Have you ever started a new Nerves project, written a fresh image to an SD card, booted up your board, and tried to SSH into your device, only to be hit with the following error?
❯ ssh nerves.local
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:hiKqy0CbtYjrICjDUrOMBTlugxXImXjH/n2uX7V71Uc.
Please contact your system administrator.
Add correct host key in /Users/gus/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /Users/gus/.ssh/known_hosts:4
Host key for nerves.local has changed and you have requested strict checking.
Host key verification failed.
While this is absolutely a necessary feature for SSH to improve security, when I'm just trying to connect to my Nerves-powered widgets on my local network, it becomes annoying to constantly remove the offending key from the ~/.ssh/config. And this is not just a one-off event - it happens every time you re-flash a device's SD card, connect a new Nerves device to your network, or run Nerves.FwupOps.factory_reset/0.
So to solve that, we're going to configure SSH to ignore the remote host key for nerves.local. All it takes is the following two lines in your ~/.ssh/config file:
Host nerves*.local
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
What this does:
Host nerves*.local: this specifies we only want these configuration rules to apply to devices with the default Nerves hostnames, such as nerves.local, nerves-a3c6.local, etc.
StrictHostKeyChecking no: this parameter automatically adds remote host keys to the known hosts file, without user interaction.
UserKnownHostsFile=/dev/null: this specifies the user known hosts file to be the null file, i.e. your computer's trash can.
By using these parameters in combination, SSH will automatically connect to your Nerves devices, then throw away the remote host fingerprint so you can connect to other Nerves devices later on.
Security warning: this opens you up to man-in-the-middle attacks for connections with the hostname nerves.local. However, since these are almost always devices on your local network, the risk should be low.
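To confirm that the override reaches only the Nerves hostnames and leaves host key checking on for everything else, the sketch below resolves `Host` blocks the way ssh does (first value obtained wins). It is an added example, not part of the original post: the `Host *` block, the function names and the non-Nerves hostname are assumptions, `Match` blocks are not handled, and Python's `fnmatch` stands in for ssh's `*`/`?` pattern matching.

```python
import fnmatch
import re

# Constructed sample: the override from this post, followed by an assumed
# catch-all block that keeps interactive checking for everything else.
SAMPLE_CONFIG = """\
Host nerves*.local
  StrictHostKeyChecking no
  UserKnownHostsFile=/dev/null

Host *
  StrictHostKeyChecking ask
"""

def parse_blocks(text):
    """Return [(patterns, {option: value})]; options before any Host line are global."""
    current = (["*"], {})
    blocks = [current]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Key value" and "Key=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            current[1].setdefault(key, value)
    return blocks

def effective(text, hostname):
    """Resolve options for hostname; the first value obtained for an option wins."""
    result = {}
    for patterns, opts in parse_blocks(text):
        negated = [p[1:] for p in patterns if p.startswith("!")]
        positive = [p for p in patterns if not p.startswith("!")]
        if any(fnmatch.fnmatchcase(hostname, p) for p in negated):
            continue
        if any(fnmatch.fnmatchcase(hostname, p) for p in positive):
            for key, value in opts.items():
                result.setdefault(key, value)
    return result

def host_key_check_disabled(text, hostname):
    """True when the resolved StrictHostKeyChecking is 'no' or 'off' (default: ask)."""
    return effective(text, hostname).get("stricthostkeychecking", "ask") in ("no", "off")

if __name__ == "__main__":
    for host in ("nerves.local", "nerves-a3c6.local", "build-server.example"):
        print(host, "host key check disabled:", host_key_check_disabled(SAMPLE_CONFIG, host))
```

Pass the contents of your own `~/.ssh/config` as `text` to audit the real file.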