Question
Is there a way I can keep the strict host key checking behavior on but have it check only the server's key fingerprint (which is effectively already a unique identity for the host), without it also considering the host name/IP?
Problem
I have several personal mobile/roaming devices: phones, laptops, more phones being used as pocket computers, etc., and I routinely use SSH between them, using the IP address rather than the host name.
Any time I end up on a new network (typically someone's home/office/public WiFi) or DHCP leases expire on an existing network, the IP addresses of those devices get shuffled around, causing one or both of the following situations:
The same host with an unchanged host key is in a different location, so ssh prompts me to confirm the same host key again for the new IP.
A new host ends up on the same IP as a previously connected-to host (but the previous host is also still alive, just now at a different IP), so when trying to connect to the new host ssh treats it as the well-known error that prevents connecting, and fixing the matter requires me to either manage multiple known hosts files with config options or lose the known host key association for the previous host.
I would like some way to keep the automatic host key checking, but in my usecase it's meaningless to associate host name/IP to the server itself, so that:
The same host key showing up for a different name/IP should be accepted automatically as a known host.
A different host key at a previously known IP address should just cause the yes/no dialog for a new key.
Put another way, I'd like known_hosts to be checked as if it were just a list of known keys, instead of a list of known name(/IP) <-> key tuples.
But, security
Just pre-empting this tangent:
There'd be no real security loss if I could get SSH to ignore the host name/IP and just decide whether the key is new or known, because the server's host key is already as secure a unique identifier for the server as we can get, regardless of what name/IP that server is currently at.
The only difference in the event of a MitM would be that I would get the yes/no prompt instead of the connection obstinately aborting, but just the same I'd immediately know something was wrong since I would be connecting to a device whose host key I expect to be known.
Comments on other possible solution ideas
DNS doesn't apply, since we're talking shifting between different networks and often LAN private IP addresses, etc.
/etc/hosts tweaks would just be a pain given how often I might change networks.
I don't use auto-discovery/self-advertising technologies like mDNS/ZeroConf/Bonjour because they add non-negligible complexity for setup, maintenance and security auditing to some of these small devices (on some of these I have to compile everything I want to use from source), and I'm just generally not a fan of my devices advertising themselves actively and constantly to the network at large.
A current manual-ish non-solution I have that at least mitigates the known_hosts pain is to force ssh to use /dev/null as the known hosts file, which means I just get prompted to verify the key every single time. But even with my good memory and ASCII key art to help, that doesn't scale and breaks automation, and I've been getting away with it only because the number of keys in play is very small for now.
I could patch ssh to allow a KeyOnly option for strict host key checking instead of just "yes" and "no", but I just don't know if I have that in me right now, especially since that would mean I'd have to either manage to get it merged upstream or build OpenSSH releases from source myself for even more devices.
I'm tempted to write a local service that keeps track of known host keys for ssh and creates a named Unix domain socket that ssh can then use as the known hosts file instead of the normal plain-text file. This seems doable but requires some care to get right and robust.
Obviously turning off strict host key checking is a non-option. If I was going to do that I might as well just use rsh and not pretend there's any security left. We're not animals.
So I'm hoping that there's some clever way to just make this adjustment to OpenSSH's host key checking behavior, ignoring host name/IP and only checking the key, out of the box.
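As an added example, not part of the question and not an OpenSSH option: a POSIX sh wrapper that puts the "key-only" check described above around the stock ssh client, using only ssh-keyscan, ssh-keygen and ssh. It scans the key the target is presenting right now, accepts it if it is in a personal trusted-key list (any address), and otherwise asks the usual yes/no question. The list location ($SSHK_KEYS), its one-key-per-line "keytype base64" format, the single scanned key type ($SSHK_KEYTYPE, default ed25519), the default-port assumption and the sshk name are this script's own conventions, not OpenSSH's.

```shell
#!/bin/sh
# sshk: open an ssh session trusting the server by its host KEY alone,
# regardless of which name/IP it currently answers at.
#
# Conventions of this script (assumptions, not OpenSSH behaviour):
#   $SSHK_KEYS     trusted host keys, one per line as "<keytype> <base64>"
#   $SSHK_KEYTYPE  the single key type scanned, in ssh-keyscan -t spelling
#
# Flow: 1. ssh-keyscan the target to see which key it presents right now.
#       2. If that key is trusted, pin it under the current address in a
#          throw-away known_hosts and connect with StrictHostKeyChecking=yes.
#       3. Otherwise show the fingerprint and ask yes/no, as ssh does for a
#          new host; "yes" appends the key to $SSHK_KEYS.

SSHK_KEYS="${SSHK_KEYS:-$HOME/.ssh/known_keys}"
SSHK_KEYTYPE="${SSHK_KEYTYPE:-ed25519}"

# Reduce a known_hosts / ssh-keyscan line ("host keytype base64 [comment]")
# to the identity we care about: "keytype base64".
key_of_line() {
    set -- $1            # intentional word splitting into fields
    printf '%s %s\n' "$2" "$3"
}

# Succeed iff "$1" ("keytype base64") is an exact line of the trusted key file "$2".
key_is_trusted() {
    [ -r "$2" ] && grep -qxF -e "$1" "$2"
}

main() {
    target=$1; shift                 # [user@]host, default port assumed
    host=${target#*@}

    line=$(ssh-keyscan -t "$SSHK_KEYTYPE" -T 5 "$host" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        # Fail closed: no key of the expected type is not a reason to prompt.
        echo "sshk: $host offered no $SSHK_KEYTYPE host key; refusing" >&2
        exit 1
    fi
    key=$(key_of_line "$line")

    if ! key_is_trusted "$key" "$SSHK_KEYS"; then
        fp=$(printf '%s\n' "$key" | ssh-keygen -lf /dev/stdin)
        echo "sshk: the key presented by $host is not in $SSHK_KEYS" >&2
        echo "sshk: $fp" >&2
        printf 'Trust this key from now on (yes/no)? ' >&2
        read -r answer < /dev/tty
        [ "$answer" = yes ] || exit 1
        mkdir -p "$(dirname "$SSHK_KEYS")"
        printf '%s\n' "$key" >> "$SSHK_KEYS"
    fi

    # ssh-keyscan prints the host exactly as given, so its output line is a
    # ready-made known_hosts entry pinning this key to this address. ssh still
    # verifies the key on the real connection, so a key swapped in between the
    # scan and the connect is rejected rather than accepted.
    kh=$(mktemp) || exit 1
    trap 'rm -f "$kh"' EXIT
    printf '%s\n' "$line" > "$kh"
    ssh -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$kh" \
        -o GlobalKnownHostsFile=/dev/null \
        -o CheckHostIP=no \
        "$target" "$@"
}

# Only act when invoked with a target, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sshk user@192.168.1.20` (extra arguments are passed through to ssh). The trust model is exactly the one the question asks for, and it carries the matching consequence: any device whose key is in the list is accepted at any address, including one where a different listed device used to be, so the list should hold only keys of devices you control.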