
Avoid SSH host key checking for DHCP .local hosts

I do a lot of SSH work on machines inside my LAN which are allocated frequently-changing IP addresses through DHCP. Also, I often work with Raspberry Pis using different SD cards and different hostnames, addressed through multicast DNS (Zeroconf/Avahi) with different .local domain names. This means that I am persistently faced with:

aoakley@horus:~$ ssh pi@raspberrypi.local
The authenticity of host 'raspberrypi.local (' can't be established.
ECDSA key fingerprint is SHA256:B7nSvUMGhjPRGxHvxVtjouAHtxIh+sjXc5wX8v48sfQ.
Are you sure you want to continue connecting (yes/no)?

However, I also do a bit of work with vaguely important servers for which I would most definitely want to be warned if a man-in-the-middle attack was suspected. For example, an Amazon cloud web server.

So how can I configure my SSH client to test and warn me of a host key change if I'm SSHing to an external machine, but skip that test if I'm SSHing to a local one? The answer is surprisingly simple: you can set this up in a ~/.ssh/config file. To do this, from the terminal:

cat <<! >>~/.ssh/config
Host *.local
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
!

Now, if I SSH to a name ending in .local, no host key checking takes place and the host key is discarded rather than being added to my known hosts file. Any name not ending in .local continues to receive strict host key checking, warning me of potential p0wnership. This is one of those things which is incredibly simple once you know how, but incredibly useful to anyone who doesn't already know.

Two caveats. First, OpenSSH uses the first value it finds for each option, so this Host *.local block must come before any Host * block that already sets StrictHostKeyChecking, otherwise it is ignored (the cat >> above appends to the end of the file, so check what is already there). Second, this really does switch off man-in-the-middle detection for every .local name: anything on the LAN that answers mDNS for raspberrypi.local will be trusted silently. If that is more than you want to give up, a dedicated known hosts file for .local names (UserKnownHostsFile ~/.ssh/known_hosts.local, pruned with ssh-keygen -R whenever an SD card is re-imaged) keeps the changed-key warning while keeping the churn out of the main file, and OpenSSH 7.6 and later also accept StrictHostKeyChecking accept-new, which trusts a key the first time it is seen but still refuses a changed one.
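Here is a worked version of the more cautious alternative. This is an added example, not the article's own config or code: it writes a standalone ssh_config with a hardened Host *.local block, then uses ssh -G (available since OpenSSH 6.8; it evaluates the config for a host without connecting) to show which settings would actually apply to a .local name versus an outside one. It assumes OpenSSH 7.6 or later for accept-new, and the file name ~/.ssh/known_hosts.local is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes OpenSSH >= 7.6
# (for "StrictHostKeyChecking accept-new") and ssh -G (OpenSSH >= 6.8).
# The path ~/.ssh/known_hosts.local is an assumption made here.

set -eu

# Write a standalone ssh_config to a temp file and print its path.
# OpenSSH keeps the FIRST value it meets for each option, so the
# "Host *.local" block must precede any "Host *" block.
write_lan_config() {
    _new=$(mktemp)
    cat <<'EOF' >"$_new"
# LAN hosts reached by mDNS: keys change when SD cards are swapped and
# addresses change under DHCP, so keep their keys apart from the real ones.
Host *.local
    # Trust a key the first time, but still refuse a CHANGED key
    # (something on the LAN answering mDNS for raspberrypi.local is caught).
    StrictHostKeyChecking accept-new
    # Do not record or check the IP address, only the hostname,
    # so a new DHCP lease does not trigger a warning.
    CheckHostIP no
    # Separate file so stale Pi keys can be purged without touching
    # the entries for important machines.
    UserKnownHostsFile ~/.ssh/known_hosts.local

# Everything else keeps the defaults: prompt on unknown, fail on changed.
Host *
    StrictHostKeyChecking ask
EOF
    printf '%s\n' "$_new"
}

# Print the value ssh would really use for one option when connecting to
# a host (ssh -G prints "option value" lines, option names in lower case).
ssh_effective() {
    _cfg=$1; _host=$2; _opt=$3
    ssh -G -F "$_cfg" "$_host" | awk -v k="$_opt" '
        $1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# Forget the stored key for one LAN host, e.g. after re-imaging its SD
# card, without disturbing anything else (works with hashed entries too).
forget_lan_host() {
    ssh-keygen -R "$1" -f "$HOME/.ssh/known_hosts.local"
}

# Demo when run as "sh lanssh.sh demo": the two policies side by side.
if [ "${1:-}" = "demo" ]; then
    cfg=$(write_lan_config)
    for h in raspberrypi.local raspberrypi-2.local example.com; do
        printf '%-22s strict=%s checkhostip=%s\n' "$h" \
            "$(ssh_effective "$cfg" "$h" stricthostkeychecking)" \
            "$(ssh_effective "$cfg" "$h" checkhostip)"
    done
    rm -f "$cfg"
fi
```

The demo prints accept-new / no for the two .local names and ask / the default for example.com, which is the split the article is after. To adopt it for real, paste the Host *.local block near the top of ~/.ssh/config rather than appending it, and run forget_lan_host raspberrypi.local after each re-image instead of throwing every key away.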

Duplicate .local host names on network

As I prep for Cotswold Jam, I tend to have several Raspberry Pi computers on the network, often with identical hostnames. The good news is that Avahi, Linux's Zeroconf daemon that handles multicast DNS, checks for existing .local names before claiming one for itself. By default, if it finds that its hostname is already in use as a .local name, Avahi appends -2, -3 and so on to the host part of the name, before the .local suffix.

The Avahi daemon is installed by default on recent versions of the Raspberry Pi's Raspbian operating system, and similar Zeroconf services are installed by default on most other recent operating systems. If your system does not have Zeroconf installed - for example, some versions of Microsoft Windows - then installing Apple's Bonjour Print Services (which includes the Bonjour Zeroconf service) can be a lightweight way to get it.

Suppose you have several machines on your LAN running Avahi with the identical hostname raspberrypi. They will be reachable as:

raspberrypi.local
raspberrypi-2.local
raspberrypi-3.local

...and so on

The internal hostname of each machine remains raspberrypi: Avahi changes neither /etc/hostname nor /etc/hosts (bear in mind that on modern Linux distros the hostname may also appear in an /etc/hosts entry as well as on its own in /etc/hostname). So once you are logged in, all of them will call themselves raspberrypi; the -2 or -3 suffix exists only in mDNS.

Public Domain - Andrew Oakley - 2017-07-17
