Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
What I want to do is disable this for certain hosts in a specific IP address range. And I am accessing these hosts by IP address. The problem happens because they are always newly installed hosts. Sometimes the same machine is reinstalled many times. Sometimes it is running from DVD and there is no persistency of the host ID. Sometimes there is other IP address switching going on. But in all cases these are either link-local or private IP addresses, and always accessed by IP address.
Removing one host from ~/.ssh/known_hosts is a pain. It's always so much easier to just "rm -f ~/.ssh/known_hosts". But that loses all my other host IDs, so I'd rather not be doing that.
So disabling this for these IPs (all link-local or private IPs) would be the solution. According to "man ssh_config" I should just specify "CheckHostIP no" for these IP addresses (in a "Host" context for them).
But that does not work. I've done it like this:
Code:
Host fe80:* 169.254.*
    CheckHostIP no
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_local
Host fc*:* fd*:* 10.* 44.* 192.168.*
    CheckHostIP no
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_private
Host *
    CheckHostIP yes
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id
    Protocol 2
    AddressFamily any
    Ciphers 3des-cbc,blowfish-cbc
    Compression yes
    CompressionLevel 1
    ConnectionAttempts 4
    DSAAuthentication yes
    EscapeChar ^\
    FallBackToRsh no
    ForwardAgent yes
    ForwardX11 yes
    GatewayPorts yes
    KeepAlive yes
    RhostsAuthentication no
    RhostsRSAAuthentication no
    ServerAliveInterval 150
    ServerAliveCountMax 3
    SkeyAuthentication no
    StrictHostKeyChecking no
    TCPKeepAlive no
    UsePrivilegedPort no
    UseRsh no
Is that the correct config directive to disable this host ID checking? Is something else I have specified conflicting with it?
Not a great solution, but you could write a script that scrubs your known_hosts file of these IP ranges and then calls the standard ssh.
Or I could have it switch a symlink known as ~/.ssh/known_hosts between the real file at another name and /dev/null. Both solutions have a risk that more than one ssh can be starting at the same time. I have a couple of scripts that distribute files via rsync over ssh that run as many as 8 rsync instances in parallel. I have some heavy-duty use here.
From a man page for the ssh_config file: The option CheckHostIP specifies whether or not ssh will additionally check the host IP address that connects to the server to detect DNS spoofing. It's recommended that you set this option to yes.
If I remember correctly, the known_hosts file attaches the host name as well as the host IP address to the signature. This setting is used for computers that have the IP address changing, but keeping the same host name and signature. Not what you are having a problem with.
I still suggest a script that scrubs the specific IP addresses from known_hosts and logs them. This way you have an audit trail if needed. Always better to have too much information than not enough.
I also worry about your configuration if you are constantly having to reload the OS. I have had Linux production systems up for months and only rebooted because of kernel updates.
The constant loading of OS on the servers is for testing purposes. There are no issues there. It would be complicated to pre-load the host key (would have to rebuild all the distributions being tested). And about 60% of this involves firing up a distro (Fedora, Ubuntu (most often), Slackware) in a "try without installing" mode.
I am always connecting by IP address, not hostname. Most of the time it is by IPv6 link-local (addresses beginning with "fe80::"). So it shouldn't be testing a hostname. However, maybe it is testing the IP in the guise of a hostname (and with "CheckHostIP yes" might be checking it twice).
Still, I was pondering your script suggestion and decided to try this solution that works: a front end script for all "ssh" commands (called "ssh") that checks the target host to see if it is one of the local/private IPs. If so, it adds the option (-o 'UserKnownHostsFile /dev/null') on the command line, defeating all attempts to use the known_hosts file. That is working. It's sorta like scrubbing, right?
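A front-end "ssh" wrapper of the kind described in the last post, as an added example (not the poster's script): it pulls the destination out of the ssh argument list, checks it against the same link-local and private ranges the config above uses, and only for those adds the known_hosts bypass. The path of the real client (/usr/bin/ssh) and the inclusion of the 172.16/12 range, which the poster's config does not list, are assumptions.

```shell
#!/bin/sh
# Front-end "ssh" wrapper in the spirit of the one described in the thread (example code,
# not the poster's script). Installed ahead of the real binary in $PATH under the name "ssh".
REAL_SSH=/usr/bin/ssh          # assumption: location of the real OpenSSH client

# Print the destination host from an ssh(1) argument list: the first argument that is neither
# an option nor the value of one. "user@" and IPv6 brackets are stripped. Known limitation:
# a value-taking flag glued to boolean flags ("-Ap 22") is not recognised.
target_host() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -[BbcDEeFIiJLlmOopQRSWw])  shift 2 ;;   # flag whose value is the next argument
            -[BbcDEeFIiJLlmOopQRSWw]*) shift ;;     # same flag with the value attached (-p2222)
            -*)                        shift ;;     # boolean flag (-v, -tt, -46 ...)
            *) th=${1#*@}; th=${th#\[}; th=${th%\]}
               printf '%s\n' "$th"; return 0 ;;
        esac
    done
    return 1                                        # no destination found
}

# Succeed only for the ranges the thread's config targets: IPv6 link-local and ULA (fe80::,
# fc00::/7), IPv4 link-local and RFC 1918 (172.16/12 added here). Case-insensitive.
is_local_or_private() {
    lh=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lh" in
        fe80:*|fc*:*|fd*:*)                    return 0 ;;
        169.254.*|10.*|192.168.*)              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

run_ssh() {
    if dest=$(target_host "$@") && is_local_or_private "$dest"; then
        # Throwaway test hosts: never consult or record a host key, as the poster's wrapper
        # does. StrictHostKeyChecking=no on the command line avoids the "continue connecting?"
        # prompt even if the user's ssh_config does not already set it. The range check is the
        # only thing limiting the exposure, since nothing on these connections is verified.
        exec "$REAL_SSH" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"
    fi
    exec "$REAL_SSH" "$@"
}

# Dispatch only when actually invoked as "ssh"; sourcing the file for tests execs nothing.
case "${0##*/}" in ssh) run_ssh "$@" ;; esac
```

Both options are also ordinary ssh_config keywords, so `UserKnownHostsFile /dev/null` could equally be placed in the `Host fe80:* 169.254.*` and `Host fc*:* fd*:* ...` blocks of the config above, which avoids the wrapper's argument parsing altogether.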