ssh: automatically accept keys

Question

I've written this small utility script:

for h in $SERVER_LIST; do ssh $h "uptime"; done

When a new server is added to $SERVER_LIST, the script is stopped with:

The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be established.
RSA key fingerprint is a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
Are you sure you want to continue connecting (yes/no)?

I've tried yes:

for h in $SERVER_LIST; do yes | ssh $h "uptime"; done

with no luck.

Is there a way to parametrize ssh to automatically accept any new key?

score 365 · Accepted Answer · edited Nov 08 '22 at 02:16

Use the StrictHostKeyChecking option, for example:

ssh -oStrictHostKeyChecking=no $h uptime

This option can also be added to ~/.ssh/config, e.g.:

Host somehost
    Hostname 10.0.0.1
    StrictHostKeyChecking no

Note that when the host keys have changed, you'll get a warning, even with this option:

$ ssh -oStrictHostKeyChecking=no somehost uptime
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
31:6f:2a:d5:76:c3:1e:74:f7:73:2f:96:16:12:e0:d8.
Please contact your system administrator.
Add correct host key in /home/peter/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/peter/.ssh/known_hosts:24
  remove with: ssh-keygen -f "/home/peter/.ssh/known_hosts" -R 10.0.0.1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
ash: uptime: not found

If your hosts are not often reinstalled, you could make this less secure (but more convenient for often-changing host keys) with the -oUserKnownHostsFile=/dev/null option. This discards all received host keys so it'll never generate the warning.

With Ubuntu 18.04, since [OpenSSH>=7.6] (https://www.openssh.com/txt/release-7.6), there's a new possibility:

StrictHostKeyChecking=accept-new

From man ssh_config :

If this flag is set to “accept-new” then ssh will automatically
add new host keys to the user known hosts files, but will not
permit connections to hosts with changed host keys.  If this flag
is set to “no” or “off”, ssh will automatically add new host keys
to the user known hosts files and allow connections to hosts with
changed hostkeys to proceed, subject to some restrictions.

score 153 · Answer 2 · edited Oct 18 '16 at 19:01

You can use the following command to add the fingerprint for a server to your known_hosts

ssh-keyscan -H <ip-address> >> ~/.ssh/known_hosts
ssh-keyscan -H <hostname> >> ~/.ssh/known_hosts

NOTE: Replace < ip-address > and < hostname > with the IP and dns name of the server you want to add.

The only issue with this is that you will end up with some servers in your known_hosts twice. It's not really a big deal, just mentioning. To ensure there are no duplicates, you could remove all the servers first by running the following first:

ssh-keygen -R <ip-address>
ssh-keygen -R <hostname>

So you could run:

for h in $SERVER_LIST; do
    ip=$(dig +search +short $h)
    ssh-keygen -R $h
    ssh-keygen -R $ip
    ssh-keyscan -H $ip >> ~/.ssh/known_hosts
    ssh-keyscan -H $h >> ~/.ssh/known_hosts
done

One thing to keep in mind when removing just to re-add, you are essentially removing the security of verifying the fingerprint. So you would definitely not want to run this script before each execution of your utility script.

score 32 · Answer 3 · edited Nov 26 '14 at 00:33

32

I'm a bit late with this response, but the sensible way would be to do a ssh-keyscan on the new machine before you run the uptime gathering.

ssh-keyscan  <newhost> >> ~/.ssh/known_hosts

Disabling the sanity check for convenience sake sounds like a bad plan, even if you think you're totally in control of the environment.

edited Nov 26 '14 at 00:33

Fabby

35,017

answered Nov 24 '14 at 19:47

tink

528
9
16

score 7 · Answer 4 · edited Feb 06 '20 at 06:32

7

Add this entry into ~/.ssh/config file

Host *
    StrictHostKeyChecking no

If it complains about access permission for ~/.ssh/config, then try

$ chmod 644 ~/.ssh/config

edited Feb 06 '20 at 06:32

Kevin Bowen

20,055
57
82
84

answered Feb 06 '20 at 06:14

Samarth S

171
1
2

score 3 · Answer 5 · answered Apr 09 '22 at 03:21

3

I tried the approaches suggested in this thread. Best fit to my needs is summarized below: ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=10 -i <filepath to .pem RSA key> <user>@<ip>

answered Apr 09 '22 at 03:21

MiKK

131

Waqas Khan · Answer 6 · 2021-05-22T12:44:54.610

2

In order to add a list of servers automatically we can do below:

Add servers IP in file servers-list

The IPs should be added in below format.

Output of cat servers-list

123.1.2.3
124.1.2.4
123.1.2.5

Change above IPs by replacing yours.

Below command will add all servers from the list.

ssh-keyscan -H "`cat servers-list`" >> ~/.ssh/known_hosts

edited May 22 '21 at 12:44

answered Feb 16 '18 at 07:46

Waqas Khan

121

Srinath Sridharan · Answer 7 · 2021-09-16T11:43:50.010

Though it's too late to answer this, wanted to share my contribution.

I just made a quick bash script to ease my life.

Basically, whenever you ssh into a machine, it removes the old host key and adds the new key. Add that as an alias to ssh, then you no longer need to worry about ssh keys not matching. The script will rotate them on every login.

#!/bin/bash
{
    ip=$(cut -d  "@" -f2 <<< $1) && ssh-keygen -R $ip 2> /dev/null && ssh -o StrictHostKeyChecking=accept-new $1 2> /dev/null
} || { 
    ssh $1 
}
For Windows users (to add permanent alias to cmd):
Create a file called Alias.bat (preferrably in C:\Bin)
Enter this inside Alias.bat: doskey ssh=bash rotate_ssh_key.sh $1
Add the totate_ssh_keys.sh (This gist) in the same location as Alias.bat
Goto Registry editor
Goto HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor
Add a String valid called Autorun and set the value to the absolute path of Alias.bat
Done.
Windows Alias taken from this post: https://superuser.com/a/238858
For Linux/ Mac Users:
add this to your .bashrc or .zshrc file:
alias ssh="bash /path/to/rotate_ssh_keys.sh"
Done

Example Usage
bash script.sh ubuntu@10.10.1.10

Code Explanation
The code takes the hostname@ip as argument and splits it into hostname and ip using the cut command with @ as delimiter.

Then it removes the ip address from the known_hosts file using the ssh-keygen command.

Then it runs the ssh command with one additional option -o StrictHostKeyChecking=accept-new. This allows it to automatically accept the new key.

I have also added a try-catch sequence to it, so that in case of errors, it falls back to the default behaviour of ssh command.

ssh: automatically accept keys

7 Answers7

For Windows users (to add permanent alias to cmd):

Create a file called Alias.bat (preferrably in C:\Bin)

Enter this inside Alias.bat: doskey ssh=bash rotate_ssh_key.sh $1

Add the totate_ssh_keys.sh (This gist) in the same location as Alias.bat

Goto Registry editor

Goto HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor

Add a String valid called Autorun and set the value to the absolute path of Alias.bat

Done.

Windows Alias taken from this post: https://superuser.com/a/238858

For Linux/ Mac Users:

add this to your .bashrc or .zshrc file:

alias ssh="bash /path/to/rotate_ssh_keys.sh"

Done

Linked