Comprehensive “don’t bother me” for SSH
Disabling host security for real. No more nagging.
Warning: The things I explain here are very dangerous. Don't use this if you do not understand your threat model.
The problem
I’m developing a …thing. Sometimes I break it for real and need to ask an external provisioning system to reinstall my servers from scratch. Every reinstall causes ssh to complain about changed ssh keys.
For a long time I used a special script to update ssh keys for newly installed servers, but it was slow and annoying. Finally I’ve decided to make those hosts in my lab completely insecure, and to have ssh complain to me about nothing.
I wanted ssh to connect to specific servers no matter what ssh host key was presented.
Those lines aren’t rocket science and you shouldn’t use them for any address you connect to over an insecure network. Moreover, you should absolutely never pass your ssh key to those hosts, as it may become a real security issue.
The solution
Configuration snippet for ~/.ssh/config:

    Host insecure1
        User root
        Hostname 10.16.7.2
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
        CheckHostIP no
        UpdateHostKeys no
        LogLevel quiet

The last line disables all warnings, making it really silent.
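A way to check that these settings stay confined to lab hosts, as an added example that is not part of the original post: it scans ssh_config text for Host blocks that switch off host key checks and flags any that use a wildcard pattern, point at something other than a private IP literal, or enable agent forwarding. Reading "pass your ssh key" as `ForwardAgent` is an assumption, and the `jump.example.org` and `Host *` blocks in the sample are constructed.

```python
import ipaddress, re
# Options from the snippet above, with the value that switches each check off.
WEAKENING = {"stricthostkeychecking": "no", "userknownhostsfile": "/dev/null",
             "checkhostip": "no"}

def parse_blocks(text):
    """Split ssh_config text into (patterns, {option: value}) per Host block."""
    blocks = [(["*"], {})]  # options before any Host line apply to every host
    for raw in text.splitlines():
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m or m.group(1).startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # ssh keeps the first value seen
    return blocks

def audit(text):
    """Return (block, problem) pairs; each block is judged on its own lines."""
    findings = []
    for patterns, opts in parse_blocks(text):
        if not any(opts.get(k, "").lower() == v for k, v in WEAKENING.items()):
            continue
        name = " ".join(patterns)
        try:
            private = ipaddress.ip_address(opts.get("hostname", patterns[0])).is_private
        except ValueError:
            private = False  # DNS name or pattern: not pinned to the lab network
        if any(c in p for p in patterns for c in "*?"):
            findings.append((name, "wildcard"))
        elif not private:
            findings.append((name, "non-private target"))
        if opts.get("forwardagent", "no").lower() == "yes":
            findings.append((name, "agent forwarding"))
    return findings

# Constructed sample: the page's host plus two hypothetical risky blocks.
SAMPLE = """Host insecure1
  Hostname 10.16.7.2
  StrictHostKeyChecking no
Host jump.example.org
  StrictHostKeyChecking=no
  ForwardAgent yes
Host *
  UserKnownHostsFile /dev/null
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

The audit does not merge options inherited from other matching blocks, so a `ForwardAgent yes` set under `Host *` is only reported for that block.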
Ansible tuning
The same set of lines for Ansible config file:
[ssh_connection]
ssh_args = -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no -o UpdateHostKeys=no -o LogLevel=quiet
Or for ansible_ssh_args:
ansible_ssh_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no -o UpdateHostKeys=no -o LogLevel=quiet'