If you have servers that change their IP address, you have probably already seen the following SSH warning:
The authenticity of host '176.34.91.245 (176.34.91.245)' can't be established. ... Are you sure you want to continue connecting (yes/no)? yes
Besides being annoying, blindly answering "yes" to this prompt is a security risk: you accept whatever host key the remote side presents, so this is exactly the moment at which a man-in-the-middle can impersonate your server. And be honest, almost none of us compare the fingerprint against a trusted source every time.
A common scenario is an EC2 instance in Amazon AWS that you stop and start again to cut costs: unless it has an Elastic IP, it gets a new public IP address on every start. I have a backup server which I use in this way.
In order to avoid this SSH warning securely and still be sure that you connect to your trusted server, save the host key in a separate file and update the IP address in it every time before you connect. The saved key then matches again, and if the server at the new address presents a different key, ssh refuses the connection with "REMOTE HOST IDENTIFICATION HAS CHANGED!" instead of silently accepting it. Here are the connect commands, which you can also encapsulate in a Bash wrapper script:
IP=176.34.91.245 # use an IP address here, not a hostname
FPFILE=~/.ssh/aws-backup-server.fingerprint
test -e "$FPFILE" && perl -pi -e "s/^\S+ /$IP /" "$FPFILE"
ssh -o StrictHostKeyChecking=ask -o UserKnownHostsFile="$FPFILE" root@$IP
The perl substitution replaces the first (host) field of the saved entry with the current IP and leaves the key type and key untouched; it also works when your client hashes the host field (HashKnownHosts yes, the Debian/Ubuntu default), because the hashed field is still one non-blank token.
Note that the FPFILE does not need to exist for the first SSH connection. The first time you connect, ssh creates it when you accept the warning. That one accept is where the trust comes from, so compare the fingerprint shown with the one in the instance's console output (cloud-init prints the host key fingerprints there on first boot) before answering yes. Subsequent connections will neither show a warning nor ask you to accept the fingerprint again, as long as the server presents the same key.
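As an added example (not the post's own script; the post's commands are the four lines above), here is a Bash wrapper that does the same thing with a few extra checks: it handles a non-standard port, marker lines and a hashed host field in the fingerprint file, prints the pinned fingerprint before connecting, and tolerates the missing file on the first connect. The path aws-backup-server.fingerprint comes from the post; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not the post's own script: wraps the connect commands above.
# Function names and defaults below are this example's assumptions.
set -eu

# Host field as OpenSSH writes it into known_hosts: plain for port 22,
# "[host]:port" for any other port.
host_field() {
    local ip=$1 port=${2:-22}
    if [ "$port" = 22 ]; then printf '%s\n' "$ip"; else printf '[%s]:%s\n' "$ip" "$port"; fi
}

# Rewrite the host column of every key line in a single-host known_hosts
# file to $2, keeping key type and key untouched. Comment/blank lines are
# kept; "@cert-authority"/"@revoked" marker lines carry the host in column 2;
# a hashed (|1|...) host field is simply replaced as well.
# Returns 1 if the file does not exist yet (first connect).
rewrite_known_hosts_host() {
    local fpfile=$1 host=$2 tmp
    [ -e "$fpfile" ] || return 1
    tmp=$(mktemp)
    awk -v host="$host" '
        /^[[:space:]]*(#|$)/ { print; next }
        $1 ~ /^@/            { $2 = host; print; next }
                             { $1 = host; print }
    ' "$fpfile" > "$tmp"
    cat "$tmp" > "$fpfile"      # keep the original file's mode and owner
    rm -f "$tmp"
}

# Pinned connect: update the saved host field, show the pinned fingerprint,
# then let ssh compare the server's key against it. A different key makes
# ssh abort with "REMOTE HOST IDENTIFICATION HAS CHANGED!", which is the point.
ssh_pinned() {
    local ip=$1 fpfile=$2 user=${3:-root} port=${4:-22}
    if rewrite_known_hosts_host "$fpfile" "$(host_field "$ip" "$port")"; then
        echo "pinned key(s) in $fpfile:" >&2
        ssh-keygen -lf "$fpfile" >&2
    else
        echo "$fpfile missing: first connect, verify the fingerprint before answering yes" >&2
    fi
    ssh -p "$port" -o StrictHostKeyChecking=ask -o HashKnownHosts=no \
        -o UserKnownHostsFile="$fpfile" "$user@$ip"
}

# Usage: ./aws-ssh.sh 176.34.91.245 [user] [port]
main() {
    local ip=$1 user=${2:-root} port=${3:-22}
    ssh_pinned "$ip" "$HOME/.ssh/aws-backup-server.fingerprint" "$user" "$port"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

HashKnownHosts=no is set only so the fingerprint file stays readable; the rewrite works on a hashed field too. The file is rewritten before ssh runs, so the only thing that can still differ is the key itself, which is exactly what StrictHostKeyChecking=ask then verifies.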
July 31, 2012 at 4:40 am
To me the SSH-integrated way seems superior:
ssh -o HostKeyAlias=hostkeyalias__server1 user@server1.example.com
leads to known_hosts entries like this:
hostkeyalias__server1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtFqK9jGKh…
And no one cares about IP addresses any more. As usual, this "hostname" can be combined with real hostnames and IP addresses for the same key.
I consider it a bug that SSH does not tell you that the key already is in the known_hosts file but for a different IP address or hostname.
August 12, 2012 at 5:32 pm
That's a great hint, but it doesn't work for me. Doing it like you described ("ssh -o HostKeyAlias=hostkeyalias__server1 root@46.51.142.222") adds the following to the "known_hosts" file:
hostkeyalias__server1,46.51.142.222 ecdsa-sha2-nistp256 …key…
And if the IP address changed, then I get the following warning (though no confirmation is really required indeed):
Warning: Permanently added the ECDSA host key for IP address ‘46.54.14.29’ to the list of known hosts.
I’m using “OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010”.
P.S. Ditto for the SSH client behavior that it should be more clever when the key is already saved in the database.
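The alias approach discussed in the comments, as an added example written for this page (not the commenters' code). It uses HostKeyAlias together with CheckHostIP=no, which stops OpenSSH from recording and checking the IP address in addition to the alias (the behaviour behind the "Permanently added the ECDSA host key for IP address" message above), and adds the check the thread wishes ssh did itself: before accepting a key for a new address, look whether that key is already trusted in the file under another name. The function names and the ssh-keyscan based precheck are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the commenters' code. Function names are assumptions.
set -eu

# Print the host field(s) under which the given public-key blob is already
# recorded in a known_hosts file, one per line. Exit status 1 if not found.
# Marker lines ("@cert-authority host type blob") carry the host in column 2.
# Hashed (|1|...) entries cannot be matched by name but still match by key.
hosts_for_key() {
    local fpfile=$1 keyblob=$2
    [ -e "$fpfile" ] || return 1
    awk -v blob="$keyblob" '
        /^[[:space:]]*(#|$)/ { next }
        $1 ~ /^@/ { if ($4 == blob) { print $2; found = 1 }; next }
                  { if ($3 == blob) { print $1; found = 1 } }
        END { exit found ? 0 : 1 }
    ' "$fpfile"
}

# Before a first connect to a new IP: fetch the key the server presents and
# report whether it is already trusted under some other name. ssh-keyscan
# output is unauthenticated; it only tells you which key to compare, it does
# not make that key trustworthy.
precheck() {
    local ip=$1 fpfile=$2 blob names
    blob=$(ssh-keyscan -t ed25519 "$ip" 2>/dev/null | awk '{ print $3; exit }')
    [ -n "$blob" ] || { echo "no ed25519 key received from $ip" >&2; return 2; }
    if names=$(hosts_for_key "$fpfile" "$blob"); then
        echo "key presented by $ip is already trusted as: $names"
    else
        echo "key presented by $ip is not in $fpfile: verify its fingerprint out of band"
    fi
}

# Connect via an alias: known_hosts records the alias, not the IP, and
# CheckHostIP=no keeps OpenSSH from additionally recording/checking the IP.
ssh_via_alias() {
    local alias=$1 ip=$2 fpfile=$3 user=${4:-root}
    ssh -o HostKeyAlias="$alias" -o CheckHostIP=no \
        -o StrictHostKeyChecking=ask -o UserKnownHostsFile="$fpfile" \
        "$user@$ip"
}

# Usage: ./alias-ssh.sh hostkeyalias__server1 46.54.14.29 [user]
main() {
    local alias=$1 ip=$2 user=${3:-root}
    local fpfile=$HOME/.ssh/aws-backup-server.fingerprint
    precheck "$ip" "$fpfile" || true
    ssh_via_alias "$alias" "$ip" "$fpfile" "$user"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

With CheckHostIP=no the stored line is just "hostkeyalias__server1 ssh-ed25519 …" and the IP never enters the file, so a changed address needs no rewrite at all; the precheck only adds the "already known under another name" hint that the thread asks for.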