Disable SSH host verification for subnet

Sometimes you have to SSH into different devices with the same IP address, for example when you flash routers with OpenWrt and want to do initial configuration. One annoyance with that is fingerprint checking, as the fingerprint will be different for every new device but the IP will stay the same.

We can easily disable this fingerprint checking for specific IP addresses or entire subnets. I’ll show you how!

Edit /etc/ssh/ssh_config with your favorite editor, for example nano:

sudo nano /etc/ssh/ssh_config

Then add your hosts to the end of the file, either as specific IP addresses or as networks using the asterisk as a wildcard:

Host 192.168.*
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null

Host 172.18.*
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null

Host 172.17.*
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null

Host 172.16.*
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null

This example configuration sets StrictHostKeyChecking to no for every host that matches a Host entry, which means ssh won’t ask you to confirm the fingerprint. UserKnownHostsFile is set to /dev/null, which means the key of the host you’re connecting to is remembered nowhere, or simply put, forgotten, so ssh never notices that the key behind an address has changed.

Note that if you’re on a newer version of SSH, you might have the directory /etc/ssh/ssh_config.d, where you can simply put config files ending in .conf and they will be included automatically. In that case, instead of writing to /etc/ssh/ssh_config, create a new file such as /etc/ssh/ssh_config.d/trusted_hosts.conf and put your config there.
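To check which targets these blocks actually cover, here is an added example (not part of the original post) that evaluates a config the way the ssh_config man page describes it: Host patterns are globs matched against the name as typed on the command line, and the first value obtained for an option wins. The function names and sample targets are assumptions made for this illustration, and the parser is simplified (no Match, Include or quoted arguments).

```python
import re

# Constructed sample: two of the Host blocks from the post.
SAMPLE_CONFIG = """\
Host 192.168.*
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
Host 172.16.*
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
"""

def _glob(pattern):
    # ssh_config patterns only know '*' and '?'; everything else is literal.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern.lower())
    return re.compile(body + r"\Z", re.S)

def host_matches(patterns, name):
    """True if name matches a positive pattern and no '!'-negated one."""
    name = name.lower()
    neg = [p[1:] for p in patterns if p.startswith("!")]
    pos = [p for p in patterns if not p.startswith("!")]
    hit = lambda ps: any(_glob(p).match(name) for p in ps)
    return hit(pos) and not hit(neg)

def effective(config_text, name):
    """Options ssh would take from config_text for the name as typed."""
    patterns, opts = ["*"], {}  # lines before any Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "host":
            patterns = value.split()
        elif host_matches(patterns, name):
            opts.setdefault(key.lower(), value)  # first value obtained wins
    return opts

def verification_disabled(config_text, name):
    o = effective(config_text, name)
    return (o.get("stricthostkeychecking", "ask").lower() in ("no", "off")
            and o.get("userknownhostsfile") == "/dev/null")

if __name__ == "__main__":
    for target in ("192.168.1.1", "192.168.example.net", "router.lan", "172.19.0.5"):
        print(target, verification_disabled(SAMPLE_CONFIG, target))
```

The second target shows that 192.168.* is a text glob rather than a subnet: any name that starts with 192.168. is covered, while router.lan is not, even if it resolves to a covered address.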

That’s all there is to it!
