Secure Shell
Alternative to -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ? Mar 03 2009 03:04PM "Peter Valdemar Mørch (Lists)" (4ux6as402 sneakemail com) (2 replies)
  Re: Alternative to -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ? Mar 04 2009 04:59AM Darren Tucker (dtucker zip com au)
  Re: Alternative to -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ? Mar 03 2009 07:30PM Brian Torbich (btorbich voicemarketing net) (1 reply)
Brian Torbich btorbich-at-voicemarketing.net |Lists| wrote:
> Maybe you are misunderstanding how this works and what it is supposed
> to do....
Perhaps. And perhaps you are misunderstanding my question.
> If you do allow it to save to a real known_hosts file it should no
> longer ask you or warn you about "man in the middle" attacks because
> you do have "StrictHostKeyChecking=no". As the whole purpose of that
> is to warn you when a host has changed and there is a possible
> "man in the middle" attack.
>
> I do not know of a way to avoid that initial adding to the
> "known_hosts" file. But if you allow it to save to a regular
> known_hosts file, you should only have to hit (y) 1 time to add that
> initial known_hosts signature and that is it. So, even if the host
> changes, it won't matter. It shouldn't prompt you again to add it
> again or warn you that it has changed since you have
> "StrictHostKeyChecking=no".
For the fun of it, I edited my regular ~/.ssh/known_hosts file, and
assigned a wrong fingerprint to a host.
Running with "StrictHostKeyChecking=no" only gets me 24 lines of warning
output containing
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
and especially:
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid
man-in-the-middle attacks.
Agent forwarding is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
So it *does* actually log in, but uhm, the output is much worse than the
one warning I now get, and this is not what I want. I would like to
gracefully disable key checking entirely so I get zero lines of warnings.
Peter
--
Peter Valdemar Mørch
http://www.morch.com
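As an added example (written for this archive page, not code from the thread or from OpenSSH), here is a Python model of the known_hosts lookup that Peter's edited entry triggered: it classifies a presented key as match, unknown or mismatch and maps each outcome to what every StrictHostKeyChecking value does with it, including the later accept-new option (OpenSSH 7.6+) that answers the thread's question. The host key bytes, host names and hashed-host salt are constructed placeholders.

```python
import base64
import hashlib
import hmac

# ssh's action per StrictHostKeyChecking value; accept-new (OpenSSH 7.6+) postdates the thread.
POLICY = {
    "yes": {"match": "connect", "unknown": "refuse", "mismatch": "refuse"},
    "ask": {"match": "connect", "unknown": "prompt", "mismatch": "refuse"},
    "accept-new": {"match": "connect", "unknown": "add silently", "mismatch": "refuse"},
    "no": {"match": "connect", "unknown": "add silently",
           "mismatch": "connect with banner; password/agent/X11 disabled"},
}

def ssh_string(b):
    return len(b).to_bytes(4, "big") + b

def ed25519_key_b64(raw32):
    """Base64 ssh-ed25519 public key blob: string('ssh-ed25519') + string(32 key bytes)."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()

# Constructed sample (32 placeholder key bytes), NOT a real host key.
SAMPLE_KEY_B64 = ed25519_key_b64(bytes(range(32)))

def hashed_hostname(host, salt):
    """HashKnownHosts form of a host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def hostname_matches(field, host):
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hashed_hostname(host, salt), field)
    return host in field.split(",")  # plain names only; wildcards and [host]:port omitted

def check_host_key(known_hosts_text, host, keytype, key_b64):
    """'match', 'mismatch' (a key for this host exists but differs) or 'unknown'."""
    other_key_seen = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":  # comments, @cert-authority/@revoked
            continue
        if fields[1] != keytype or not hostname_matches(fields[0], host):
            continue
        if fields[2] == key_b64:
            return "match"
        other_key_seen = True
    return "mismatch" if other_key_seen else "unknown"

def decide(known_hosts_text, host, keytype, key_b64, strict="ask"):
    return POLICY[strict][check_host_key(known_hosts_text, host, keytype, key_b64)]
```

The "mismatch" row under "no" is the 24-line banner plus the disabled-authentication lines Peter pasted; a pinned per-host known_hosts file with StrictHostKeyChecking=yes (or accept-new) gives zero prompts on a matching key without giving up that check.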