Old 09-15-2010, 09:18 AM   #1
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,684
Blog Entries: 31

Rep: Reputation: 176
OpenSSH host ID changing


If you've seen this before, you know what I mean:

Code:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

What I want to do is disable this for certain hosts in a specific IP address range. And I am accessing these hosts by IP address. The problem happens because they are always newly installed hosts. Sometimes the same machine is reinstalled many times. Sometimes it is running from DVD and there is no persistency of the host ID. Sometimes there is other IP address switching going on. But in all cases these are either link-local or private IP addresses, and always accessed by IP address.

Removing one host from ~/.ssh/known_hosts is a pain. It's always so much easier to just "rm -f ~/.ssh/known_hosts". But that loses all my other host IDs, so I'd rather not be doing that.

So disabling this for these IPs (all link-local or private IPs) would be the solution. According to "man ssh_config" I should just specify "CheckHostIP no" for these IP addresses (in a "Host" context for them).

But that does not work. I've done it like this:
Code:
Host fe80:* 169.254.*
CheckHostIP no
IdentitiesOnly yes
IdentityFile ~/.ssh/id_local

Host fc*:* fd*:* 10.* 44.* 192.168.*
CheckHostIP no
IdentitiesOnly yes
IdentityFile ~/.ssh/id_private

Host *
CheckHostIP yes
IdentitiesOnly yes
IdentityFile ~/.ssh/id

Protocol 2
AddressFamily any
Ciphers 3des-cbc,blowfish-cbc
Compression yes
CompressionLevel 1
ConnectionAttempts 4
DSAAuthentication yes
EscapeChar ^\
FallBackToRsh no
ForwardAgent yes
ForwardX11 yes
GatewayPorts yes
KeepAlive yes
RhostsAuthentication no
RhostsRSAAuthentication no
ServerAliveInterval 150
ServerAliveCountMax 3
SkeyAuthentication no
StrictHostKeyChecking no
TCPKeepAlive no
UsePrivilegedPort no
UseRsh no

Is that the correct config directive to disable this host ID checking? Is something else I have specified conflicting with it?
 
Old 09-15-2010, 12:48 PM   #2
dcellis1950
LQ Newbie
 
Registered: Nov 2009
Posts: 14

Rep: Reputation: 2
Not a great solution, but you could write a script that scrubs your known_hosts files of these IP ranges and then calls the standard ssh.
 
1 members found this post helpful.
Old 09-15-2010, 01:32 PM   #3
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,684

Original Poster
Blog Entries: 31

Rep: Reputation: 176
Quote:
Originally Posted by dcellis1950
Not a great solution, but you could write a script that scrubs your known_hosts files of these IP ranges and then calls the standard ssh.
Or I could have it switch a symlink known as ~/.ssh/known_hosts between the real file at another name, and /dev/null. Both solutions have a risk that more than one ssh can be starting at the same time. I have a couple scripts that distribute files via rsync over ssh that run as many as 8 rsync instances in parallel. I have some heavy duty use, here.
 
Old 09-15-2010, 02:12 PM   #4
dcellis1950
LQ Newbie
 
Registered: Nov 2009
Posts: 14

Rep: Reputation: 2
From a man page for the ssh_config file: The option CheckHostIP specifies whether or not ssh will additionally check the host IP address that connect to the server to detect DNS spoofing. It's recommended that you set this option to yes.

If I remember correctly, the known_hosts file attaches the host name as well as the host IP address to the signature. This setting is used for computers that have the IP address changing, but keeping the same host name and signature. Not what you are having a problem with.

I still suggest a script that scrubs the specific IP addresses from known_hosts and logs them. This way you have an audit trail if needed. Always better to have too much information than not enough.

I also worry about your configuration if you are constantly having to reload the OS. I have had Linux production systems up for months and only rebooted because of kernel updates.
 
Old 09-15-2010, 02:40 PM   #5
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,684

Original Poster
Blog Entries: 31

Rep: Reputation: 176
The constant loading of OS on the servers is for testing purposes. There are no issues there. It would be complicated to pre-load the host key (would have to rebuild all the distributions being tested). And about 60% of this involves firing up a distro (Fedora, Ubuntu (most often), Slackware) in a "try without installing" mode.

I am always connecting by IP address, not hostname. Most of the time it is by IPv6 link-local (addresses beginning with "fe80::"). So it shouldn't be testing a hostname. However, maybe it is testing the IP in the guise of a hostname (and with "CheckHostIP yes" might be checking it twice).

Still, I was pondering your script suggestion and decided to try this solution that works: a front end script for all "ssh" commands (called "ssh") that checks the target host to see if it is one of the local/private IPs. If so, it adds the option (-o 'UserKnownHostsFile /dev/null') on the command line, defeating all attempts to use the known_hosts file. That is working. It's sorta like scrubbing, right?
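The two ideas in this thread fit together in one front end: the logged scrub of known_hosts entries that dcellis1950 suggests in post #4, and the "ssh" wrapper that adds UserKnownHostsFile /dev/null for local and private targets that Skaperen describes in post #5. Below is an added example of such a wrapper, written for this page; it is not the poster's actual script. It assumes the real binary lives at /usr/bin/ssh (REAL_SSH overrides that), that known_hosts is not hashed (hashed "|1|" lines cannot be matched by address and are left alone), and it uses a deliberately simplified parse of the ssh command line. Function names, the KNOWN_HOSTS and SCRUB_LOG paths, and the address ranges are all choices made here, not anything from the thread.

```shell
#!/bin/sh
# Added example for this thread (not the poster's own script): an "ssh" front
# end that, for link-local and private targets only, scrubs stale known_hosts
# entries into an audit log (post #4) and then bypasses known_hosts with
# UserKnownHostsFile=/dev/null (post #5). Every other destination keeps
# normal host key checking. Assumed: the real binary is /usr/bin/ssh (override
# with REAL_SSH), known_hosts is not hashed (hashed "|1|" lines are kept as is).
set -u
KNOWN_HOSTS=${KNOWN_HOSTS:-${HOME:-.}/.ssh/known_hosts}
SCRUB_LOG=${SCRUB_LOG:-${HOME:-.}/.ssh/known_hosts.scrubbed}

# is_local_addr ADDR: succeed if ADDR is link-local or private
# (IPv4 169.254/16 and RFC 1918; IPv6 fe80::/10 and fc00::/7). Hostnames fail.
is_local_addr() {
    a=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/%.*$//')   # drop %zone
    case "$a" in
        fe[89ab]?:*|f[cd]??:*) return 0 ;;
        169.254.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# target_host ARGS...: print the destination from an ssh command line. OpenSSH
# options that take a value (-b -B -c -D -e -E -F -i -I -J -l -L -m -o -O -p
# -Q -R -S -w -W) are skipped with their value; "user@" and brackets are
# stripped. Simplification: bundled flags such as -vp are not understood.
target_host() {
    skip=0
    for arg in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case "$arg" in
            -[bBcDeEFiIJlLmoOpQRSwW]) skip=1 ;;   # value is the next word
            -*) ;;                               # flag or option with attached value
            *) h=${arg#*@}; h=${h#"["}; h=${h%"]"}; printf '%s\n' "$h"; return 0 ;;
        esac
    done
    return 1
}

# scrub_known_hosts ADDR [FILE] [LOG]: remove every entry for ADDR from FILE,
# appending each removed line, timestamped, to LOG; prints how many were
# removed. Handles "[host]:port" names and "@cert-authority"/"@revoked"
# markers. Not atomic against concurrent scrubs: serialize with flock(1)
# if several wrappers can start at once.
scrub_known_hosts() {
    addr=$1; kh=${2:-$KNOWN_HOSTS}; logf=${3:-$SCRUB_LOG}
    [ -f "$kh" ] || { printf '0\n'; return 0; }
    tmp="$kh.scrub.$$"; : > "$tmp"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    awk -v addr="$addr" -v out="$tmp" -v logf="$logf" -v stamp="$stamp" '
        BEGIN { removed = 0 }
        NF == 0 || $1 ~ /^#/ { print > out; next }      # keep blanks and comments
        {
            f = ($1 ~ /^@/) ? 2 : 1                      # names follow a marker
            n = split($f, names, ","); hit = 0
            for (i = 1; i <= n; i++) {
                h = names[i]; sub(/^\[/, "", h); sub(/\]:[0-9]+$/, "", h)
                if (h == addr) hit = 1
            }
            if (hit) { removed++; print stamp " " addr " " $0 >> logf }
            else print > out
        }
        END { print removed }' "$kh" &&
        chmod 600 "$tmp" && mv "$tmp" "$kh" || { rm -f "$tmp"; return 1; }
}

# ssh_opts_for ADDR: extra options for ADDR, empty for everything else. The
# known_hosts file is bypassed and StrictHostKeyChecking is off so a fresh key
# does not prompt (the poster relied on a global "StrictHostKeyChecking no").
ssh_opts_for() {
    if is_local_addr "$1"; then
        printf '%s\n' "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
    fi
}

# ssh_wrapper ARGS...: install this file as "ssh" ahead of /usr/bin/ssh in
# PATH and every ssh (including rsync -e ssh) call passes through here.
ssh_wrapper() {
    real=${REAL_SSH:-/usr/bin/ssh}
    host=$(target_host "$@") || exec "$real" "$@"
    opts=""
    if is_local_addr "$host"; then
        scrub_known_hosts "$host" >/dev/null   # removed keys stay in the audit log
        opts=$(ssh_opts_for "$host")
    fi
    exec "$real" $opts "$@"                    # $opts unquoted: zero or more words
}

[ $# -eq 0 ] || ssh_wrapper "$@"   # with no arguments nothing runs (e.g. when sourced)
```

The scrub only matters for entries left behind by earlier, unwrapped sessions; once every connection goes through the wrapper, known_hosts never gains entries for these ranges and the scrub becomes a no-op, so the read-modify-write race with eight parallel rsync runs stops being a concern. Note what is given up inside the matched ranges: with the file bypassed, a changed key on a link-local or private address is never noticed, which is exactly why the match is restricted to those ranges and everything else keeps the warning. The same two options (UserKnownHostsFile and StrictHostKeyChecking) are also valid inside a "Host fe80:* 169.254.* ..." block in ssh_config, which gives the post #5 behaviour without a wrapper, only without the audit log.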
 
Old 09-16-2010, 07:19 AM   #6
dcellis1950
LQ Newbie
 
Registered: Nov 2009
Posts: 14

Rep: Reputation: 2
Glad to be a sounding board for you. Good luck.
 
  

