Setting a default certificate for SSH authentication

Building a bunch of Raspberry Pi's led me to wanting a default authentication certificate and disabling the certificate check.

As I build all the Raspberry Pis I wanted to disable the host authentication check and use one default SSH key for all of them. I built nearly 18 of them and it was getting brutal constantly deleting the known_hosts file and adding each new Pi into my config. I also wanted the setting to apply only to my domain name so it did not try to use my key outside my network. I will not cover in detail adding the key at the same time you flash your Pi; for that I used pi-gen, which builds a Raspberry Pi image that you can flash.

The host-check errors you would see look something like this:

The authenticity of host 'raspberrypi.example.com (xxx.xxx.xxx.xxx)' can't be established.
ECDSA key fingerprint is SHA256:oN41psu6pnjJVyUUa5H+njN8KUPRZvAElNCczMcEI9Y.
Are you sure you want to continue connecting (yes/no)
Warning: Permanently added 'raspberrypi.example.com' (ECDSA) to the list of known hosts.
edward@raspberrypi.example.com password:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for playground1.c.lan has changed,
and the key for the corresponding IP address 172.16.40.45
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in C:\\Users\\edward/.ssh/known_hosts:4
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:oN41psu6pnjJVyUUa5H+njN8KUPRZvAElNCczMcEI9Y.
Please contact your system administrator.
Add correct host key in C:\\Users\\edward/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in C:\\Users\\edward/.ssh/known_hosts:6
ECDSA host key for raspberrypi.example.com has changed and you have requested strict checking.
Host key verification failed.

To make this work I added the following to my ~/.ssh/config file, which is the file the ssh client reads for per-user configuration. Replace example.com with your domain name and yourusernameonyourlinuxsystem with your username on the Linux systems. Also replace the identity file path, ~/.ssh/linux_id, with the path to your user's private key.

Host *.example.com
    User yourusernameonyourlinuxsystem
    StrictHostKeyChecking no
    IdentityFile ~/.ssh/linux_id

This configuration will only work if you used the same SSH key pair on all your systems. Because the options sit under Host *.example.com, they apply only to hosts in that domain; StrictHostKeyChecking no does not touch the host key check for anything else you ssh to. For a Pi that has been reflashed, ssh will still print the host-key-changed warning shown above, but it proceeds with key authentication instead of failing.
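As an added check (my example, not part of the original post or of OpenSSH), this POSIX shell script audits a client config for Host blocks that set StrictHostKeyChecking no and flags any that are not limited to a domain pattern like the one above, including a bare Host * block or a setting placed before any Host line; the sample config it writes is constructed for the example:

```shell
#!/bin/sh
# Added example (not from the original post): audit an ssh client config for
# Host blocks that set "StrictHostKeyChecking no" and flag any whose pattern is
# not scoped to a domain. The sample config written below is constructed.

# Prints "<host pattern><TAB><scoped|UNSCOPED>" for every relaxed block.
# Returns 1 if any relaxed block is unscoped, 0 otherwise.
audit_ssh_config() {
    awk '
        function report(    n, i, pats, scope) {
            if (!relaxed) return
            n = split(host, pats, " ")
            scope = "scoped"
            for (i = 1; i <= n; i++)
                if (pats[i] == "*" || pats[i] == "(global)") { scope = "UNSCOPED"; bad = 1 }
            print host "\t" scope
        }
        BEGIN { host = "(global)"; relaxed = 0; bad = 0 }
        # ssh_config accepts both "Key Value" and "Key=Value"; normalise to the former.
        { gsub(/=/, " ") }
        tolower($1) == "host" {
            report()
            host = $2
            for (i = 3; i <= NF; i++) host = host " " $i
            relaxed = 0
        }
        tolower($1) == "stricthostkeychecking" && tolower($2) == "no" { relaxed = 1 }
        END { report(); exit bad }
    ' "$1"
}

# Writes a constructed sample ~/.ssh/config to the path given as $1.
write_sample_config() {
cat > "$1" <<'EOF'
Host *.example.com
    User pi
    StrictHostKeyChecking no
    IdentityFile ~/.ssh/linux_id

Host *
    StrictHostKeyChecking=no
EOF
}

# Stand-alone run against the sample config.
sample=$(mktemp)
write_sample_config "$sample"
audit_ssh_config "$sample" || echo "unscoped StrictHostKeyChecking no found" >&2
rm -f "$sample"
```

If ssh is installed, `ssh -G <any host in your domain> | grep -i stricthostkeychecking` shows the value that actually applies to that host after all Host blocks are merged.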

Conclusion

I am glad I did this. Using the same key on all Pis and setting StrictHostKeyChecking no for my domain in the configuration file made it considerably easier to build my Raspberry Pis. And now I do not need to modify the config file for every Pi and other Linux system. So much easier now.

Related links

RPi-Distro/pi-gen: Tool used to create the raspberrypi.org Raspbian images.
Running pi-gen on WSL 2: This post is all about building and using a custom kernel for WSL2 and getting pi-gen to work.
Certificate Based SSH Authentication: I want to use Certificates to authenticate to my Linux servers.