SSH known_hosts with a dynamic IP

known-hostssshssh-keystunnelingvpn

I have a machine behind a firewall. I connect to it remotely using a VPN tunneling with a port forward through ssh. To connect to the machine I use the external IP of the VPN and my personal and temporary assigned port. The command I use is:

ssh USER@VPN_IP -p PORT

Since VPN_IP and PORT change frequently I cannot get advantages of saving the host key in known_host to get rid of man man-in-the-middle attacks, but at the same time the host key is well known to me and I could provide it to ssh in order to use it for the current VPN_IP and PORT combination. Is that possible? How?

Best Answer

The known_hosts file is for providing these keys and there's no direct command line alternative (and it wouldn't be so handy, anyway). However, your goal is completely possible with the known_hosts file!

Read through man sshd's ssh_known_hosts file format.

When performing host authentication, authentication is accepted if any matching line has the proper key; either one that matches exactly or, if the server has presented a certificate for authentication, the key of the certification authority that signed the certificate.

It is possible to use wildcards in ~/.ssh/known_hosts (and /etc/ssh/ssh_known_hosts):

Each line in these files contains the following fields: markers (optional), hostnames, keytype, base64-encoded key, comment. The fields are separated by spaces.

Hostnames is a comma-separated list of patterns (* and ? act as wildcards); each pattern in turn is matched against the canonical host name (when authenticating a client) or against the user-supplied name (when authenticating a server). A pattern may also be preceded by ! to indicate negation: if the host name matches a negated pattern, it is not accepted (by that line) even if it matched another pattern on the line. A hostname or address may optionally be enclosed within [ and ] brackets then followed by ‘:’ and a non-standard port number.

It is possible to make a key trusted for

a network range, if known, e.g. for TEST-NET-2:
```
198.51.100.* ssh-rsa AAAAB3Nza...2iQ==
```
multiple ranges (e.g. all TEST-NETs) using comma-separated list:
```
192.0.2.*,198.51.100.*,203.0.113.* ssh-rsa AAAAB3Nza...2iQ==
```
or even when connecting anywhere:
```
* ssh-rsa AAAAB3Nza...2iQ==
```

If this key is not present, it will still warn you about the authenticity of the other keys, show the fingerprint and add it automatically, if you answer yes. The comparison is done line by line.

Related Solutions

How to Remove Strict RSA Key Checking in SSH and Understand the Issues

Please don't delete the entire known_hosts file as recommended by some people, this totally voids the point of the warning. It's a security feature to warn you that a man in the middle attack may have happened.

I suggest you identify why it thinks something has changed, most likely an SSH upgrade altered the encryption keys due to a possible security hole. You can then purge that specific line from your known_hosts file:

sed -i 377d ~/.ssh/known_hosts

This deletes line 377 as shown after the colon in the warning:

/home/emerson/.ssh/known_hosts:377

Alternatively you can remove the relevant key by doing the following

ssh-keygen -R 127.0.0.1 (obviously replace with the server's IP)

Please DO NOT purge the entire file and ensure this is actually the machine you want to be connecting to prior to purging the specific key.

Linux – How to Automatically Add New Host to known_hosts

Set the StrictHostKeyChecking option to no, either in the config file or via -o :

ssh -o StrictHostKeyChecking=no username@hostname.com

Best Answer

Related Solutions

How to Remove Strict RSA Key Checking in SSH and Understand the Issues

Linux – How to Automatically Add New Host to known_hosts

Related Topic