eby
Posts: 22
Joined: Wed Nov 28, 2012 11:27 am

ssh - omit remote host identification for RPi

Mon Sep 27, 2021 3:03 pm

Here is the scenario: I have a few different operating systems on micro-SD cards, and IP address reservation is enabled for the Raspberry Pi. But when I boot from another OS, the remote host identification changes and I have to remove the fingerprint with,

Code:

~$ ssh-keygen -f ~/.ssh/known_hosts -R "192.168.1.3"

I tend to boot another OS a few times a day.

Is there a way to disable sending the fingerprint from the RPi, or to disable checking host identification on the local host when doing ssh to the RPi alone?

Thanks.

thagrol
Posts: 5773
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: ssh - omit remote host identification for RPi

Mon Sep 27, 2021 3:26 pm

Start by reading the output from

Code:

man ssh

and

Code:

man sshd

Then try a forum and web search.
I'm a volunteer. Take me for granted or abuse my support and I will walk away

All advice given is based on my experience. It worked for me, it may not work for you.
Need help? https://github.com/thagrol/Guides

swampdog
Posts: 780
Joined: Fri Dec 04, 2015 11:22 am

Re: ssh - omit remote host identification for RPi

Tue Sep 28, 2021 10:54 am

I have a couple of trivial scripts for this (because I can never remember the options)..

Code:

foo@sdu ~/usr/src/rpi/rpinew $ cat ~/bin/sshi
#!/bin/bash
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"

foo@sdu ~/usr/src/rpi/rpinew $ cat ~/bin/scpi
#!/bin/bash
scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"

eby
Posts: 22
Joined: Wed Nov 28, 2012 11:27 am

Re: ssh - omit remote host identification for RPi

Wed Sep 29, 2021 8:22 am

swampdog wrote:
Tue Sep 28, 2021 10:54 am
I have a couple of trivial scripts for this (because I can never remember the options)..

Code:

foo@sdu ~/usr/src/rpi/rpinew $ cat ~/bin/sshi
#!/bin/bash
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"

foo@sdu ~/usr/src/rpi/rpinew $ cat ~/bin/scpi
#!/bin/bash
scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"

Thank you very much. :D :D :D

jojopi
Posts: 3538
Joined: Tue Oct 11, 2011 8:38 pm

Re: ssh - omit remote host identification for RPi

Wed Sep 29, 2021 11:05 am

Without host key checking, SSH provides no security against active attacks.

The proper solution is to have a separate stanza in ~/.ssh/config for each OS:

Code:

host buster64
  hostname 192.168.1.3
  port 22
  hostkeyalias buster64
  user pi

host bullseye32
  hostname 192.168.1.3
  port 22
  hostkeyalias bullseye32
  user pi

Same hostname and port; different keys.

swampdog
Posts: 780
Joined: Fri Dec 04, 2015 11:22 am

Re: ssh - omit remote host identification for RPi

Wed Sep 29, 2021 1:09 pm

Yeah, re-reading the OP's question, that is the better way. I use my method when I'm burning sdcards in one rpi destined to go in another rpi.

Milliways
Posts: 746
Joined: Fri Apr 25, 2014 12:18 am
Location: Sydney, Australia

Re: ssh - omit remote host identification for RPi

Thu Sep 30, 2021 4:29 am

I have about 20 SD Cards and many Pi, all of which can boot from any SD (assuming the Pi model supports the OS).

I do this by the simple expedient of ensuring all SD have the same host keys (which I refresh from time to time).

After a fresh OS install I back up

Code:

#PBackup ssh host keys
cd /etc/ssh
sudo tar czf /home/pi/SshKeys.tgz *key *.pub moduli

#PBackup ssh config
cd /etc/ssh
sudo tar czf /home/pi/SshConf.tgz *config

Then restore on others

Code:

#Replace ssh host keys  (script sshReplace)
cd /etc/ssh
sudo tar xzf /home/pi/SshKeys.tgz

bls
Posts: 1750
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: ssh - omit remote host identification for RPi

Sun Oct 10, 2021 4:53 pm

I have a couple of Pis that I use exclusively for testing. I was doing the ssh-keygen -R thing until this thread, which caused me to have a look at doing away with that.

For these test Pis I ended up with this stanza in my ~/.ssh/config

Code:

Host p82 p83
     StrictHostKeyChecking no
     UpdateHostKeys no
     UserKnownHostsFile /dev/null
     LogLevel quiet

The UserKnownHostsFile is correct for these hosts, but causes ssh to emit "Warning: Permanently added 'hostname,ip.ad.dd.rr' (ECDSA) to the list of known hosts. blah blah". The LogLevel quiet eliminates this (in this case) pointless message.

This works as intended for these two test systems.

Edit: Thanks to everyone in this thread for the details and inspiration :)
Pi tools:
Quickly and easily build customized-just-for-you SSDs/SD Cards: https://github.com/gitbls/sdm
Easily run and manage your network's DHCP/DNS servers on a Pi: https://github.com/gitbls/ndm
Easy and secure strongSwan VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo
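
An added example, not code from any poster in this thread: a small Python audit of an OpenSSH client config that flags stanzas which turn host key verification off and stanzas that would share one known_hosts name, the collision that hostkeyalias avoids. The sample config is constructed from the stanzas posted above (trimmed); the function names and the simplified parser (no Match or Include handling) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: stanzas from this thread, trimmed and combined into one file.
SAMPLE_CONFIG = """\
host buster64
  hostname 192.168.1.3
  hostkeyalias buster64
host bullseye32
  hostname 192.168.1.3
  hostkeyalias bullseye32
Host p82 p83
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
"""

LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.+)")  # keyword, then '=' or spaces, then value
def parse_stanzas(text):
    """Split a client config into (host patterns, options); Match/Include are not handled."""
    stanzas = [("*", {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if raw.lstrip().startswith("#") or not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            stanzas.append((value, {}))
        else:
            stanzas[-1][1].setdefault(key, value)  # ssh keeps the first value it sees
    return stanzas

def audit(text):
    """Return (host patterns, finding) pairs for weak or colliding host key settings."""
    findings, lookup = [], defaultdict(list)
    for name, opts in parse_stanzas(text):
        if opts.get("stricthostkeychecking", "").lower() in ("no", "off"):
            findings.append((name, "host key checking disabled"))
        if opts.get("userknownhostsfile") == "/dev/null":
            findings.append((name, "host keys never stored"))
        if "hostname" in opts:  # known_hosts name: the alias if set, else host:port
            key = opts.get("hostkeyalias") or f'{opts["hostname"]}:{opts.get("port", "22")}'
            lookup[key].append(name)
    for key, names in lookup.items():
        if len(names) > 1:
            findings.append((" ".join(names), f"share known_hosts name {key}"))
    return findings

if __name__ == "__main__":
    print(*(f"{n}: {f}" for n, f in audit(SAMPLE_CONFIG)), sep="\n")
```

Run against the sample, only the p82 p83 stanza is reported; removing the two hostkeyalias lines makes buster64 and bullseye32 show up as sharing one known_hosts name.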
