I have some cloud boxes that change their IP frequently.
I ssh using the hostname but have to edit the known_hosts file every time the server launches because of this error message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is…
Aside from any security risks and such that are associated with what I want to do, is there a way to either ignore this error or overwrite the known_hosts file automatically such that I don't always have to edit it myself?
Addition: you could try only disabling the CheckHostIP check for that name:
Edit your
.ssh/configfile and add a config for this server:CheckHostIP defaults to 'yes'. What this does is to do just the kind of check you're failing. Turning it off means it just trusts that the IP is variable, and will to key-checking against the hostname.
A lot of the answers here will work - but technically they're workarounds. OpenSSH already has a built-in feature with this in mind:
HostKeyAlias.In your .ssh/config file, add
HostKeyAlias <alias>to a host configuration:With this in place, connecting to server
myserver.example.comwill not use the hostname or the IP address for the local reference - it will always only use the given HostKeyAlias when connecting to that server. For me it makes sense to use the hostname - but you can of course use any alias you like.Typical configs for myself for dynamic hosts are like so:
This can also be used in some obscure scenarios where you know a bunch of your servers have the same host keys (generally this should not be the case). This would then prevent duplicate entries. In future, if the keys legitimately change, you don't have to replace/delete multiple entries. Only one. Gitlab Geo servers are a good example of this.
Regarding clearing the known_hosts file, I would suggest looking at other questions/answers specifically related to maintaining/removing stale known_hosts entries. For example, see https://serverfault.com/questions/29262/how-to-manage-my-ssh-known-hosts-file ; I'm especially impressed by user1953828's answer, though I see it doesn't have many upvotes (yet). :)
I use these dodgy options to work around this problem. (My host's public key is regenerated quite often. so this removes the IP and Key check)
You can also just use this if the Key stays the same but the IP changes:
You could put
CheckHostIP nointo your~/.ssh/configfile, but that leaves you open to spoofing attacks. If you're not concerned about that, then this setting should turn off theknown_hostscheck.You can set StrictHostKeyChecking=no in your ssh client configuration (i.e. The ~/ssh/config file on the machine that you connect from), to ignore the warning.
I avoid adding the fingerprints to my
known_hostsfile when connecting to transient AWS machines. I use a command such asto connect to them. It will not ask you if you want to add the machine “to the list of known hosts.” Replace
10.0.0.5by the IP address of your machine andsecret.pemby the full path of your Ssh key. You will still get a warnings that the10.0.0.5has been added, but it has really vanished into/dev/null. I do this often enough that I set an alias in my~/.profileI reserve
ssh [email protected]type commands for machines were I went to the trouble of checking the fingerprint.Make known_hosts read-only.