SSH Host Key Checking

One of the things that’s always annoyed me, but not to such a degree that I’ve felt compelled to expend any effort “fixing” it, is the prompt that I get every time I SSH to a machine that I haven’t connected to before. It looks a little something like this:

The authenticity of host 'host.domain.tld (192.168.1.16)' can't be established.
RSA key fingerprint is 58:3d:dc:39:b3:5c:44:0b:ah:9b:7d:01:8e:f2:f8:77.
Are you sure you want to continue connecting (yes/no)?

Because it’s not a huge deal to type “yes” to create the connection, I’ve never cared enough to really look into it.

This morning, though, I was trying to do a pull from one of my git repositories only to find that the server signature had changed and my connection was terminated. As far as I know, the only way to re-establish a connection terminated for this reason is to remove that server from my list of known hosts. To do so I usually crack open my ~/.ssh/known_hosts file, find the line that begins with the host name of the server I’m trying to connect to and delete that line. The next time I try to connect, the server is added back to the file (after typing “yes” again).

Unfortunately, I was working on my Linux machine this morning and I got an unpleasant surprise when I opened my ~/.ssh/known_hosts file. Ubuntu, unlike every other Unix flavor I’ve worked with/in, encrypts the contents of that file. That meant I couldn’t find the line for the particular server whose signature changed for the purpose of surgical deletion. To reset that server as a known host, I’d have to delete the entire contents of the file. I connect to a number of servers and this has become a big file; I didn’t want to have to type “yes” that many times, so “fixing” the annoyance took on greater urgency.

This is when it’s really handy to work with a Linux sys admin. He heard me expressing my annoyance in a semi-colorful manner and told me to just shut off the authentication prompt. Seeing a chance to kill two birds with one stone, I did a quick search, then cracked open my SSH config file (/etc/ssh/ssh_config) and edited the following line:

# StrictHostKeyChecking ask

I uncommented the line and changed the value to “no” and I’m no longer prompted when connecting to new machines. Now it’s safe to clear my known_hosts file without bother. I do still get a warning that a new host has been added to my file (which is nice), but no interaction is required.
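The entries that make an Ubuntu known_hosts file look encrypted are hashed, not encrypted, so the line for one host can still be found and deleted without wiping the whole file. As an added example that is not from the original post, the Python below reproduces OpenSSH's hashed-entry format (`|1|salt|mac`, where the mac is HMAC-SHA1 keyed with the salt over the host name) on a constructed known_hosts file and removes only the lines for a given host; the host names, salt and key strings are invented placeholders.

```python
import base64
import hashlib
import hmac

# Constructed sample: one plain entry plus two entries in OpenSSH's hashed
# form "|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>". The host names,
# the salt and the key blob are invented placeholders, not real keys.
SALT = bytes(range(20))
FAKE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA"


def hash_hostname(hostname, salt):
    """Base64 HMAC-SHA1 of hostname keyed with salt, as HashKnownHosts stores it."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def hashed_line(hostname, salt, key):
    """Build one hashed known_hosts line for hostname."""
    return "|1|%s|%s %s" % (base64.b64encode(salt).decode(),
                            hash_hostname(hostname, salt), key)


SAMPLE_KNOWN_HOSTS = "\n".join([
    "git.example,192.0.2.10 " + FAKE_KEY,
    hashed_line("host.domain.tld", SALT, FAKE_KEY),
    hashed_line("other.domain.tld", SALT, FAKE_KEY),
]) + "\n"


def line_matches_host(line, hostname):
    """True if a known_hosts line (hashed or plain) is the entry for hostname."""
    if not line.strip() or line.startswith("#"):
        return False
    hostfield = line.split(None, 1)[0]
    if hostfield.startswith("|1|"):
        # Recompute the HMAC with the line's own salt and compare.
        _, _, salt_b64, mac_b64 = hostfield.split("|", 3)
        expected = hash_hostname(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, mac_b64)
    # Plain entries may list several comma-separated names and addresses.
    return hostname in hostfield.split(",")


def remove_host(known_hosts, hostname):
    """Return (known_hosts text without hostname's entries, lines removed)."""
    kept, removed = [], 0
    for line in known_hosts.splitlines():
        if line_matches_host(line, hostname):
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed
```

OpenSSH ships the same lookup and removal as `ssh-keygen -F hostname` and `ssh-keygen -R hostname`, which handle hashed entries, so the stale line for a host whose key changed can be dropped without turning off StrictHostKeyChecking.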

2 Comments on SSH Host Key Checking

  1. Matt Schinckel said...

    On my OS X machine, it was /etc/ssh_config, not /etc/ssh/ssh_config.

    And, you can also set it in ~/.ssh/config, if you aren’t an admin on the machine you are working on. Without the # at the start, of course.

  2. Rob Wilkerson said...

    Yep, I should have mentioned that. At the time I wrote this, I was working on my Ubuntu box so I wrote using that path. Thanks for clarifying.

    Actually, on my OS X machine (10.5.x) there are a couple of ssh_config files: one is in /private/etc/ssh_config (that’s the one I changed) and there’s another in /opt/local/etc/ssh/ssh_config. The latter directory is created and used by MacPorts installs, so I left it alone. I’m assuming MacPorts uses that SSH executable for downloading packages.
