
In the ssh configuration directory, the file known_hosts stores an (IP, fingerprint) pair for each server. A server is trusted only if it matches both elements of one of the pairs in known_hosts.

I need to connect to a Nitrux 1.1.4 Linux server (based on kernel 4.14.15-041415-generic) which for several reasons is forced to use DHCP. Its IP may change even several times per day. Each time, I must accept a new (IP, fingerprint) pair, flooding known_hosts. This approach is also quite useless.

Is it possible to trust this host only considering its fingerprint, regardless of its IP?

As in a previous question, I am using these clients: OpenSSH_7.8p1, OpenSSL 1.1.1a-freebsd 20 Nov 2018 and OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017.

BowPark

1 Answer


A server is trusted when it matches the pattern before the fingerprint hash. ssh just adds both hostname and IP by default, which requires both of them to match. Nothing stops you from editing known_hosts manually and replacing the IP with a mask (recommended) or removing the IP altogether (less secure).

So the entry in known_hosts would look like:

hostname,192.168.1.* ssh-rsa AAAAhash==
another-hostname ssh-rsa AAAAhash==

both would work for you.

You can find more detailed info in man sshd (section: SSH_KNOWN_HOSTS FILE FORMAT).

rush
  • Thanks! Can it still work when the known_hosts file is in this format? With ssh-keygen -H -F hostname I can read the line of interest, but hostname and IP are still hashed, not in plain text. – BowPark May 27 '19 at 11:34
  • It looks like if you run ssh with -o 'CheckHostIP=no' when there is no entry in your known_hosts, it will add the entry without the IP address. But keep in mind the possible security consequences. If you want to keep the mask, it looks like you need to hash it manually. I'm not sure about that. – rush May 27 '19 at 14:49
  • Maybe it deserves a dedicated question. Meanwhile, thank you for all the suggestions! – BowPark May 27 '19 at 14:57
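To see why the hashed format discussed in the comments cannot carry a mask, here is an added example (not from the answer above and not OpenSSH's own code) that matches a host against both plain-pattern and hashed known_hosts entries, following the pattern and |1|salt|hash rules from sshd(8). The sample file contents, the placeholder keys and the fixed salt are constructed.

```python
import base64
import fnmatch
import hashlib
import hmac
import os

# Constructed sample known_hosts content; the keys are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
hostname,192.168.1.* ssh-rsa AAAAhash==
another-hostname ssh-rsa AAAAhash==
"""

def match_patterns(patterns: str, host: str) -> bool:
    """Match host against a comma-separated OpenSSH pattern list ('*', '?', leading '!' negates)."""
    matched = False
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(host, pat.lstrip("!")):  # fnmatch also knows '[..]', OpenSSH does not
            if negated:
                return False  # one negated match rejects the whole entry
            matched = True
    return matched

def hash_host(host: str, salt: bytes = None) -> str:
    """Build the '|1|salt|hash' form written by ssh-keygen -H: HMAC-SHA1 keyed with a 20-byte salt."""
    salt = salt or os.urandom(20)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()

def match_hashed(entry: str, host: str) -> bool:
    """A hashed entry matches only the exact string that was hashed, so a mask cannot be hashed."""
    _, version, salt_b64, hash_b64 = entry.split("|")
    if version != "1":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)

def lookup(known_hosts: str, host: str) -> list:
    """Return (keytype, key) for every entry whose pattern list or hash matches host."""
    hits = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns, keytype, key = line.split(None, 2)
        matcher = match_hashed if patterns.startswith("|") else match_patterns
        if matcher(patterns, host):
            hits.append((keytype, key))
    return hits
```

Hashing "192.168.1.*" with ssh-keygen -H stores the HMAC of that literal string, which no concrete address will ever reproduce, so a masked entry has to stay in plain text.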