Skipping SSH host key check when connecting to live systems
The (admittedly minor) problem
If you frequently use Linux live images and interact with them through ssh, you may run into an annoying problem where ssh refuses to connect due to a failed host key check:
$ ssh user@10.10.0.222
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:ii8Gf/L/y7duh+Ly1Ch4fjE8XA8LeL31Qtu/PfNt9NQ.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:202
remove with:
ssh-keygen -f '/home/user/.ssh/known_hosts' -R '10.10.0.222'
Host key for 10.10.0.222 has changed and you have requested strict checking.
Host key verification failed.
This happens because of the known_hosts files, where ssh keeps a list of known, "trusted" hosts. These files contain the addresses and public keys of all the hosts that you have connected to in the past.
Early during the connection process, ssh checks the target system's address and public key against the list of trusted hosts. If there is a discrepancy, the connection is aborted. A live system generates a fresh host key on every boot, so its key is never static; combined with IP address reuse, this means that key check errors will eventually start to happen. The errors are thankfully very easy to fix, but wouldn't it be nice if they could be avoided altogether?
The solution
Warning! This solution is not recommended for general use. The host key check is an important step in verifying the identity of a remote system. If this check is disabled, you must verify the remote host's identity using other methods.
When connecting to a live system, a command like this can be used:
$ ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user@machine
The command line shows three options in use. Together they temporarily disable the key checking process. Normally, two files are used to source host key information: the user's own list, and a system-wide "global" list. The user's list is checked first, then the global list is checked if no matches were found. Setting GlobalKnownHostsFile and UserKnownHostsFile to /dev/null effectively disables these checks, because /dev/null always reads empty. This also means that no new keys are saved during the connection process, which avoids polluting your actual known hosts file with entries that point to systems whose keys change. Setting StrictHostKeyChecking to no allows connecting to hosts not found in the (now empty) known hosts list. Only the UserKnownHostsFile option is usually required, but the other two are included for thoroughness.
The options are not limited to the ssh program. They can also be used with other ssh-based utilities, like sshfs and scp:
$ sshfs -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user@machine: /mnt
$ scp -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user@machine:test.file /tmp/test.file
If you need these options frequently and don't want to type them out every time, here are two ways you can access them easily.
For a single user using the bash shell
If you use bash as your login shell, you can append these lines to your .bashrc file:
alias tssh='ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
alias tsshfs='sshfs -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
alias tscp='scp -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
You can now access tssh, tsshfs, and tscp in your terminal. You may have to log out and log back in to enable these. The use of regular ssh programs is unaffected.
As systemwide executables
Save the following script as /usr/local/bin/tssh. You'll have to do that as root. The script provides temporary key check disabling for ssh, sshfs and scp.
#!/bin/sh
# Pick the underlying tool from the name this script was invoked as
# (tssh, tsshfs or tscp; the symlinks created below provide the latter two).
case ${0##*/} in
    tsshfs)
        e=sshfs
        ;;
    tscp)
        e=scp
        ;;
esac
# Default to ssh, disable host key checking for this run only,
# and pass every argument through unchanged.
${e:-ssh} -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"
exit $?
Set file permissions; executable by all, writable only by root:
$ sudo chmod 755 /usr/local/bin/tssh
Create symlinks to enable tsshfs and tscp:
$ sudo ln -s /usr/local/bin/tssh /usr/local/bin/tsshfs
$ sudo ln -s /usr/local/bin/tssh /usr/local/bin/tscp
The tssh, tsshfs, and tscp commands are now available as programs to all users on the system. The use of regular ssh programs is unaffected.
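The warning in the solution section says that once the known_hosts check is disabled, the remote host's identity must be verified some other way. The following script, added here as an example and not part of the original post, shows one such way for a live system: read the fingerprint off the live system's own console (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub there), fetch the key with ssh-keyscan into a throwaway known_hosts file, refuse to connect unless the fingerprints agree, and then connect with strict checking against only that file. The function names fingerprint_of, host_of and live_ssh, and the sample ssh-keygen output line, are assumptions constructed for this example; the fingerprint and address in it are the ones shown in the error message above.

```shell
#!/bin/sh
# Added example: pin a live system's host key for one session instead of
# discarding host keys entirely. Not part of the original post.

# fingerprint_of LINE: extract the "SHA256:..." field from one line of
# `ssh-keygen -lf` output, e.g. (constructed from the page's error message):
#   256 SHA256:ii8Gf/L/y7duh+Ly1Ch4fjE8XA8LeL31Qtu/PfNt9NQ 10.10.0.222 (ED25519)
fingerprint_of() {
    set -- $1            # split on whitespace; the second field is the fingerprint
    printf '%s\n' "$2"
}

# host_of TARGET: strip an optional user@ prefix so ssh-keyscan gets only the address.
host_of() {
    printf '%s\n' "${1#*@}"
}

# live_ssh EXPECTED_FP user@host [ssh args...]
# EXPECTED_FP is the SHA256 fingerprint read from the live system's console.
# Nothing is ever written to ~/.ssh/known_hosts; the temporary file is removed afterwards.
live_ssh() {
    expected=$1; target=$2; shift 2
    host=$(host_of "$target")
    kh=$(mktemp) || return 1
    # Fetch only the ED25519 key so the file holds exactly one entry to compare.
    ssh-keyscan -t ed25519 "$host" 2>/dev/null > "$kh"
    if [ ! -s "$kh" ]; then
        echo "no ED25519 host key received from $host" >&2
        rm -f "$kh"; return 1
    fi
    actual=$(fingerprint_of "$(ssh-keygen -lf "$kh")")
    if [ "$actual" != "$expected" ]; then
        echo "host key mismatch for $host: got $actual, expected $expected" >&2
        rm -f "$kh"; return 1
    fi
    # Strict checking now succeeds against the single pinned key and nothing else.
    ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile="$kh" \
        -o StrictHostKeyChecking=yes "$target" "$@"
    rc=$?
    rm -f "$kh"
    return $rc
}
```

Usage: live_ssh SHA256:ii8Gf/L/y7duh+Ly1Ch4fjE8XA8LeL31Qtu/PfNt9NQ user@10.10.0.222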
© kontunen.fi