The SSH Who Cried Wolf
Disclaimer: This article lowers the security of your SSH client connection and leaves you vulnerable to man-in-the-middle attacks. For that I take no responsibility. If you follow the steps below you do so at your own risk.
TLDR
Add the following to your ~/.ssh/config file to make SSH shut up:
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    LogLevel ERROR
Wolf! Wolf! The wolf is performing a MITM attack!
Have you ever seen this message when attempting to SSH somewhere?
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
In theory I should investigate if there is indeed a MITM attack. In practice I get this message so often that I don't care. It can happen without a MITM attack for a number of reasons: if you reinstall the machine behind the IP, swap the machine behind the IP, or simply have dynamically assigned IPs that vary over time.
Because of this we have a cry wolf issue where the message can't be taken seriously and instead just annoys in day-to-day work. Bundled with the glorious cry wolf feature we also have these messages:
The authenticity of host '192.168.0.100 (192.168.0.100)' can't be established.
RSA key fingerprint is 3f:1b:f4:bd:c5:aa:c1:1f:bf:4e:2e:cf:53:fa:d8:59.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added '192.168.0.100' (ECDSA) to the list of known hosts.
So let's find a way to make it shut up.
Nobody believes a liar ... even when he is telling the truth!
The salvation can be had by adding four lines to the ~/.ssh/config file. If that file does not exist you may create it manually like this:
cd ~/.ssh
touch config
chmod 600 config
Then add the following four lines in there:
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    LogLevel ERROR
Host * means that we are changing configuration for all hosts and not a specific few.
StrictHostKeyChecking no will allow us to connect to hosts whose host key has changed.
UserKnownHostsFile /dev/null ensures we never store any known hosts and their keys.
LogLevel ERROR suppresses the now redundant known host warning messages.
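To see where these settings are in effect, and whether they apply to every host or only a named few, the following Python audit scans an ssh_config text for them. It is an added example, not part of the original article; the sample config and the lab-*.example.test host pattern are constructed for illustration, and Include directives are not followed.

```python
import re

# Constructed sample: a narrowly scoped block followed by the article's block.
SAMPLE_CONFIG = """\
Host lab-*.example.test
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

Host *
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    LogLevel ERROR
"""

# Values that switch off host key verification or host key persistence.
WEAK = {
    "stricthostkeychecking": {"no", "off"},
    "userknownhostsfile": {"/dev/null"},
}
# ssh_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
LINE = re.compile(r"^\s*([A-Za-z]+)(?:\s*=\s*|\s+)(.*?)\s*$")


def audit_ssh_config(text):
    """Return one (line_no, scope, keyword, applies_to_all) tuple per weak setting."""
    findings = []
    scope = ["*"]  # options before the first Host line apply to every host
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = LINE.match(raw)
        if not m:  # blank line or comment
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip('"')
        if keyword == "host":
            scope = value.split()
        elif keyword == "match":
            scope = ["*"] if value.lower() == "all" else ["match " + value]
        elif value.lower() in WEAK.get(keyword, ()):
            findings.append((line_no, " ".join(scope), keyword, "*" in scope))
    return findings


if __name__ == "__main__":
    for line_no, scope, keyword, everywhere in audit_ssh_config(SAMPLE_CONFIG):
        tag = "ALL HOSTS" if everywhere else "scoped"
        print(f"line {line_no}: {keyword} weakened for '{scope}' [{tag}]")
```

Findings tagged ALL HOSTS correspond to the Host * form shown in this article; findings tagged scoped are limited to the listed host patterns.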