I'm attempting to ssh to a remote host:
ssh host.example.com
I get the following:
The authenticity of host 'host.example.com (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is 62:db:31:0b:ce:e3:7b:a1:c7:0f:46:d1:7d:e5:48:10.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
I am using an ssh config in ~/.ssh/config:
Host host.example.com
User deployuser
HostName host.example.com
IdentityFile ~/.ssh/deployuser_key
The host is listed in /etc/ssh/ssh_known_hosts and the fingerprint matches. There is no entry in ~/.ssh/known_hosts.
If I accept the key, it is added to ~/.ssh/known_hosts. I am not sure what the "no hostip for proxy command" indicates and I would like to understand what is causing the problem.
When I run the ssh command with -vvv I can see that ssh is checking /var/lib/sss/pubconf/known_hosts and not /etc/ssh/ssh_known_hosts -- which I believe explains the unexpected behavior (if not the warning message). Once I added the host key to /var/lib/sss/pubconf/known_hosts (via FreeIPA), the connection proceeded without warnings or prompts.
When you connect to an SSH server without a proxy, the IP address of the server is saved and stored into your known hosts file. When you are using a proxy, the client never gets the remote IP. The unhashed version of the known_hosts entry might look like this for a client not using a proxy.
It isn't an 'error', and barely even a useful warning. You can safely just ignore it.
I believe you can suppress the 'warning' by setting the CheckHostIP no option in addition to ProxyCommand. This option basically tells ssh to skip the storing/checking of the IP of the remote. From what I am told, setting this option really doesn't have any security impacts.
Adding these options to ProxyCommand helped me:
-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
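
The settings discussed in this thread (which known_hosts files ssh consults, whether a ProxyCommand is in effect, and whether StrictHostKeyChecking or UserKnownHostsFile switch verification off) can all be read from `ssh -G` output. The script below is an added example, not part of the original posts; the function names and both sample outputs are constructed, and the sss_ssh_knownhostsproxy line is an assumed typical value for an SSSD/FreeIPA client.

```shell
#!/bin/sh
# Added example: audit host-key settings in `ssh -G <host>` output, which lists
# the effective client options as lowercase "key value" lines.
# Real use:  ssh -G host.example.com | hostkey_audit
hostkey_audit() {
    awk '
    $1 == "globalknownhostsfile" { for (i = 2; i <= NF; i++) print "global-file " $i }
    $1 == "userknownhostsfile" {
        for (i = 2; i <= NF; i++) {
            print "user-file " $i
            if ($i == "/dev/null") devnull = 1
        }
    }
    $1 == "proxycommand" && $2 != "none" { proxy = 1 }
    $1 == "stricthostkeychecking"        { strict = $2 }
    END {
        if (proxy)
            print "note proxycommand set: peer IP unknown, host key matched by name only"
        if (strict == "no" || strict == "off" || strict == "false")
            print "weak stricthostkeychecking=" strict ": new host keys accepted without a prompt"
        if (devnull)
            print "weak userknownhostsfile=/dev/null: accepted host keys are never remembered"
    }'
}

# Constructed sample: assumed output on an SSSD/FreeIPA client like the asker's.
sample_sssd() {
    cat <<'EOF'
user deployuser
hostname host.example.com
checkhostip yes
stricthostkeychecking ask
globalknownhostsfile /var/lib/sss/pubconf/known_hosts
userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
proxycommand /usr/bin/sss_ssh_knownhostsproxy -p 22 host.example.com
EOF
}

# Constructed sample: effective values with the two -o options shown above.
sample_disabled() {
    cat <<'EOF'
hostname host.example.com
stricthostkeychecking false
userknownhostsfile /dev/null
EOF
}

sample_sssd | hostkey_audit
sample_disabled | hostkey_audit
```

For the first sample the audit lists /var/lib/sss/pubconf/known_hosts as the only global file, which is why an entry in /etc/ssh/ssh_known_hosts is never consulted on such a client.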