I am scripting a remote rsync setup, and need to add a remote server to the local known_hosts file to avoid getting prompted wit the below when the script is first ran:
The authenticity of host '[hostname] ([IP address])' can't be established. RSA key fingerprint is [key fingerprint]. Are you sure you want to continue connecting (yes/no)?
As per Can I automatically add a new host to known_hosts? I have tried (with a fresh known_hosts file):
ssh-keyscan -H [hostname],[ip_address] >> ~/.ssh/known_hosts
ssh-keyscan -H [ip_address] >> ~/.ssh/known_hosts
ssh-keyscan -H [hostname] >> ~/.ssh/known_hosts
But this does not work, I am always prompted to accept the finger-print.
When I do let ssh add this for me, the key hash is very different in the know_hosts file.
What else should I do to troubleshoot this issue?
Try this:
Take the output and paste it in .ssh/known_hosts. Now if you want to hash known_hosts do this:
edit: Heres the one command solution. It uses hostname and IP addresses and hashes both.
The answer by kschurig will work but it is not necessarily the most secure. It does get bonus points for going the extra mile to let you identify the server by more than one URI-- i.e. hostname and IP address. That is to say you could keep adding valid URIs of that host by extending the comma delimited list.
However, I was searching for a mundane way to bypass the unkown host manual interaction of cloning a git repo as shown below and it should help in explaining what is happening and how you can avoid this one part of scripting some SSH related thing:
Note the RSA key fingerprint...
So, this is a SSH thing, this will work for git over SSH and just SSH related things in general...
First, install nmap on your daily driver. nmap is highly helpful for certain things, like detecting open ports and this-- manually verifying SSH fingerprints. But, back to what we are doing.
Good. I'm either compromised at the multiple places and machines I've checked it-- or the more plausible explanation of everything being hunky dory is what is happening.
That 'fingerprint' is just a string shortened with a one way algorithm for our human convenience at the risk of more than one string resolving into the same fingerprint. It happens, they are called collisions.
Regardless, back to the original string which we can see in context below.
So, ahead of time, we have a way of asking for a form of identification from the original host.
At this point we manually are as vulnerable as automatically-- the strings match, we have the base data that creates the fingerprint, and we could ask for that base data (preventing collisions) in the future.
Now to use that string in a way that prevents asking about a hosts authenticity...
The known_hosts file in this case does not use plaintext entries. You'll know hashed entries when you see them, they look like hashes with random characters instead of xyz.com or 123.45.67.89.
The first comment line infuriatingly shows up-- but you can get rid of it with a simple redirect via the ">" or ">>" convention.
As I've done my best to obtain untainted data to be used to identify a "host" and trust, I will add this identification to my known_hosts file in my ~/.ssh directory. Since it will now be identified as a known host, I will not get the prompt mentioned above when you were a youngster.
Thanks for sticking with me, here you go. I'm adding the bitbucket RSA key so that I can interact with my git repositories there in a non-interactive way as part of a CI workflow, but whatever you do what you want.
So, that's how you stay a virgin for today. You can do the same with github by following similar directions on your own time.
I saw so many stack overflow posts telling you to programmatically add the key blindly without any kind of checking. The more you check the key from different machines on different networks, the more trust you can have that the host is the one it says it is-- and that is the best you can hope from this layer of security.
WRONG
ssh -oStrictHostKeyChecking=no hostname [command]WRONG
ssh-keyscan -t rsa -H hostname >> ~/.ssh/known_hostsDon't do either of the above things, please. You're given the opportunity to increase your chances of avoiding someone eavesdropping on your data transfers via a man in the middle attack-- take that opportunity. The difference is literally verifying that the RSA key you have is the one of the bona fide server and now you know how to get that information to compare them so you can trust the connection. Just remember more comparisons from different computers & networks will usually increase your ability to trust the connection.