ssh: automatically accept keys
The Question: I've written this small utility script:
for h in $SERVER_LIST; do ssh $h "uptime"; done
When a new server is added to $SERVER_LIST, the script is stopped with:
The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be established.
RSA key fingerprint is a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
Are you sure you want to continue connecting (yes/no)?
I've tried yes:
for h in $SERVER_LIST; do yes | ssh $h "uptime"; done
with no luck.
Is there a way to parametrize ssh to automatically accept any new key?
Solutions Sample (Please watch the whole video to see all solutions, in order of how many people found them helpful):
== This solution helped 215 people ==
Use the StrictHostKeyChecking option, for example:
ssh -oStrictHostKeyChecking=no $h uptime
This option can also be added to ~/.ssh/config, e.g.:
Host somehost
    Hostname 10.0.0.1
    StrictHostKeyChecking no
Note that when the host keys have changed, you'll get a warning, even with this
option:
$ ssh -oStrictHostKeyChecking=no somehost uptime
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
31:6f:2a:d5:76:c3:1e:74:f7:73:2f:96:16:12:e0:d8.
Please contact your system administrator.
Add correct host key in /home/peter/.ssh/known_hosts to get rid of this
message.
Offending RSA key in /home/peter/.ssh/known_hosts:24
remove with: ssh-keygen -f "/home/peter/.ssh/known_hosts" -R 10.0.0.1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle
attacks.
ash: uptime: not found
If your hosts are not often reinstalled, you could make this less secure (but
more convenient for often-changing host keys) with the
-oUserKnownHostsFile=/dev/null option. This discards all received host keys so
it'll never generate the warning.
----
With 18.04, there's a new possibility: StrictHostKeyChecking=accept-new. From
man 5 ssh_config:
If this flag is set to "accept-new" then ssh will automatically
add new host keys to the user known hosts files, but will not
permit connections to hosts with changed host keys. If this flag
is set to "no" or "off", ssh will automatically add new host keys
to the user known hosts files and allow connections to hosts with
changed hostkeys to proceed, subject to some restrictions.
== This solution helped 105 people ==
You can use the following command to add the fingerprint for a server to your
known_hosts
ssh-keyscan -H <ip-address> >> ~/.ssh/known_hosts
ssh-keyscan -H <hostname> >> ~/.ssh/known_hosts
NOTE: Replace <ip-address> and <hostname> with the IP and DNS name of the
server you want to add.
The only issue with this is that you will end up with some servers in your
known_hosts twice. It's not really a big deal, just mentioning. To ensure there
are no duplicates, you could remove all the servers first by running the
following first:
ssh-keygen -R <ip-address>
ssh-keygen -R <hostname>
So you could run:
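for h in $SERVER_LIST; do
    # Resolve the host name to its IP address
    ip=$(dig +search +short "$h")
    # Remove any existing entries for the name and the IP
    ssh-keygen -R "$h"
    ssh-keygen -R "$ip"
    # Re-add the keys the hosts currently present, hashed (-H)
    ssh-keyscan -H "$ip" >> ~/.ssh/known_hosts
    ssh-keyscan -H "$h" >> ~/.ssh/known_hosts
done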
One thing to keep in mind: when removing just to re-add, you are essentially
removing the security of verifying the fingerprint. So you would definitely not
want to run this script before each execution of your utility script.
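An added example, not part of the original answers: a trust-on-first-use merge for ssh-keyscan output that follows the accept-new behaviour quoted in the first answer, appending keys only for hosts never seen before and never overwriting a pinned key, which avoids the remove-and-re-add problem the second answer warns about. It assumes unhashed known_hosts lines (ssh-keyscan without -H); the function names and sample keys are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes unhashed lines
# "host[,alias] keytype base64key", i.e. ssh-keyscan output without -H.

# classify_scan KNOWN SCAN: print "<status> <host> <keytype>" per scanned key.
#   new = host never seen, ok = key matches the pinned one,
#   changed = key differs from the pinned one, unpinned = known host, other key type
classify_scan() {
    awk '
        /^[#@|]/ || NF < 3 { next }   # skip comments, markers, hashed entries
        FILENAME == ARGV[1] {         # first file: load the pinned keys
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) { seen[names[i]] = 1; pinned[names[i] " " $2] = $3 }
            next
        }
        {
            k = $1 " " $2
            if (!($1 in seen))        s = "new"
            else if (!(k in pinned))  s = "unpinned"
            else if (pinned[k] == $3) s = "ok"
            else                      s = "changed"
            print s, $1, $2
        }
    ' "$1" "$2"
}

# merge_new KNOWN SCAN: append keys of never-seen hosts only.
# Returns non-zero if any pinned key changed, so the caller can stop and investigate.
merge_new() {
    report=$(classify_scan "$1" "$2")
    printf '%s\n' "$report" |
        awk 'NR == FNR { if ($1 == "new") add[$2] = 1; next }
             NF >= 3 && ($1 in add)' - "$2" >> "$1"
    ! printf '%s\n' "$report" | grep -q '^changed '
}

# Constructed sample data (keys are placeholders, not real host keys).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'web1,10.0.0.1 ssh-ed25519 AAAAkeyA' 'db1 ssh-ed25519 AAAAkeyB' > "$d/known"
    printf '%s\n' 'web1 ssh-ed25519 AAAAkeyA' 'db1 ssh-ed25519 AAAAkeyX' \
                  'new1 ssh-ed25519 AAAAkeyC' > "$d/scan"
    classify_scan "$d/known" "$d/scan"
    merge_new "$d/known" "$d/scan" || echo "changed host key detected"
    rm -rf "$d"
}
demo
```

A "changed" result leaves the pinned entry untouched; compare the new fingerprint against one obtained out of band before replacing it with ssh-keygen -R.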
Content (except music & images) licensed under cc by-sa 3.0 | With thanks to user tink (https://askubuntu.com/users/288200), user muru (https://askubuntu.com/users/158442), user mhost (https://askubuntu.com/users/33742), user Lekensteyn (https://askubuntu.com/users/6969), user Fabby (https://askubuntu.com/users/344926), user Adam Matan (https://askubuntu.com/users/622), and the Stack Exchange Network (http://stackoverflow.com/questions/123072).