Protolux Electronics

Quick tip: configure SSH for all your Nerves devices

Learn how to quickly configure your SSH settings to prevent Nerves devices from polluting your known hosts file

Have you ever started a new Nerves project, written a fresh image to an SD card, booted up your board, and tried to SSH into your device, only to be hit with the following error?

❯ ssh nerves.local
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:hiKqy0CbtYjrICjDUrOMBTlugxXImXjH/n2uX7V71Uc.
Please contact your system administrator.
Add correct host key in /Users/gus/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /Users/gus/.ssh/known_hosts:4
Host key for nerves.local has changed and you have requested strict checking.
Host key verification failed.

While this is absolutely a necessary feature for SSH to improve security, when I'm just trying to connect to my Nerves-powered widgets on my local network, it becomes annoying to constantly remove the offending key from ~/.ssh/known_hosts. And this is not just a one-off event - it happens every time you re-flash a device's SD card, connect a new Nerves device to your network, or run Nerves.FwupOps.factory_reset/0.

So to solve that, we're going to configure SSH to ignore the remote host key for nerves.local. All it takes is the following two lines in your ~/.ssh/config file:

Host nerves*.local
  StrictHostKeyChecking no
  UserKnownHostsFile=/dev/null

What this does:

  • Host nerves*.local: this specifies we only want these configuration rules to apply to devices with the default Nerves hostnames, such as nerves.local, nerves-a3c6.local, etc
  • StrictHostKeyChecking no: this parameter automatically adds remote host keys to the known hosts file, without user interaction
  • UserKnownHostsFile=/dev/null: this specifies the user known hosts file to be the null file, i.e. your computer's trash can

By using these parameters in combination, SSH will automatically connect to your Nerves devices, then throw away the remote host fingerprint so you can connect to other Nerves devices later on.

Security warning: this opens you up to man-in-the-middle attacks for connections with the hostname nerves.local. However, since these are almost always devices on your local network, the risk should be low.
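
To check that the relaxed settings reach only the Nerves hostnames and nothing else in your config, here is an added example (not part of the original post) that models how ssh_config resolves Host blocks for a given hostname. The function names and the sample catch-all block are assumptions, and Match blocks are skipped rather than evaluated.

```python
import re

# Constructed sample: the block from this post, followed by a catch-all block.
SAMPLE_CONFIG = """\
Host nerves*.local
  StrictHostKeyChecking no
  UserKnownHostsFile=/dev/null

Host *
  StrictHostKeyChecking ask
"""

def _matches(host, patterns):
    """ssh_config Host matching: '*' and '?' wildcards, '!' negates a pattern."""
    hit = False
    for pat in patterns:
        negated = pat.startswith("!")
        regex = re.escape(pat.lstrip("!")).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, host, re.IGNORECASE):
            if negated:
                return False  # a negated match vetoes the whole Host line
            hit = True
    return hit

def effective(config_text, host):
    """Return the first value seen for each keyword in blocks that match host."""
    settings, active = {}, True  # options before any Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept both "Keyword value" and "Keyword=value".
        key, _, value = re.sub(r"\s*=\s*|\s+", " ", line, count=1).partition(" ")
        key = key.lower()
        if key in ("host", "match"):
            active = key == "host" and _matches(host, value.split())
        elif active:
            settings.setdefault(key, value.strip())  # first obtained value wins
    return settings

def host_key_check_disabled(config_text, host):
    """True when host keys are neither verified nor remembered for this host."""
    s = effective(config_text, host)
    return (s.get("stricthostkeychecking", "ask").lower() in ("no", "off")
            and s.get("userknownhostsfile") == "/dev/null")
```

On a real machine, `ssh -G nerves.local` prints the options that ssh itself resolves for that host, which is the authoritative version of this check.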
