Mac OS X: disable the global SSH known_hosts file to increase privacy

Why

An annoying warning appears every time you connect to a self-hosted VPN machine that has the same intranet IP address as a previous one (same address, different host key):

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
23:00:20:83:de:02:95:f1:e3:34:be:57:3f:cf:2c:e7.
Please contact your system administrator.
Add correct host key in /home/xahria/.ssh/known_hosts to get rid of this message.
Offending key in /home/xahria/.ssh/known_hosts:8
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.

You may need to remove the stale entry manually and then connect again, with the command below. The quotes around the host are required on macOS, whose default shell (zsh) otherwise treats the square brackets as a glob pattern and refuses to run the command.

ssh-keygen -R '[10.8.4.1]:2022' && ssh -i id_ed25519 [email protected] -p 2022

This may have been done to increase privacy, so that other administrators on the machine (or people who manage to compromise the machine or its backups in the future) can’t see where you’ve connected to unless they spy on the connection. For the known_hosts file, this is not a very good compromise between privacy and security: having to check the peer’s public key manually each time is error-prone (in addition to being inconvenient). Turning on the HashKnownHosts option gives a decent amount of privacy with a decent amount of functionality: with this option turned on, it’s impossible to directly list the entries in a known_hosts file, all you can do is guess what the entry might be and check your guess (and each check is somewhat costly, so you can’t brute-force a very large number of potential server names).
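As an added example (not from the original post), the following Python reproduces the HashKnownHosts entry format written by ssh-keygen -H and the guess-and-check lookup the paragraph describes; the sample entry, host names and key blob are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: one plaintext known_hosts line covering the VPN host on
# port 2022 and a hostname. The key blob is a placeholder, not a real key.
PLAIN_ENTRY = "[10.8.4.1]:2022,vpn.example.internal ssh-ed25519 AAAAPLACEHOLDERKEY"


def hash_hostname(hostname, salt):
    """Hashed host field as ssh-keygen -H writes it:
    |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)).
    The salt is 20 random bytes; a non-default port is hashed as [host]:port."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())


def hash_entry(line, salt=None):
    """Rewrite one plaintext known_hosts line into hashed lines, one per host
    (ssh-keygen -H also splits comma-separated host lists this way).
    A fixed salt may be passed for reproducible output; otherwise each host
    gets its own random salt."""
    hosts, rest = line.split(None, 1)
    return [hash_hostname(host, salt or os.urandom(20)) + " " + rest
            for host in hosts.split(",")]


def entry_matches(line, hostname):
    """True if a known_hosts line (hashed or plain) covers hostname.
    For a hashed line the only option is to recompute the HMAC with the
    line's own salt and compare; the hostname cannot be read back."""
    field = line.split(None, 1)[0]
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        expected = hash_hostname(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, field)
    return hostname in field.split(",")


def probe(lines, guesses):
    """Enumerate a hashed file the only way possible: guess hosts, check each.
    Returns the guesses that are present, sorted."""
    return sorted(h for h in guesses if any(entry_matches(l, h) for l in lines))
```

Each check costs one HMAC-SHA1 per line, which is what makes listing a large hashed file by guessing impractical.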

How to configure the SSH client not to write the known_hosts file

Remove the existing known_hosts file

rm ~/.ssh/known_hosts

Edit the system-wide client configuration with sudo: sudo nano /etc/ssh/ssh_config (this is the client file; /etc/ssh/sshd_config is the server's and does not accept Host blocks). Note that a Host * block with StrictHostKeyChecking no turns off host key verification for every connection made from this machine, so the man-in-the-middle warning shown above will never appear again for any host.

## At the bottom of file
Host *
    SendEnv LANG LC_*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    GlobalKnownHostsFile /dev/null

To apply it to the VPN host only, and keep verification for every other host, edit ~/.ssh/config instead:

HOST 10.8.3.1
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null