Asked Sunday, November 13, 2022, 8:21:22

I've written this small utility script:



for h in $SERVER_LIST; do ssh $h "uptime"; done


When a new server is added to $SERVER_LIST, the script is stopped with:



The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be established.
RSA key fingerprint is a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
Are you sure you want to continue connecting (yes/no)?


I've tried yes:



for h in $SERVER_LIST; do yes | ssh $h "uptime"; done


with no luck.



Is there a way to parametrize ssh to automatically accept any new key?



 Answers

Use the StrictHostKeyChecking option, for example:


ssh -oStrictHostKeyChecking=no $h uptime

This option can also be added to ~/.ssh/config, e.g.:


Host somehost
Hostname 10.0.0.1
StrictHostKeyChecking no

Note that when the host keys have changed, you'll get a warning, even with this option:


$ ssh -oStrictHostKeyChecking=no somehost uptime
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
31:6f:2a:d5:76:c3:1e:74:f7:73:2f:96:16:12:e0:d8.
Please contact your system administrator.
Add correct host key in /home/peter/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/peter/.ssh/known_hosts:24
remove with: ssh-keygen -f "/home/peter/.ssh/known_hosts" -R 10.0.0.1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
ash: uptime: not found

If your hosts are not often reinstalled, you could make this less secure (but more convenient for often-changing host keys) with the -oUserKnownHostsFile=/dev/null option. This discards all received host keys so it'll never generate the warning.




With Ubuntu 18.04, since [OpenSSH>=7.6](https://www.openssh.com/txt/release-7.6), there's a new possibility:


StrictHostKeyChecking=accept-new


From man ssh_config:


If this flag is set to “accept-new” then ssh will automatically
add new host keys to the user known hosts files, but will not
permit connections to hosts with changed host keys. If this flag
is set to “no” or “off”, ssh will automatically add new host keys
to the user known hosts files and allow connections to hosts with
changed hostkeys to proceed, subject to some restrictions.

Answered Tuesday, November 15, 2022
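
An added example, not part of the original question or answer: the question's loop over $SERVER_LIST, using accept-new where the local client supports it (OpenSSH 7.6 or later) and otherwise refusing unknown hosts, with BatchMode so it never stops at a prompt. The names hostkey_policy, run_on_hosts and REFUSED_HOSTS are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. hostkey_policy, run_on_hosts and
# REFUSED_HOSTS are hypothetical names; SERVER_LIST is the question's variable.

# Choose a StrictHostKeyChecking value from the banner printed by `ssh -V`.
# accept-new needs OpenSSH >= 7.6. Older or unrecognised clients get "yes":
# unknown hosts are then refused (their keys must be added to known_hosts
# beforehand) rather than trusted blindly.
hostkey_policy() {
    case "$1" in
        OpenSSH_[0-9]*.[0-9]*) ;;
        *) echo yes; return ;;
    esac
    hp_v=${1#OpenSSH_}
    hp_major=${hp_v%%.*}
    hp_minor=${hp_v#*.}
    hp_minor=${hp_minor%%[!0-9]*}
    case "$hp_major.$hp_minor" in
        *[!0-9.]*|*.) echo yes; return ;;   # not "digits.digits": fail closed
    esac
    if [ "$hp_major" -gt 7 ] || { [ "$hp_major" -eq 7 ] && [ "$hp_minor" -ge 6 ]; }; then
        echo accept-new
    else
        echo yes
    fi
}

# Run "$@" on each host in $SERVER_LIST. BatchMode=yes makes ssh fail rather
# than prompt, so the loop never stalls. Hosts where ssh itself failed are
# collected in REFUSED_HOSTS for a manual look.
run_on_hosts() {
    roh_policy=$(hostkey_policy "$(ssh -V 2>&1)")
    REFUSED_HOSTS=
    for roh_h in $SERVER_LIST; do
        roh_rc=0
        ssh -n -o BatchMode=yes -o ConnectTimeout=10 \
            -o StrictHostKeyChecking="$roh_policy" "$roh_h" "$@" || roh_rc=$?
        # ssh exits 255 on its own errors, e.g. "Host key verification failed".
        if [ "$roh_rc" -eq 255 ]; then
            REFUSED_HOSTS="${REFUSED_HOSTS:+$REFUSED_HOSTS }$roh_h"
        fi
    done
    [ -z "$REFUSED_HOSTS" ] || { echo "ssh failed for: $REFUSED_HOSTS" >&2; return 1; }
}

# Only runs when a host list is supplied, e.g. SERVER_LIST="web1 web2" sh script.sh
if [ -n "${SERVER_LIST:-}" ]; then
    run_on_hosts uptime
fi
```

A host that lands in REFUSED_HOSTS because its key changed should have the new fingerprint checked out of band before the old entry is removed with ssh-keygen -R.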