{"id":233,"date":"2012-11-30T20:55:37","date_gmt":"2012-12-01T04:55:37","guid":{"rendered":"http:\/\/www.lorrin.org\/blog\/?p=233"},"modified":"2013-03-25T23:00:08","modified_gmt":"2013-03-26T06:00:08","slug":"ssh-host-key-failures","status":"publish","type":"post","link":"https:\/\/www.lorrin.org\/blog\/2012\/11\/30\/ssh-host-key-failures\/","title":{"rendered":"Avoiding SSH host key verification failures"},"content":{"rendered":"

While working on a deployment process that automatically updated an ElasticIP to point to a new instance, I got to see a lot of these:<\/p>\n

Offending key in \/Users\/lhn\/.ssh\/known_hosts:45\r\nRSA host key for xxx.yyy.zzz has changed and you have requested strict checking.\r\nHost key verification failed.<\/pre>\n
Here is a sed one-liner to delete offending key (on line 45 in this case) from SSH’s known_hosts file.\u00a0 This is a reasonable thing to do when you know why the host key has changed and don’t expect it to do so very often.<\/p>\n
sed -i -e '45d' ~\/.ssh\/known_hosts<\/pre>\n
-i<\/tt> is for in-place editing and -e<\/tt> provides the expression, which is to d<\/tt>elete line 45<\/tt>.<\/p>\n
However, sometimes you expect the host key to change frequently and a better approach to not check or store the host key in the first place. That can be achieved as follows (kudos Peter Leung<\/a>)<\/p>\n
ssh -o UserKnownHostsFile=\/dev\/null -o StrictHostKeyChecking=no user@some.host<\/pre>\n
This tells SSH to use always-empty \/dev\/null<\/tt> as its place to record host keys and to not complain when connecting to host with an unknown key. Thus no host keys are stored or checked.<\/p>\n
At the risk of stating the obvious, this does of course side-step SSH’s ability to protect you from man-in-the-middle attacks<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
While working on a deployment process that automatically updated an ElasticIP to point to a new instance, I got to see a lot of these: Offending key in \/Users\/lhn\/.ssh\/known_hosts:45 RSA host key for xxx.yyy.zzz has changed and you have requested strict checking. Host key verification failed. Here is a sed one-liner to delete offending key […]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[52],"tags":[],"_links":{"self":[{"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/posts\/233"}],"collection":[{"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/comments?post=233"}],"version-history":[{"count":8,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/posts\/233\/revisions"}],"predecessor-version":[{"id":255,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/posts\/233\/revisions\/255"}],"wp:attachment":[{"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/media?parent=233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/categories?post=233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/tags?post=233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}