1 user

See Also:


Description akostadinov 2010-06-30 05:03:49 AEST
Hello,

When one works with dynamic provisioning of machines, known_hosts checks stop being an effective security measure and are a PITA to deal with.

For example, when one creates lots of Amazon EC2 cloud machines and connects to them, one gets asked for confirmations, and known_hosts gets bloated with useless records.

Could you implement a simple option to ignore known_hosts checks and also not record fingerprints in known_hosts?

Currently my workaround is like:
Host *.amazonaws.com
   HashKnownHosts no
   CheckHostIP no
   StrictHostKeyChecking no
   UserKnownHostsFile /tmp/somefile
Comment 1 Darren Tucker 2010-07-02 13:29:42 AEST
You can already do this with "UserKnownHostsFile /dev/null", but that doesn't make it a good idea, as you lose all MITM protection.

If you have a pre-existing trust relationship with the provisioner, then they could create a certified host key (see SSH_KNOWN_HOSTS_FORMAT in sshd(8) and ssh-keygen(1)).
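The certified-host-key alternative from the comment above, as an added example that is not part of the bug report or of OpenSSH itself: the provisioner keeps a host CA, signs each new instance's host key with it, and the client trusts the CA through one @cert-authority line instead of disabling StrictHostKeyChecking. The directory layout, the CA comment, the certificate identity and the ec2-*.amazonaws.com host name are hypothetical; the ed25519 key type assumes an OpenSSH new enough to support it (the bug was filed against 5.5p1, where RSA would be used instead).

```sh
#!/bin/sh
# Added example, not code from the bug report or the OpenSSH project.
# Shows the host-CA workflow from Darren Tucker's comment end to end.
set -eu

# Emit the known_hosts line that makes ssh accept any host certificate
# signed by the CA whose public key is in file $1, for hosts matching
# pattern $2. This is the @cert-authority marker described under
# SSH_KNOWN_HOSTS_FORMAT in sshd(8); the key comment is dropped.
cert_authority_line() {
    read -r ktype blob _comment < "$1"
    printf '@cert-authority %s %s %s\n' "$2" "$ktype" "$blob"
}

# Create a CA, sign a freshly generated host key with it, and write a
# known_hosts file that trusts the CA. $1 is a scratch directory.
# Requires ssh-keygen with certificate support (OpenSSH 5.4 or later).
provision_host_ca() {
    dir=$1
    # 1. CA keypair. The private half ("host_ca") never leaves the
    #    provisioner; only "host_ca.pub" is distributed to clients.
    ssh-keygen -q -t ed25519 -N '' -C 'hypothetical-host-ca' -f "$dir/host_ca"
    # 2. Host key, as generated on a newly booted instance.
    ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
    # 3. Sign it: -h makes a host certificate, -n lists the principals
    #    (names a client may connect to), -I is the identity sshd logs,
    #    -V limits validity so a leaked cert expires on its own.
    #    Output is "$dir/ssh_host_ed25519_key-cert.pub".
    ssh-keygen -q -s "$dir/host_ca" -I 'hypothetical-ec2-instance' -h \
        -n 'ec2-203-0-113-10.compute-1.amazonaws.com' -V +52w \
        "$dir/ssh_host_ed25519_key.pub"
    # 4. A single known_hosts line covers every host the CA will ever sign,
    #    so the file no longer grows with each provisioned machine.
    cert_authority_line "$dir/host_ca.pub" '*.amazonaws.com' > "$dir/known_hosts"
}

# Run as: sh host_ca_demo.sh /path/to/scratch/dir
if [ $# -eq 1 ]; then
    provision_host_ca "$1"
    cat "$1/known_hosts"
fi
```

On the instance, sshd(8) is then started with HostCertificate pointing at ssh_host_ed25519_key-cert.pub next to the usual HostKey. On the client, the generated file replaces the reporter's workaround: UserKnownHostsFile points at it and StrictHostKeyChecking stays at its default, so a host presenting a key not signed by the CA is still rejected rather than silently accepted as it would be with /dev/null.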
Comment 2 Damien Miller 2011-01-24 12:33:56 AEDT
Move resolved bugs to CLOSED after 5.7 release