I have a gitea server running at the house and back up various systems and such. I recently went through aur:ssh-audit (if you haven't I highly recommend that you do..) and cleaned up things. I then found that my ssh keys for gitea were tied to my ddns hostname (good) and my (at the time) dynamic IP (bad)..
ex:
github.com,140.82.113.3 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
if github changes their IP it will prompt me to accept the key.. but if the session is not interactive, the git push will not happen.. until the key is updated/satisfied again..
My thought was to remove the IP from the known_hosts..
But when I remove the IP and ssh into the remote host.. I get this:
Warning: Permanently added the ED25519 host key for IP address '192.0.0.254' to the list of known hosts.
and in ~/ssh/known_hosts I have two host entries one by name, one by IP..
ssh -v remote.host.name
8< -- SNIP -- >8
debug1: Local version string SSH-2.0-OpenSSH_8.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to blah.tech.pkcsd.org:22 as 'bcook'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:8< -- SNIP -- >8
debug1: Host 'remote.host.name' is known and matches the ED25519 host key.
debug1: Found key in /home/user/.ssh/known_hosts:36
8< -- SNIP -- >8
Line 36 is the remote.host.name fqdn and not the IP..
But when remote.host.name gets another dynamic IP it will prompt to save that key attached to that new ip *again*, right?
Anyway to not have that?
Thank you in advance for your time and patience..
Last edited by bcook (2020-05-28 22:36:43)
Have you tried disabling host IP checking for that server in ~/ssh_config?
Host remote.host.name
CheckHostIP no
Thank you.
Works in both ~/.ssh/config and /etc/ssh/ssh_config.
Looking into the global setting..
CheckHostIP
If set to yes (the default), ssh(1) will additionally check the host IP address in the known_hosts file.
This allows it to detect if a host key changed due to DNS spoofing and will add addresses of destination
hosts to ~/.ssh/known_hosts in the process, regardless of the setting of StrictHostKeyChecking. If the
option is set to no, the check will not be executed.
Looks like it will literally just *not* DNS-check the host..
(again another plug for ssh-audit from aur..)
Thank you for sharing.
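A small audit script for the situation discussed above, added here as an example and not part of this thread or of OpenSSH: it parses a constructed known_hosts file, reports the entries whose host field pins a key to an IP address (the ones that go stale when the address is dynamic), and rewrites the file keeping only the name components, which is the manual cleanup described earlier. Hashed (|1|) entries are left untouched because their hosts cannot be inspected; all host names and key blobs below are made up.

```python
import ipaddress

# Constructed sample known_hosts (not a real file); key blobs are dummies.
SAMPLE_KNOWN_HOSTS = """\
github.com,140.82.113.3 ssh-rsa AAAAB3NzaC1yc2Edummy1
remote.host.name ssh-ed25519 AAAAC3NzaC1lZDI1NTE5dummy2
192.0.0.254 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5dummy2
[backup.lan]:2222,[10.0.0.5]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5dummy3
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5dummy4
@cert-authority *.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5dummy5
# comment line
"""


def is_ip_host(host):
    """True if a host pattern is a literal IP, plain or in [ip]:port form."""
    h = host.lstrip("!")               # negated patterns still name a host
    if h.startswith("["):              # [host]:port form
        h = h[1:h.rfind("]")]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def parse_known_hosts(text):
    """Return one dict per entry; hashed entries get hosts=None."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()          # [@marker] hosts keytype key [comment]
        marker = fields.pop(0) if fields[0].startswith("@") else None
        hashed = fields[0].startswith("|1|")
        entries.append({"marker": marker, "keytype": fields[1], "key": fields[2],
                        "hosts": None if hashed else fields[0].split(",")})
    return entries


def ip_pinned(text):
    """Entries whose host field ties the key to at least one IP address."""
    return [e for e in parse_known_hosts(text)
            if e["hosts"] and any(is_ip_host(h) for h in e["hosts"])]


def strip_ip_hosts(text):
    """Rewrite known_hosts without IP components; IP-only entries are dropped."""
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            kept.append(raw)
            continue
        fields = line.split()
        prefix = [fields.pop(0)] if fields[0].startswith("@") else []
        if fields[0].startswith("|1|"):  # hashed: hosts not inspectable, keep
            kept.append(raw)
            continue
        names = [h for h in fields[0].split(",") if not is_ip_host(h)]
        if names:                        # an IP-only entry has nothing left
            kept.append(" ".join(prefix + [",".join(names)] + fields[1:]))
    return "\n".join(kept) + "\n"
```

Note that with CheckHostIP left at its default, ssh will re-add an IP entry on the next connection, so the rewrite only holds together with the config change above.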
@bcook, please use code formatting tags in future: https://bbs.archlinux.org/help.php#bbcode
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?