9

SSH clients (by default, at least in Ubuntu 18.04 and FreeBSD 12) always check whether the server's key fingerprint is in the known_hosts file.

I have a host in the LAN which has dual boot; both the OSs use the same static IP. I would like to connect through ssh to both of them, without encountering errors.

This obviously violates the checks performed on known_hosts: if I accept one fingerprint, it will be related to the host IP; when the OS is switched, the fingerprint changes while the IP stays the same, and I need to manually delete it from known_hosts before being able to connect again. I would like either one fingerprint or the other to be accepted for that IP.

Is there a client side solution to overcome this issue?

I am using OpenSSH_7.8p1, OpenSSL 1.1.1a-freebsd 20 Nov 2018 and OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017.

Note: I do not want "no check" of the server's fingerprint. I am just wondering if it is possible to relate two alternative fingerprints (not just one) to the server's IP address.

BowPark
  • 4,895
  • 1
    May I ask why you have ruled out server-side solutions? Wouldn't the easiest way be to try to make both OSs use the same host key? – Philip Couling May 27 '19 at 10:05
  • @PhilipCouling Partly for ease of use: one of the OSs is Windows. Partly to not transfer keys from a host to another, which is a sometimes discouraged practice. But the main reason is: I would like to obtain some degree of flexibility in ssh client configuration, if it is possible. – BowPark May 27 '19 at 11:20

2 Answers

6

Your problem is that host keys are just that: a key for the host. There is really only supposed to be one per host. Of course there are several because there are several types of key, but I would avoid relying on key types to give you multiple acceptable keys for a single host.

On the server side

My first suggestion is that you consider carefully if you really want to do this on the client side. You could treat these two OS as the same host and simply copy the host key from one to the other.

If you copy /etc/ssh/ssh_host* from OpenSSH you can use these on other operating systems. Although they might need some reformatting depending on the SSH server you run.


But ...

May I ask why you have ruled out server-side solutions? Wouldn't the easiest way be to try to make both OSs use the same host key? – Philip Couling

@PhilipCouling Partly for ease of use: one of the OSs is Windows. Partly to not transfer keys from a host to another, which is a sometimes discouraged practice. But the main reason is: I would like to obtain some degree of flexibility in ssh client configuration, if it is possible. – BowPark

I think that what you are looking for is a way to treat the two OSs as different hosts even though they share an IP address and port number.


On the client side

Perhaps the most reliable way will be to set host specific configuration for each OS. Edit (or create) ~/.ssh/config to add:

Host windows.dualbootbox
    Hostname 192.168.10.20
    UserKnownHostsFile ~/.ssh/windows.dualbootbox.known_hosts

Host ubuntu.dualbootbox
    Hostname 192.168.10.20
    UserKnownHostsFile ~/.ssh/ubuntu.dualbootbox.known_hosts

You don't need to specify Hostname if each Host name already resolves to the IP. See man ssh_config for more configuration options.

With the above configuration you can then either:

ssh user@windows.dualbootbox
ssh user@ubuntu.dualbootbox
  • 1
    This seems a very smart solution. Thanks for all your considerations. I can try to transfer (and adapt, if necessary) keys from one OS to the other one. However, this client side configuration offers quite exactly what I was looking for, without such a transfer. – BowPark May 28 '19 at 09:49
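Added example, not code from either answer or from OpenSSH: a small Python model of the client-side known_hosts lookup, run against the two situations in this thread (one shared known_hosts for 192.168.10.20, and one file per Host alias as in the config above), plus a writer for those config stanzas. The alias names and the IP are the ones used in the answer; the two host keys and the hashing salts are constructed stand-ins, not real keys. The matching rules follow what sshd(8) documents for the file format: the host is matched against the first field (plain, or the hashed |1|salt|hmac form written by HashKnownHosts), a line carrying exactly the key the server presented is accepted, and a line of the same key type with a different key is what produces the "REMOTE HOST IDENTIFICATION HAS CHANGED" refusal described in the question.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Tuple

HOST = "192.168.10.20"
# Constructed stand-ins for the two host keys (NOT real keys). A real entry
# carries the base64 body of the server's public key in this position.
WINDOWS_KEY = ("ssh-ed25519", base64.b64encode(b"constructed host key: windows").decode())
UBUNTU_KEY = ("ssh-ed25519", base64.b64encode(b"constructed host key: ubuntu").decode())


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: SHA256 over the raw
    key blob, base64 with the trailing '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """HashKnownHosts / `ssh-keygen -H` form: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hostname_matches(names: str, host: str) -> bool:
    if names.startswith("|1|"):
        salt = base64.b64decode(names.split("|")[2])
        return hmac.compare_digest(hashed_hostname(host, salt), names)
    return host in names.split(",")  # plain form: "box,192.168.10.20"


def check_host_key(known_hosts: List[str], host: str, keytype: str, key_b64: str) -> str:
    """Model of the client's lookup: OK if any entry for host carries exactly
    this key, CHANGED if host has an entry of the same key type with another
    key, NEW otherwise. (@cert-authority/@revoked markers are not modelled.)"""
    status = "NEW"
    for line in known_hosts:
        fields = line.split()
        if not fields or fields[0].startswith(("#", "@")):
            continue
        names, ktype, kblob = fields[0], fields[1], fields[2]
        if not hostname_matches(names, host) or ktype != keytype:
            continue
        if kblob == key_b64:
            return "OK"
        status = "CHANGED"  # same host, same type, other key: the asker's error


    return status


def shared_file_scenario() -> Tuple[str, str]:
    """The question: one known_hosts for the IP, Windows key accepted first."""
    known = [f"{HOST} {WINDOWS_KEY[0]} {WINDOWS_KEY[1]}"]
    return (check_host_key(known, HOST, *WINDOWS_KEY),
            check_host_key(known, HOST, *UBUNTU_KEY))


def per_alias_scenario() -> Tuple[str, str]:
    """The answer: each alias has its own UserKnownHostsFile, so the Ubuntu key
    is never compared with the Windows entry. Entries are written hashed, as
    HashKnownHosts would (salts constructed here; ssh draws them randomly)."""
    windows_known = [f"{hashed_hostname(HOST, b'A' * 20)} {WINDOWS_KEY[0]} {WINDOWS_KEY[1]}"]
    ubuntu_known = [f"{hashed_hostname(HOST, b'B' * 20)} {UBUNTU_KEY[0]} {UBUNTU_KEY[1]}"]
    return (check_host_key(windows_known, HOST, *WINDOWS_KEY),
            check_host_key(ubuntu_known, HOST, *UBUNTU_KEY))


def two_keys_one_file_scenario() -> Tuple[str, str]:
    """What the question literally asks for: sshd(8) permits (but does not
    recommend) several lines with different keys for the same name, and the
    lookup accepts any matching line. ssh just never appends the second line
    itself after reporting a changed key; you add it by hand."""
    known = [f"{HOST} {WINDOWS_KEY[0]} {WINDOWS_KEY[1]}",
             f"{HOST} {UBUNTU_KEY[0]} {UBUNTU_KEY[1]}"]
    return (check_host_key(known, HOST, *WINDOWS_KEY),
            check_host_key(known, HOST, *UBUNTU_KEY))


def render_client_config(ssh_dir: str = "~/.ssh") -> str:
    """The two stanzas from the answer, one UserKnownHostsFile per alias."""
    stanzas = []
    for alias in ("windows.dualbootbox", "ubuntu.dualbootbox"):
        stanzas.append(f"Host {alias}\n    Hostname {HOST}\n"
                       f"    UserKnownHostsFile {ssh_dir}/{alias}.known_hosts\n")
    return "\n".join(stanzas)


def write_client_config(ssh_dir: str) -> str:
    """Write the config into ssh_dir (mode 0600) and return its path, for
    `ssh -F <path> user@ubuntu.dualbootbox`. The per-alias known_hosts files
    are created by ssh itself on the first accepted connection."""
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    path = os.path.join(ssh_dir, "config")
    with open(path, "w") as f:
        f.write(render_client_config(ssh_dir))
    os.chmod(path, 0o600)
    return path


if __name__ == "__main__":
    print("shared file      :", shared_file_scenario())
    print("per alias        :", per_alias_scenario())
    print("two keys one file:", two_keys_one_file_scenario())
    for name, key in (("windows", WINDOWS_KEY), ("ubuntu", UBUNTU_KEY)):
        print(name, fingerprint(key[1]))
    print(render_client_config())
```

Running the file prints OK/CHANGED for each case. To seed a per-alias file for real use, boot that OS and run ssh-keyscan -t ed25519 192.168.10.20 >> ~/.ssh/ubuntu.dualbootbox.known_hosts, then compare the fingerprint (ssh-keygen -lf on that file) with what the server itself shows for its host key before trusting it; leaving the file empty instead just means the usual first-connection prompt. two_keys_one_file_scenario shows the other option sshd(8) allows, both lines in one file, which ssh honours once you append the second line by hand.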
1

There are many ways to do this; one way is to use StrictHostKeyChecking no when you ssh to your hosts, it will not make any entry in known_hosts.

ssh -o StrictHostKeyChecking=no <ip>

Or

ssh -o UserKnownHostsFile=/dev/null <ip>

Or you can alter your .ssh/config file according to your needs.

asktyagi
  • 675
  • 2
    Thanks, but this would avoid any check on server's fingerprint. I edited the question to be more clear about the desired solution, if it exists. – BowPark May 27 '19 at 09:59
  • 1
    In that case just skip it for that server in .ssh/config, does it make sense? – asktyagi May 27 '19 at 10:00
  • 1
    Sorry, can you please rephrase your suggestion? I can't understand. – BowPark May 27 '19 at 10:03
  • 1
    Sure, say you want to set StrictHostKeyChecking for a specific host; do it like below in your .ssh/config:

        Host <your ip>
            StrictHostKeyChecking no

    So whenever you try to ssh to the above host it takes StrictHostKeyChecking as no.

    – asktyagi May 27 '19 at 10:06
  • 1
    Ok, I got your point. But, as I was saying, this would prevent the ssh client from checking the key of the server. I would like the client to check the key: and (if possible) two values for the key should be acceptable, not just one. – BowPark May 27 '19 at 11:18
  • 1
    At some point you have to separate the identification of the two if you want to keep the known_hosts entry, so try adding one more Ethernet interface with a different IP and use it for ssh access (so it will get a different key in known_hosts), or use two key types, RSA/DSA (so it will get a different key in known_hosts again, but in this case you have to pass the different private key). – asktyagi May 27 '19 at 12:42