Ignore REMOTE HOST IDENTIFICATION HAS CHANGED in web links


daniel....@gmail.com

Oct 24, 2012, 2:58:13 PM
to chromiu...@chromium.org
Hi All,

I have created a system which allows me to easily recreate virtual machines. A common scenario is to destroy a box and recreate it from scratch.
For those VMs I create links (e.g. chrome-extension://pnhechapfaindjhompbnflcldabbghjo/html/nassh.html#vagrant@XXX:XXX:XXX:XXX) on a web page for easy access. Here comes my problem: after I have recreated a box I will get the following message from Secure Shell:

REMOTE HOST IDENTIFICATION HAS CHANGED

Is it possible to just ignore that the certificate has been changed? It would be great if I could specify it in the URL.

thanks for your help,
Daniel

Robert Ginda

Oct 24, 2012, 4:17:51 PM
to Daniel Kuffner, chromium-hterm
Sorry no, there's no way to trigger this from the URL.  It seems like bad security to add it.

I was going to suggest importing an ssh config to disable host key checking, but that doesn't seem to be an option according to `man ssh_config`.  The closest thing seems to be the ability to ask DNS for the host key, with VerifyHostKeyDNS.  Depending on how much control you have over the vm environment, that's probably not a real option.

A few others have asked for functionality to make mass-host-management easier.  I've filed http://code.google.com/p/chromium-os/issues/detail?id=35686 to track the request.


Rob.

Shawn McMahon

Oct 24, 2012, 4:59:18 PM
to chromium-hterm
Not sure how applicable this is, but a common strategy outside the browser is:

1) configure "StrictHostKeyChecking no" in the ~/.ssh/config
2) make ~/.ssh/known_hosts not writeable by the user

Then you just have to ignore a non-fatal warning with every
connection. You give up a lot of security with this, but it's security
most people aren't actually using.

Robert Ginda

Oct 24, 2012, 5:05:27 PM
to Shawn McMahon, chromium-hterm
Unfortunately it's not possible to make known_hosts not writable in Secure Shell.  You might be able to simulate it by setting UserKnownHostsFile to something.  A file in a bogus directory may be enough, say "/not-a-real-directory/known_hosts".  I don't think there is any automatically-create-a-missing-directory logic that would make this not fail.  If there is, you could try an illegal file name instead.


Rob.

Daniel Kuffner

Oct 24, 2012, 5:05:47 PM
to Robert Ginda, chromium-hterm
Thanks for the fast answer, I will look into the VerifyHostKeyDNS solution.

Stupid question, how can I recover the Secure Shell from this state? I have three options (Reconnect, Choose, Exit)
but none of them allow me to remove the old certificate from the known host list. Maybe it is possible to offer a fourth option which will remove the certificate and reconnect.

Robert Ginda

Oct 24, 2012, 5:15:51 PM
to Daniel Kuffner, chromium-hterm

Daniel Kuffner

Oct 24, 2012, 5:43:04 PM
to Robert Ginda, chromium-hterm
I have created a bookmark to clear all known hosts, I think that is a valid temporary solution.
I love JavaScript bookmarks :)

javascript:term_.command.removeAllKnownHosts();
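
A narrower alternative to clearing every known host, as an added example that is not part of the thread or of Secure Shell's code: drop only the entries for the one rebuilt VM from OpenSSH-format known_hosts text, including hashed (HashKnownHosts) entries, and leave every other pinned key in place. The function names, addresses and key placeholders are constructed for illustration, and wildcard host patterns are not handled.

```python
import base64
import hashlib
import hmac


def hash_host(name: str, salt: bytes) -> str:
    """Build a HashKnownHosts field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def field_names_host(field: str, name: str) -> bool:
    """True if a known_hosts host field (plain list or hashed) names `name`."""
    if field.startswith("|1|"):
        try:
            salt = base64.b64decode(field.split("|")[2])
        except (IndexError, ValueError):
            return False  # malformed hashed field: leave the line alone
        return hmac.compare_digest(hash_host(name, salt).encode(), field.encode())
    return name in field.split(",")  # exact names only; wildcard patterns are not expanded


def remove_host(text: str, host: str, port: int = 22):
    """Return (new_text, removed_count) with only the entries for host:port dropped."""
    name = host if port == 22 else "[{}]:{}".format(host, port)  # OpenSSH form for non-default ports
    kept, removed = [], 0
    for line in text.splitlines():
        fields = line.split()
        # Keep blanks, comments, and @cert-authority/@revoked marker lines untouched.
        if not fields or fields[0][0] in "#@":
            kept.append(line)
        elif field_names_host(fields[0], name):
            removed += 1  # a line listing the host under several names is dropped whole
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample: documentation-range addresses and placeholder key blobs, not real keys.
SAMPLE = "\n".join([
    "# lab VMs",
    "192.0.2.10 ssh-ed25519 PLACEHOLDER-OLD-KEY",
    "[192.0.2.10]:2222 ssh-ed25519 PLACEHOLDER-OTHER-PORT",
    hash_host("192.0.2.10", b"constructed-salt-20b") + " ssh-rsa PLACEHOLDER-HASHED",
    "192.0.2.11,build2 ssh-ed25519 PLACEHOLDER-OTHER-HOST",
    "@revoked 192.0.2.10 ssh-ed25519 PLACEHOLDER-REVOKED",
]) + "\n"

if __name__ == "__main__":
    new_text, count = remove_host(SAMPLE, "192.0.2.10")
    print(count, "entries removed")
    print(new_text, end="")
```

After the stale entry is gone, the next connection prompts for the new host key as a first-time connection, so the fingerprint of the rebuilt VM can still be checked before it is accepted.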