Today I was reviewing CVS commits to ports, and I saw this flow across my screen:
Edit ports/security/unssh/Makefile
  Add delta 1.4 2011.10.18.22.35.18 pav
Edit ports/security/unssh/distinfo
  Add delta 1.3 2011.10.18.22.35.18 pav
Delete ports/security/unssh/files/extra-patch-unssh.sh.in
I immediately wondered what unssh was. Apparently it’s a shell script that modifies (removes lines from) your ~/.ssh/known_hosts file when run with the same arguments as ssh.
This immediately made me think “why is this even necessary when OpenSSH already has a framework to accomplish this task?” Just edit your ~/.ssh/config and enter the following:
Host gw
    StrictHostKeyChecking no
The difference is that this never removes the outdated (“offending”) entry from ~/.ssh/known_hosts, so you will continue to see the nasty man-in-the-middle warning every time you SSH to the host “gw”. You will still be able to connect, but not quite as usual: when the stored key does not match and StrictHostKeyChecking is off, ssh disables password and keyboard-interactive authentication, agent and X11 forwarding, and port forwarding for that session, so only public-key authentication works. If you want the warning gone rather than merely non-fatal, add UserKnownHostsFile /dev/null to the same Host block (or remove the stale entry with ssh-keygen -R gw) so there is no stored key left to mismatch.
There’s little harm in ignoring the nastygram when connecting to a machine you know is going to change its SSH identity keys all the time, as long as the relaxation stays inside that one Host block: for every other host, the mismatch warning is the only signal you get that the machine on the other end is not the one you think it is. Really, the person SSH’ing to “gw” will already be aware that its key changes (the fact that they went and found unssh is proof of that). And if the key only changes because the box gets reinstalled, carrying its /etc/ssh/ssh_host_* keys across reinstalls removes the problem at the source.
There is a -q equivalent in ssh_config(5), although it is not called Quiet: ssh -q simply sets the log level to QUIET, so LogLevel QUIET in the same Host block does the same thing. StrictHostKeyChecking no plus LogLevel QUIET does make the nastygram disappear, but it also hides the notices that password authentication and forwarding have been switched off, leaving you with a silently degraded session. LogLevel ERROR is the better middle ground: the host-key warning is logged at error level and stays visible, while informational chatter such as the “Permanently added … to the list of known hosts” line (all that remains once no stale entry is stored) goes away.
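The two pieces discussed above, the relaxed ssh_config stanza and removing a stale known_hosts entry (the job unssh does by editing the file), as an added example that is not from the original post or from the unssh port. It assumes a host named gw; the known_hosts lines it builds are constructed sample data with fake key material. The removal function matches plain and [host]:port entries and @marker lines; it cannot match hashed entries (HashKnownHosts yes), which is one reason to prefer the built-in ssh-keygen -R for real use.

```sh
#!/bin/sh
# Added example, not code from the original post or from the unssh port.
# Host name "gw" and every known_hosts line below are constructed.

# Print a per-host ssh_config stanza for a machine whose key changes all
# the time. With only "StrictHostKeyChecking no" (the post's version) ssh
# still compares the new key against the stored one, prints the
# "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and disables password
# and keyboard-interactive authentication plus forwarding for the session.
# "UserKnownHostsFile /dev/null" means there is never a stored key to
# mismatch, so only the informational "Permanently added" notice remains,
# and "LogLevel ERROR" silences that while keeping genuine errors visible.
relaxed_host_stanza() {
    host=$1
    printf 'Host %s\n' "$host"
    printf '    StrictHostKeyChecking no\n'
    printf '    UserKnownHostsFile /dev/null\n'
    printf '    LogLevel ERROR\n'
}

# Remove every known_hosts entry for HOST from FILE and print how many
# lines were dropped. An entry's host field is a comma-separated list
# (field 1, or field 2 when field 1 is a marker such as @cert-authority);
# non-default ports appear as "[host]:port". Hashed entries are not
# matched; "ssh-keygen -R host -f FILE" handles those as well.
forget_known_host() {
    file=$1
    host=$2
    tmp="$file.tmp.$$"
    before=$(wc -l < "$file")
    awk -v host="$host" '
        {
            hostfield = ($1 ~ /^@/) ? $2 : $1
            n = split(hostfield, names, ",")
            keep = 1
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name)        # strip "[" of "[host]:port"
                sub(/\]:[0-9]+$/, "", name) # strip "]:port"
                if (name == host) { keep = 0; break }
            }
            if (keep) print
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
    after=$(wc -l < "$file")
    echo $((before - after))
}

# Build a constructed known_hosts file, forget "gw", and print
# "<lines removed> <lines left>"; the key blobs are fake.
demo() {
    kh=$(mktemp)
    cat > "$kh" <<'EOF'
gw,10.0.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example1
[gw]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example2
@cert-authority gw ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example3
fileserver ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example4
# a comment line stays
EOF
    removed=$(forget_known_host "$kh" gw)
    remaining=$(wc -l < "$kh")
    rm -f "$kh"
    echo "$removed $remaining"
}

relaxed_host_stanza gw
demo
```

Running it prints the four-line Host gw stanza followed by "3 2": the plain, port-qualified and @cert-authority entries for gw are gone and the fileserver entry and the comment survive. On a machine with OpenSSH installed, ssh-keygen -R gw against the same file gives the same result and also catches hashed entries, which is the tool to reach for instead of a custom script.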