🔐 How to automatically accept SSH key fingerprint?

SSH (Secure Shell) is a network protocol that provides encrypted communication between two hosts.

It allows you to securely connect to a remote computer over an unsecured network.

When you connect to a system for the first time, SSH prompts you to accept the host's key fingerprint before it will establish the connection, because there is no entry for that host in your known_hosts file yet.

A fingerprint is a short hash of the host's public key, which is far easier to compare by eye than the key itself.

To protect against a man-in-the-middle (MITM) attack, ssh compares the key the remote system presents with the one it recorded in known_hosts on the first connection.

If the key has changed, ssh prints a loud warning and refuses to connect until you resolve the mismatch (the warning is shown further below).

If it matches, you are allowed to log in directly.

But sometimes you need to accept the fingerprint without a prompt, for example in a bash script that runs against many machines.

Please note that the methods below bypass the host authentication that protects SSH against MITM attacks. They are less risky on an internal network you control, but should not be used across the public Internet or any other untrusted network; wherever possible, verify the fingerprint out of band before trusting it.

This can be done in the following two ways.

  • Automatically accept the ssh fingerprint with the StrictHostKeyChecking=no option of the ssh command
  • Automatically accept the ssh fingerprint with the ssh-keyscan command

When you connect to a remote computer for the first time, ssh warns that the authenticity of the host can't be established and shows you the key fingerprint to verify.

$ ssh root@192.168.1.4
The authenticity of host '192.168.1.4 (192.168.1.4)' can't be established.
ECDSA key fingerprint is 6a:75:e3:ac:5d:f8:cc:04:01:7b:ef:4d:42:ad:b9:83.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.4' (ECDSA) to the list of known hosts.
root@192.168.1.4's password:
Last login: Mon Dec 14 14:16:51 2020 from 192.168.1.6

Once you accept the fingerprint, the host's key is saved in the known_hosts file. On every later connection to the same host, ssh compares the key the server presents with that entry. If they match, you are let straight in, and this stays so for as long as the host key is unchanged.

You will see the following warning if the presented key does not match the known_hosts entry. This happens whenever the host's public key changes: often for a benign reason, such as an OS reinstall or regenerated host keys, but it is also exactly what a man-in-the-middle attack looks like. Before going any further, confirm through an independent channel (the server console, its administrator, your provisioning records) that the new fingerprint is genuine; do not just delete the offending line and reconnect. Note that the "Password authentication is disabled" lines at the end of this output only appear when StrictHostKeyChecking is set to no, in which case ssh continues with public-key authentication only; with the default setting it stops at "Host key verification failed."

$ ssh root@192.168.1.4
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
6a:75:e3:ac:5d:f8:cc:04:01:7b:ef:4d:42:ad:b9:83.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
********************************************************
Permission denied (publickey,password,keyboard-interactive).
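The check behind that warning is a lookup in known_hosts followed by a plain comparison of the key the server presented. The following shell script is an added example, not part of the original article: it reproduces that decision over a constructed known_hosts file (the key blobs are placeholders, not real keys) and maps the verdict to what each StrictHostKeyChecking setting does with it. Hashed hostnames (lines starting with |1|) and the @cert-authority/@revoked markers are not handled here; real ssh handles both.

```sh
#!/bin/sh
# Added example (not from the original article): the known_hosts comparison ssh
# performs, and how each StrictHostKeyChecking value reacts to its result.
# The known_hosts contents below are constructed; the blobs are placeholders.

KNOWN_HOSTS_DEMO='# constructed ~/.ssh/known_hosts for the demo
192.168.1.4 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDEMOKEYAAAA
centos7,192.168.1.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYBBBB
[192.168.1.6]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEMOKEYCCCC'

# check_host_key HOST OFFERED_LINE
#   HOST          the name you connect to: 192.168.1.4, centos7, or [host]:port
#                 for a non-default port (the form ssh and ssh-keyscan -p use)
#   OFFERED_LINE  the key the server sent, in ssh-keyscan form: "host keytype blob"
# Prints the same verdict ssh reaches: new, match or CHANGED.
check_host_key() {
    host=$1
    keytype=$(printf '%s\n' "$2" | awk '{print $2}')
    blob=$(printf '%s\n' "$2" | awk '{print $3}')
    # known_hosts lines are "hostlist keytype blob [comment]" with a comma-separated
    # hostlist; only a recorded key of the same type is compared against the offer
    known=$(printf '%s\n' "$KNOWN_HOSTS_DEMO" | awk -v h="$host" -v t="$keytype" '
        /^#/ || NF < 3 { next }
        $2 != t        { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == h) { print $3; exit } }')
    if [ -z "$known" ]; then
        echo new            # no key of this type recorded for this host
    elif [ "$known" = "$blob" ]; then
        echo match
    else
        echo CHANGED        # same host, same key type, different key
    fi
}

# policy_outcome POLICY VERDICT -> what ssh does (OpenSSH semantics)
#   POLICY: ask (the default), yes, accept-new (OpenSSH 7.6+), no (alias: off)
policy_outcome() {
    case "$1:$2" in
        *:match)               echo connect ;;
        ask:new)               echo prompt ;;
        yes:new)               echo refuse ;;
        accept-new:new|no:new) echo add-and-connect ;;
        no:CHANGED)            echo connect-with-warning ;;  # password/keyboard-interactive auth and forwarding disabled
        *:CHANGED)             echo refuse ;;
        *)                     echo "unknown policy '$1'" >&2; return 1 ;;
    esac
}

# Stand-alone demo: the ECDSA key offered for 192.168.1.4 differs from the stored one.
verdict=$(check_host_key 192.168.1.4 \
    '192.168.1.4 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBSWAPPEDKEY')
echo "verdict: $verdict"
for policy in ask yes accept-new no; do
    echo "StrictHostKeyChecking=$policy -> $(policy_outcome "$policy" "$verdict")"
done
```

Two details of the comparison are worth noticing: a key of a type that known_hosts does not yet hold for the host counts as new rather than changed, and an entry recorded for [host]:2222 does not vouch for the same host on port 22. Only the no policy turns a CHANGED verdict into a connection.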

1) How to automatically accept SSH key fingerprint using SSH option?

This method is simple: you add one option to the ssh command.

With this option, ssh silently adds the new host key to the user's known_hosts file and proceeds with the connection to the remote system.

$ ssh -o "StrictHostKeyChecking no" 192.168.1.5
Warning: Permanently added 'centos7,192.168.1.5' (ECDSA) to the list of known hosts.
ok

The warning confirms that ssh added the key to known_hosts without any verification: whoever answered on 192.168.1.5 is now trusted on every later connection. Note also that with StrictHostKeyChecking=no a changed key does not stop the connection either: ssh prints the warning, disables password and keyboard-interactive authentication and any forwarding, and carries on with public-key authentication. If you only want to skip the prompt for hosts you have never connected to before, while still refusing hosts whose key has changed, use -o StrictHostKeyChecking=accept-new (OpenSSH 7.6 and later) instead.

2) How to automatically accept the SSH key fingerprint using the ssh-keyscan command?

The other method is also simple.

ssh-keyscan connects to the remote host, retrieves its public host keys and prints them in known_hosts format. Appending that output to your own ~/.ssh/known_hosts records the key, so the later ssh command finds it and does not prompt. The -H option stores the hostname hashed rather than in clear text.

Bear in mind that ssh-keyscan trusts whatever answers on the network at the time of the scan, exactly as StrictHostKeyChecking=no does. Where you can, compare the fingerprint of the scanned key (ssh-keyscan host | ssh-keygen -lf -) with one obtained out of band before appending it.

Run the command in your script before the actual ssh commands.

Use the following format to add the key of a single host:

$ ssh-keyscan -H 192.168.1.4 >> ~/.ssh/known_hosts
#centos:22 SSH-2.0-OpenSSH_7.4

To add the keys of several hosts at once, list one host per line in a file and pass that file to ssh-keyscan with -f. For example, the following five hosts were added to remote-hosts.txt with a text editor.

# vi /tmp/remote-hosts.txt

192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
192.168.1.6

The ssh-keyscan command then looks like this.

$ ssh-keyscan -f /tmp/remote-hosts.txt >> ~/.ssh/known_hosts
#centos:22 SSH-2.0-OpenSSH_7.4
#centos:22 SSH-2.0-OpenSSH_7.4
#centos:22 SSH-2.0-OpenSSH_7.4
#centos:22 SSH-2.0-OpenSSH_7.4
#centos:22 SSH-2.0-OpenSSH_7.4
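Appending ssh-keyscan output blindly has the same weakness as StrictHostKeyChecking=no: the first answer on the wire is trusted forever. The following shell script is an added example, not part of the original article, of the check a script should make instead: compute the fingerprint of each scanned key and append the line to known_hosts only if it equals a fingerprint obtained out of band (server console, provisioning record). Everything in it is constructed for the demo: the key blob is made-up base64 in ed25519 shape, not a real host key, and DEMO_SCAN stands in for the output of ssh-keyscan -t ed25519 192.168.1.4. The fingerprint functions reproduce what ssh-keygen -lf (SHA256) and ssh-keygen -lf -E md5 (the colon form seen in the article's output) print, using only coreutils.

```sh
#!/bin/sh
# Added example (not from the original article): accept a scanned host key only
# when its fingerprint matches a value obtained out of band. ssh-keyscan alone
# trusts whatever answered on the network at scan time. All inputs below are
# constructed: the blob is made-up base64 in ed25519 shape, not a real key.

# fingerprint_md5 BLOB -> "6a:75:e3:..." (same value ssh-keygen -l -E md5 prints)
fingerprint_md5() {
    printf '%s' "$1" | base64 -d | md5sum | awk '{print $1}' | sed 's/../&:/g; s/:$//'
}

# fingerprint_sha256 BLOB -> "SHA256:<43 base64 chars>" (current OpenSSH default)
fingerprint_sha256() {
    hex=$(printf '%s' "$1" | base64 -d | sha256sum | awk '{print $1}')
    # rebuild the raw 32-byte digest from hex with octal printf escapes (works in
    # sh and bash), base64 it and drop the '=' padding, as ssh-keygen -l does
    b64=$(for byte in $(printf '%s\n' "$hex" | sed 's/../& /g'); do
              printf "\\$(printf '%03o' "0x$byte")"
          done | base64 | tr -d '=\n')
    printf 'SHA256:%s\n' "$b64"
}

# pin_host_key HOST EXPECTED SCAN_LINE KNOWN_HOSTS
#   SCAN_LINE is one line of ssh-keyscan output ("host keytype blob").
#   EXPECTED is "SHA256:..." or the md5 colon form, from an out-of-band source.
#   Appends SCAN_LINE to KNOWN_HOSTS only on a match; returns 1 otherwise.
pin_host_key() {
    host=$1 expected=$2 line=$3 file=$4
    scanned=$(printf '%s\n' "$line" | awk '{print $1}')
    keytype=$(printf '%s\n' "$line" | awk '{print $2}')
    blob=$(printf '%s\n' "$line" | awk '{print $3}')
    if [ "$scanned" != "$host" ]; then
        echo "REFUSED: scan line is for '$scanned', not '$host'" >&2
        return 1
    fi
    case $expected in
        SHA256:*) actual=$(fingerprint_sha256 "$blob") ;;
        *)        actual=$(fingerprint_md5 "$blob") ;;
    esac
    if [ "$actual" != "$expected" ]; then
        echo "REFUSED $host: offered $keytype key is $actual, expected $expected" >&2
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
    echo "pinned $host $keytype $actual"
}

# pin_inventory INVENTORY SCAN_FILE KNOWN_HOSTS
#   INVENTORY lines are "host expected-fingerprint" (distributed out of band);
#   SCAN_FILE is what `ssh-keyscan -f remote-hosts.txt > scan.txt` wrote.
#   Uses the first scanned key per host; returns the number of refused hosts.
pin_inventory() {
    refused=0
    while read -r inv_host inv_fp; do
        case $inv_host in ''|\#*) continue ;; esac
        line=$(awk -v h="$inv_host" '$1 == h { print; exit }' "$2")
        if [ -z "$line" ]; then
            echo "REFUSED $inv_host: no scan result" >&2
            refused=$((refused + 1))
            continue
        fi
        pin_host_key "$inv_host" "$inv_fp" "$line" "$3" || refused=$((refused + 1))
    done < "$1"
    return "$refused"
}

# Stand-alone demo with constructed data.
DEMO_HOST=192.168.1.4
DEMO_SCAN="$DEMO_HOST ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOkeyDEMOkeyDEMOkeyDEMOkeyDEMOkeyDEMOkey1"
DEMO_BLOB=${DEMO_SCAN##* }
DEMO_KNOWN_HOSTS=$(mktemp)
# In real use the expected value is read from the console or the provisioning
# record; here it is derived from the demo blob so that the match path runs.
DEMO_EXPECTED=$(fingerprint_sha256 "$DEMO_BLOB")
pin_host_key "$DEMO_HOST" "$DEMO_EXPECTED" "$DEMO_SCAN" "$DEMO_KNOWN_HOSTS"
# A key swapped on the wire fails the comparison and nothing is written.
pin_host_key "$DEMO_HOST" "SHA256:0000000000000000000000000000000000000000000" \
    "$DEMO_SCAN" "$DEMO_KNOWN_HOSTS" || echo "(refused, as intended)"
cat "$DEMO_KNOWN_HOSTS"
rm -f "$DEMO_KNOWN_HOSTS"
```

For the multi-host case in the article, run ssh-keyscan -f remote-hosts.txt into a file, keep a second file of host/fingerprint pairs that did not come over the same network path, and let pin_inventory write known_hosts; its exit status tells the calling script how many hosts were refused. Once the keys are pinned this way, the ssh commands that follow need neither StrictHostKeyChecking=no nor a prompt.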