SSH Host Key Checking

One of the things that’s always annoyed me, but not to such a degree that I’ve felt compelled to expend any effort “fixing” it, is the prompt that I get every time I SSH to a machine that I haven’t connected to before. It looks a little something like this:

The authenticity of host 'host.domain.tld (' can't be established.
RSA key fingerprint is 58:3d:dc:39:b3:5c:44:0b:ah:9b:7d:01:8e:f2:f8:77.
Are you sure you want to continue connecting (yes/no)?

Because it’s not a huge deal to type “yes” to create the connection, I’ve never cared enough to really look into it.

This morning, though, I was trying to do a pull from one of my git repositories only to find that the server signature had changed and my connection was terminated. As far as I know, the only way to re-establish a connection terminated for this reason is to remove that server from my list of known hosts. To do so I usually crack open my ~/.ssh/known_hosts file, find the line that begins with the host name of the server I’m trying to connect to and delete that line. The next time I try to connect, the server is added back to the file (after typing “yes” again).

Unfortunately, I was working on my Linux machine this morning and I got an unpleasant surprise when I opened my ~/.ssh/known_hosts file. Ubuntu, unlike every other Unix flavor I’ve worked with/in, encrypts the contents of that file. That meant I couldn’t find the line for the particular server whose signature changed for the purpose of surgical deletion. To reset that server as a known host, I’d have to delete the entire contents of the file. I connect to a number of servers and this has become a big file; I didn’t want to have to type “yes” that many times so a “fixing” the annoyance took on a greater urgency.

This is when it’s really handy to work with a Linux sys admin. He heard me expressing my annoyance in a semi-colorful manner and told me to just shut off the authentication prompt. Hearing the ability to kill two birds with one stone, I did a quick search, then cracked open my SSH config file (/etc/ssh/ssh_config) and edited the following line:

# StrictHostKeyChecking ask

I uncommented the line and changed the value to “no” and I’m no longer prompted when connecting to new machines. Now it’s safe to clear my known_hosts file without bother. I do still get a warning that a new host has been added to my file (which is nice), but no interaction is required.

Subscribe2 Comments on SSH Host Key Checking

  1. Matt Schinckel said...

    On my OS X machine, it was /etc/ssh_config, not /etc/ssh/ssh_config.

    And, you can also set it in ~/.ssh/config, if you aren’t an admin on the machine you are working on. Without the # at the start, of course.

  2. Rob Wilkerson said...

    Yep, I should have mentioned that. At the time I wrote this, I was working on my Ubuntu box so I wrote using that path. Thanks for clarifying.

    Actually, on my OS X machine (10.5.x) there are a couple of ssh_config files: one is in /private/etc/ssh_config (that’s the one I changed) and there’s another in /opt/local/etc/ssh/ssh_config. The latter directory is created and used by MacPorts installs, so I left it alone. I’m assuming MacPorts uses that SSH executable for downloading packages.