Securely avoid SSH warnings for changing IP addresses

If you have servers that change their IP address, you are probably already familiar with the following SSH warning:

The authenticity of host '176.34.91.245 (176.34.91.245)' can't be established.
...
Are you sure you want to continue connecting (yes/no)? yes

Besides being annoying, it is also a security risk to blindly accept this warning and continue connecting. And be honest — almost none of us check the fingerprint in advance every time.

A common scenario for this use case is when you have an EC2 server in Amazon AWS which you temporarily stop and then start, in order to cut costs. I have a backup server which I use in this way.

In order to securely avoid this SSH warning and still be sure that you connect to your trusted server, you have to save the fingerprint in a separate file and update the IP address in it every time before you connect. Here are the connect commands, which you can also encapsulate in a Bash wrapper script:

IP=176.34.91.245 # use an IP address here, not a hostname
FPFILE=~/.ssh/aws-backup-server.fingerprint

test -e "$FPFILE" && perl -pi -e "s/^\S+ /$IP /" "$FPFILE"
ssh -o StrictHostKeyChecking=ask -o UserKnownHostsFile="$FPFILE" root@$IP

Note that the FPFILE is not required to exist on the first SSH connect. The first time you connect to the server, the FPFILE will be created when you accept the SSH warning. Subsequent connections will not show an SSH warning or ask you to accept the fingerprint again.
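The same procedure as a small POSIX shell wrapper, added here as an example (it is not the post's own script): the function names are assumptions, and the key lines used in the comments and tests are constructed, not real keys. It goes slightly beyond the one-liner above by leaving comment lines alone and by handling known_hosts lines that start with a marker such as @cert-authority.

```shell
#!/bin/sh
# Added example: wrapper around the post's connect commands. Function names
# are assumptions; no real host keys appear here.

# rewrite_host_field FILE NEWHOST
# Rewrites the host field of every key line in a known_hosts-style FILE to
# NEWHOST, keeping key type and key intact. A hashed host token (|1|salt|hash)
# contains no whitespace, so it is replaced just like a plain IP. Lines that
# start with a marker (e.g. @cert-authority) keep the marker and get their
# second field rewritten. A missing FILE is fine: it is the first connect.
rewrite_host_field() {
    file=$1; newhost=$2
    [ -e "$file" ] || return 0
    tmp=$(mktemp) || return 1
    awk -v h="$newhost" '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { print; next }  # keep blanks/comments
        $1 ~ /^@/ { $2 = h; print; next }                     # marker lines
        { $1 = h; print }                                     # plain key lines
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# connect_server IP FPFILE [USER]
# Refuses anything that is not a dotted IPv4 address (the fingerprint file is
# keyed by the current address, as the post says), updates the file, then
# connects exactly as the post does.
connect_server() {
    ip=$1; fpfile=$2; user=${3:-root}
    case $ip in
        *[!0-9.]*|"") echo "connect_server: expected a dotted IPv4 address" >&2; return 2 ;;
    esac
    rewrite_host_field "$fpfile" "$ip" || return 1
    ssh -o StrictHostKeyChecking=ask -o UserKnownHostsFile="$fpfile" "$user@$ip"
}
```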


2 thoughts on “Securely avoid SSH warnings for changing IP addresses”

  1. To me the SSH-integrated way seems superior:
    ssh -o HostKeyAlias=hostkeyalias__server1 user@server1.example.com
    leads to known_hosts entries like this:
    hostkeyalias__server1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtFqK9jGKh…
    And no one cares about IP addresses any more. As usual, this “hostname” can be combined with real hostnames and IP addresses for the same key.

    I consider it a bug that SSH does not tell you that the key already is in the known_hosts file but for a different IP address or hostname.

    • That’s a great hint but it doesn’t work for me. Doing it like you described (“ssh -o HostKeyAlias=hostkeyalias__server1 root@46.51.142.222”) adds the following in the “known_hosts” file:
      hostkeyalias__server1,46.51.142.222 ecdsa-sha2-nistp256 …key…

      And if the IP address changed, then I get the following warning (though no confirmation is really required indeed):
      Warning: Permanently added the ECDSA host key for IP address ‘46.54.14.29’ to the list of known hosts.

      I’m using “OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010”.

      P.S. Ditto for the SSH client behavior that it should be more clever when the key is already saved in the database.
