SSH into a box with a frequently changed IP

Question

I have some cloud boxes that change their IP frequently.

I ssh using the hostname but have to edit the known_hosts file every time the server launches because of this error message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is…

Aside from any security risks and such that are associated with what I want to do, is there a way to either ignore this error or overwrite the known_hosts file automatically such that I don't always have to edit it myself?

score 37 · Answer 1 · answered Oct 22 '10 at 09:45

37

Addition: you could try only disabling the CheckHostIP check for that name:

Host *
  [ global settings .. ]

Host very.dynamic.host
  CheckHostIP no

answered Oct 22 '10 at 09:45

Koos van den Hout

1,096

sysadmin1138 · Accepted Answer · 2022-05-02T21:19:44.807

29

Edit your .ssh/config file and add a config for this server:

Host frequent-rotation.example.com
    CheckHostIP no

CheckHostIP defaults to 'yes'. What this does is to do just the kind of check you're failing. Turning it off means it just trusts that the IP is variable, and will to key-checking against the hostname.

edited May 02 '22 at 21:19

answered Oct 21 '10 at 22:31

sysadmin1138

135,853

zaTricky · Answer 3 · 2020-12-21T16:27:12.447

A lot of the answers here will work - but technically they're workarounds. OpenSSH already has a built-in feature with this in mind: HostKeyAlias.

In your .ssh/config file, add HostKeyAlias <alias> to a host configuration:

host myserver.example.com
HostKeyAlias myserver.example.com

With this in place, connecting to server myserver.example.com will not use the hostname or the IP address for the local reference - it will always only use the given HostKeyAlias when connecting to that server. For me it makes sense to use the hostname - but you can of course use any alias you like.

Typical configs for myself for dynamic hosts are like so:

host myserver
hostname myserver.dyn.example.com
HostKeyAlias myserver.private.example.com

This can also be used in some obscure scenarios where you know a bunch of your servers have the same host keys (generally this should not be the case). This would then prevent duplicate entries. In future, if the keys legitimately change, you don't have to replace/delete multiple entries. Only one. Gitlab Geo servers are a good example of this.

Regarding clearing the known_hosts file, I would suggest looking at other questions/answers specifically related to maintaining/removing stale known_hosts entries. For example, see https://serverfault.com/questions/29262/how-to-manage-my-ssh-known-hosts-file ; I'm especially impressed by user1953828's answer, though I see it doesn't have many upvotes (yet). :)

Zv_oDD · Answer 4 · 2015-01-22T23:27:03.890

3

I use these dodgy options to work around this problem. (My host's public key is regenerated quite often. so this removes the IP and Key check)

ssh remoteServerName -l username -o "UserKnownHostsFile=/dev/null"

You can also just use this if the Key stays the same but the IP changes:

ssh remoteServerName -l username -o "CheckHostIP=no"

edited Jan 22 '15 at 23:27

answered Jan 22 '15 at 23:18

Zv_oDD

131
3

score 1 · Answer 5 · answered Oct 21 '10 at 22:31

1

You could put CheckHostIP no into your ~/.ssh/config file, but that leaves you open to spoofing attacks. If you're not concerned about that, then this setting should turn off the known_hosts check.

answered Oct 21 '10 at 22:31

Steven Monday

14,179

score 0 · Answer 6 · answered Oct 21 '10 at 22:29

0

You can set StrictHostKeyChecking=no in your ssh client configuration (i.e. The ~/ssh/config file on the machine that you connect from), to ignore the warning.

answered Oct 21 '10 at 22:29

hayalci

3,721

score 0 · Answer 7 · answered Jun 16 '17 at 14:49

I avoid adding the fingerprints to my known_hosts file when connecting to transient AWS machines. I use a command such as

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i secret.pem ec2-user@10.0.0.5

to connect to them. It will not ask you if you want to add the machine “to the list of known hosts.” Replace 10.0.0.5 by the IP address of your machine and secret.pem by the full path of your Ssh key. You will still get a warnings that the 10.0.0.5 has been added, but it has really vanished into /dev/null. I do this often enough that I set an alias in my ~/.profile

alias awsssh='ssh -i secret.pem -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'

I reserve ssh ec2-user@example.com type commands for machines were I went to the trouble of checking the fingerprint.

SSH into a box with a frequently changed IP

7 Answers7

Linked