55

I've tried yes | ssh root@10.x.x.x to try to accept the RSA key fingerprint, but am still prompted if I'm sure I want to connect. Is there a way to make this automatic?

10 Answers

74

OpenSSH 7.6 introduced a new StrictHostKeyChecking=accept-new setting for exactly this purpose:

   ssh(1): expand the StrictHostKeyChecking option with two new
   settings. The first "accept-new" will automatically accept
   hitherto-unseen keys but will refuse connections for changed or
   invalid hostkeys. This is a safer subset of the current behaviour
   of StrictHostKeyChecking=no. The second setting "off", is a synonym
   for the current behaviour of StrictHostKeyChecking=no: accept new
   host keys, and continue connection for hosts with incorrect
   hostkeys. A future release will change the meaning of
   StrictHostKeyChecking=no to the behaviour of "accept-new".

(OpenSSH 7.6 Release notes)
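As an added illustration (not code from the OpenSSH release notes or from any answer on this page), the following Python models the decision each StrictHostKeyChecking value makes in the three cases the release notes distinguish: a host never seen before, a host whose recorded key matches, and a host whose recorded key has changed. The known_hosts lines are constructed; the hashed entry follows OpenSSH's `|1|salt|hmac` HashKnownHosts layout, while wildcard and negated host patterns are not modelled.

```python
"""Model how StrictHostKeyChecking values treat a host key (added example).

Not OpenSSH's code: only the accept / refuse / ask decision is modelled, for
the three cases the release notes distinguish: a host never seen before, a
host whose stored key matches, and a host whose stored key differs.
Wildcard and negated host patterns in known_hosts are not handled.
"""
import base64
import hashlib
import hmac


def hashed_host_field(hostname, salt):
    """OpenSSH HashKnownHosts layout: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(field, hostname):
    """True if a known_hosts host field (plain list or hashed) names hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        expected = hashed_host_field(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, field)
    return hostname in field.split(",")


def stored_keys(known_hosts, hostname):
    """(keytype, key) pairs recorded for hostname in a list of known_hosts lines."""
    found = []
    for line in known_hosts:
        fields = line.split()
        if len(fields) < 3 or line.lstrip().startswith("#"):
            continue
        if host_matches(fields[0], hostname):
            found.append((fields[1], fields[2]))
    return found


def decide(policy, known_hosts, hostname, keytype, key):
    """Return 'accept', 'refuse' or 'ask' for StrictHostKeyChecking=policy.

    policy: 'yes', 'ask', 'accept-new', or 'no' ('off' is its synonym).
    'accept' for an unseen host means the key would also be recorded.
    """
    if policy == "off":
        policy = "no"
    same_type = [k for t, k in stored_keys(known_hosts, hostname) if t == keytype]
    if not same_type:
        # Unseen host: only the policy decides.
        return {"yes": "refuse", "ask": "ask",
                "accept-new": "accept", "no": "accept"}[policy]
    if key in same_type:
        return "accept"          # matches the recorded key under every policy
    # Changed key: ssh warns loudly; only StrictHostKeyChecking=no continues
    # (and even then it disables password authentication for that connection).
    return "accept" if policy == "no" else "refuse"


# Constructed sample store (not real keys): one plain and one hashed entry.
SAMPLE_SALT = b"0123456789abcdef0123"
SAMPLE_KNOWN_HOSTS = [
    "# constructed known_hosts for the example",
    "build.example,10.0.0.5 ssh-ed25519 AAAAC3constructedKey1",
    hashed_host_field("upload.example", SAMPLE_SALT) + " ssh-ed25519 AAAAC3constructedKey2",
]

if __name__ == "__main__":
    for policy in ("yes", "ask", "accept-new", "no"):
        print(policy, "unseen host ->",
              decide(policy, SAMPLE_KNOWN_HOSTS, "new.example", "ssh-ed25519", "AAAAC3x"))
        print(policy, "changed key ->",
              decide(policy, SAMPLE_KNOWN_HOSTS, "build.example", "ssh-ed25519", "AAAAC3other"))
```

Running it prints one line per policy and case; the point to take away is that `accept-new` and `no` agree on the first connection and diverge only when a recorded key changes, which is exactly the case a man-in-the-middle produces.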

25

Using SSH Programmatically with known hosts key

If what you want is to be able to use programmatically AND avoid Man-In-The-Middle attack, then I suggest you get the known fingerprint using the command ssh-keyscan. Example:

$ ssh-keyscan -t rsa,dsa github.com 2>/dev/null
github.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

Then you can forge a script to save it to a temporary file and use the UserKnownHostsFile option. The example below is a script, which can be called ssh_github:

#!/bin/bash

# Pinned host keys for github.com (as printed by ssh-keyscan above).
HOSTKEY='github.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=='

# Write the pinned keys to a private temporary known_hosts file.
TEMPFILE=$(mktemp)
echo "$HOSTKEY" > "$TEMPFILE"

# Use only that file for host-key verification; pass all arguments through.
ssh -o "UserKnownHostsFile $TEMPFILE" "$@"

rm -f "$TEMPFILE"

With this, you can just run ssh_github instead of ssh and it will connect even if there is no known_hosts file where you put the script.

RDP
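The script above trusts whatever ssh-keyscan returned, which is only as trustworthy as the network it was captured on. An added example, not part of the answer's script, of the check a practitioner would put in front of it: each scanned line is compared against a SHA256 fingerprint obtained out of band (the form `ssh-keygen -lf` prints), the declared key type is checked against the type embedded in the key blob, and only matching lines are kept for the UserKnownHostsFile. The key blobs and host name `upload.example` are constructed for the example, not real keys.

```python
"""Pin ssh-keyscan output to out-of-band fingerprints (added example).

Not the answer's own script. Each scanned line is accepted only if the
SHA256 fingerprint of its key blob equals the fingerprint published for
that (host, keytype) pair; everything else is dropped before the line can
reach the known_hosts file handed to ssh via UserKnownHostsFile.
"""
import base64
import hashlib
import hmac
import struct


def sha256_fingerprint(key_b64):
    """Same value ssh-keygen -lf prints: SHA256 of the raw blob, unpadded base64."""
    raw = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_key_type(key_b64):
    """The wire blob begins with a uint32-length-prefixed type string (RFC 4253)."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if n > len(raw) - 4:
        raise ValueError("truncated type string")
    return raw[4:4 + n].decode("ascii")


def parse_keyscan_line(line):
    """Split 'host keytype blob' and refuse a blob whose type disagrees with the label."""
    fields = line.split(None, 3)
    if len(fields) < 3:
        raise ValueError("not a keyscan line: %r" % line)
    host, keytype, key_b64 = fields[0], fields[1], fields[2]
    if embedded_key_type(key_b64) != keytype:
        raise ValueError("declared type %s does not match blob" % keytype)
    return host, keytype, key_b64


def pinned_lines(scan_output, pins):
    """Keep only scanned lines whose fingerprint equals pins[(host, keytype)]."""
    kept = []
    for line in scan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, keytype, key_b64 = parse_keyscan_line(line)
        expected = pins.get((host, keytype))
        if expected is None:
            continue                      # no pin for this pair: do not trust it
        if hmac.compare_digest(sha256_fingerprint(key_b64), expected):
            kept.append("%s %s %s" % (host, keytype, key_b64))
    return kept


def make_blob(keytype, body):
    """Constructed blob in the wire layout (uint32 len + type + body); not a real key."""
    return base64.b64encode(struct.pack(">I", len(keytype)) + keytype.encode() + body).decode()


if __name__ == "__main__":
    # Constructed scan output: the ed25519 line matches the pin, the rsa line has none.
    good = make_blob("ssh-ed25519", b"\x00\x00\x00\x20" + b"A" * 32)
    pins = {("upload.example", "ssh-ed25519"): sha256_fingerprint(good)}
    scan = "upload.example ssh-ed25519 %s\nupload.example ssh-rsa %s\n" % (
        good, make_blob("ssh-rsa", b"\x00\x00\x00\x01\x03"))
    for line in pinned_lines(scan, pins):
        print(line)                       # only the pinned line survives
```

In use, `pins` would hold the fingerprints the service publishes on a page you fetched over an independent channel, and the returned lines are what gets written to the temporary known_hosts file; a changed or unpublished key then never becomes "known".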
16

Add these to your bash startup file, or similar:

#
#  ssh + scp without storing or prompting for keys.
#
function sshtmp
{
    ssh -o "ConnectTimeout 3" \
        -o "StrictHostKeyChecking no" \
        -o "UserKnownHostsFile /dev/null" \
        "$@"
}
# No "exec" here: exec would replace the interactive shell with scp.
function scptmp
{
    scp -o "ConnectTimeout 3" \
        -o "StrictHostKeyChecking no" \
        -o "UserKnownHostsFile /dev/null" \
        "$@"
}

Then use sshtmp, or scptmp in place of ssh and scp.

NOTE: If you do go down this road you'll not be alerted that a host key has changed and will lose security.

7

I just use:

ssh -o StrictHostKeyChecking=no user@host

It can also be used with pssh:

pssh -O StrictHostKeyChecking=no -h list.text -l user -A -i "cmd"
vvvvv
3

My 5 cents, because no one mentioned it:

First my use case: several servers upload to a single "upload" server given as hostname "upload.domain.com". The upload is made with rsync+ssh. I wanted to be able to change "upload.domain.com" and have everything continue to work.

I made a config file in the .ssh directory:

cat > .ssh/config <<[end]
StrictHostKeyChecking no
[end]

aka

echo "StrictHostKeyChecking no" >> ~/.ssh/config

You do not need to remove the .ssh/known_hosts file; it prints a message, but works anyway.

Update

I don't mean this to be a crontab or something automatic.

I mean you have to create a file .ssh/config and put this line into it. The easiest way is via the command I show. You can use any other method that's easy for you, like text editors - vi, pico etc.

gndps
Nick
3

Use the StrictHostKeyChecking option, for example:

ssh -oStrictHostKeyChecking=accept-new $host 

This option can also be added to ~/.ssh/config:

Host *
    StrictHostKeyChecking accept-new

The benefit of the accept-new option is that it will remember the host the first time you connect to it - and if it ever changes you will be warned.

This is not a blanket override. If host keys change you will still get a warning. If you absolutely do not care about getting MITM'ed you can use this instead:

ssh -oUserKnownHostsFile=/dev/null $host

This is a terrible idea for obvious reasons - anyone can create a script that can just harvest your password and use it to take over the real host.

Dagelf
2

Use this command to add the host to ~/.ssh/known_hosts (and don't add duplicate ones) as guided here

e.g. adding gitlab.com

ssh-keygen -F gitlab.com || ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
Nam G VU
1

You must add the trusted host to the file ~/.ssh/config.

You can easily achieve it this way; just change the value of TRUSTED_HOST to your hostname:

# Note: these options turn host-key verification off entirely for this host.
export TRUSTED_HOST="github.com" && cat >> ~/.ssh/config <<EOF
Host $TRUSTED_HOST
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null
   LogLevel ERROR
EOF
0

You can use this command but mind the security issue of auto-accepting SSH host keys:

timeout 1s ssh -o StrictHostKeyChecking=accept-new [user@]remote-host :

The option -o StrictHostKeyChecking=accept-new auto-accepts the SSH key of an unknown remote host. This is not secure. On the bright side, if the host is already known, the option has no effect.

The : (colon) command is executed on the remote host; it does nothing.

The timeout 1s prefix limits the execution time to 1 second. So, if the ssh command asks for a password, it will be terminated after a timeout. If this behavior is not desired, the prefix is to be omitted:

ssh -o StrictHostKeyChecking=accept-new [user@]remote-host :

SebMa
-1

In dropbear ssh you can use -y option: i.e. try

ssh -y root@10.x.x.x

-y Always accept remote host key if unknown

Dagelf