Closed MikeHart85 closed 3 years ago
Tested just by manually trying to establish the connection in ipython, from jupyterhub2, the same way it is normally done here.
Result without this option:
In [4]: try_ssh = Popen(['ssh', ip, 'exit'], stdin=PIPE, stdout=PIPE)
In [5]: The authenticity of host '[redacted] ([redacted])' can't be established.
RSA key fingerprint is [redacted].
Are you sure you want to continue connecting (yes/no)?
Host key verification failed.
In [5]:
Result with option:
In [5]: try_ssh = Popen(['ssh', '-o', 'StrictHostKeyChecking no', ip, 'exit'], stdin=PIPE, stdout=PIPE)
In [6]: Warning: Permanently added '[redacted]' (RSA) to the list of known hosts.
Subsequent calls no longer need the option.
Instead of a value of `no` we could also use `accept-new`. We'd end up with the same problem if the network card changed but the IP didn't though. So I think we want `no`.
Just for reference, from `man 5 ssh_config`:
StrictHostKeyChecking
If this flag is set to yes, ssh(1) will never automatically add
host keys to the ~/.ssh/known_hosts file, and refuses to connect
to hosts whose host key has changed. This provides maximum
protection against man-in-the-middle (MITM) attacks, though
it can be annoying when the /etc/ssh/ssh_known_hosts file is
poorly maintained or when connections to new hosts are frequently
made. This option forces the user to manually add all
new hosts.

If this flag is set to “accept-new” then ssh will automatically
add new host keys to the user known hosts files, but will not
permit connections to hosts with changed host keys. If this
flag is set to “no” or “off”, ssh will automatically add new
host keys to the user known hosts files and allow connections
to hosts with changed hostkeys to proceed, subject to some restrictions.
If this flag is set to ask (the default), new host
keys will be added to the user known host files only after the
user has confirmed that is what they really want to do, and ssh
will refuse to connect to hosts whose host key has changed.
The host keys of known hosts will be verified automatically in
all cases.
I think this may fix at least some of our JupyterHub woes.
REIP has changed all IPs and in a few cases some hosts or network cards have been replaced entirely. This is causing remotekernel to fail to connect, because `ssh` wants you to type "yes" to continue. Adding this option forces ssh to accept and proceed automatically.
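
The difference between `no` and `accept-new` for the case described above (same IP, replaced host or network card), as an added example that is not part of the original pull request or of remotekernel. It models the quoted ssh_config(5) text in Python over a constructed known_hosts sample; `parse_known_hosts`, `decide` and `compare_modes` are hypothetical helper names, and only plain (unhashed) entries are handled.

```python
# Added example: models the StrictHostKeyChecking text from ssh_config(5).
# Assumptions: plain (unhashed) known_hosts entries, no wildcards or markers,
# and one pinned key per (host, key type).

# Constructed sample: one pinned host with a placeholder key blob.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample
10.0.0.5,node5.example ssh-rsa OLDKEY_constructed
"""

def parse_known_hosts(text):
    """Return {host: {keytype: key}} from known_hosts text."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@", "|")):
            continue  # skip comments, marker lines and hashed hosts
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry
        for host in fields[0].split(","):
            pinned.setdefault(host, {})[fields[1]] = fields[2]
    return pinned

def decide(mode, pinned, host, keytype, key, has_tty=False):
    """Return what ssh does with the key the server presented."""
    known = pinned.get(host, {}).get(keytype)
    if known == key:
        return "connect"
    if known is None:  # host not seen before
        if mode in ("no", "off", "accept-new"):
            return "add-and-connect"
        if mode == "ask" and has_tty:
            return "prompt"
        return "refuse"  # "yes", or "ask" with nobody to answer
    # Pinned key differs from the presented one (replaced host or NIC).
    if mode in ("no", "off"):
        return "connect-restricted"  # proceeds "subject to some restrictions"
    return "refuse"

def compare_modes(host, keytype, key):
    """Outcome per mode for one presented key, non-interactive caller."""
    pinned = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    return {m: decide(m, pinned, host, keytype, key)
            for m in ("yes", "ask", "accept-new", "no")}
```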