ssh: automatically accept keys

Use the StrictHostKeyChecking option, for example:

ssh -oStrictHostKeyChecking=no $h uptime

This option can also be added to ~/.ssh/config, e.g.:

Host somehost
    Hostname 10.0.0.1
    StrictHostKeyChecking no

Note that when the host keys have changed, you'll get a warning, even with this option:

$ ssh -oStrictHostKeyChecking=no somehost uptime
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
31:6f:2a:d5:76:c3:1e:74:f7:73:2f:96:16:12:e0:d8.
Please contact your system administrator.
Add correct host key in /home/peter/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/peter/.ssh/known_hosts:24
  remove with: ssh-keygen -f "/home/peter/.ssh/known_hosts" -R 10.0.0.1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
ash: uptime: not found

If your hosts are not often reinstalled, you could make this less secure (but more convenient for often-changing host keys) with the -oUserKnownHostsFile=/dev/null option. This discards all received host keys so it'll never generate the warning.

With Ubuntu 18.04, there's a new possibility :

StrictHostKeyChecking=accept-new since OpenSSH>=7.6.

From man ssh_config :

If this flag is set to “accept-new” then ssh will automatically
add new host keys to the user known hosts files, but will not
permit connections to hosts with changed host keys.  If this flag
is set to “no” or “off”, ssh will automatically add new host keys
to the user known hosts files and allow connections to hosts with
changed hostkeys to proceed, subject to some restrictions.

You can use the following command to add the fingerprint for a server to your known_hosts

ssh-keyscan -H <ip-address> >> ~/.ssh/known_hosts
ssh-keyscan -H <hostname> >> ~/.ssh/known_hosts

NOTE: Replace < ip-address > and < hostname > with the IP and dns name of the server you want to add.

The only issue with this is that you will end up with some servers in your known_hosts twice. It's not really a big deal, just mentioning. To ensure there are no duplicates, you could remove all the servers first by running the following first:

ssh-keygen -R <ip-address>
ssh-keygen -R <hostname>

So you could run:

for h in $SERVER_LIST; do
    ip=$(dig +search +short $h)
    ssh-keygen -R $h
    ssh-keygen -R $ip
    ssh-keyscan -H $ip >> ~/.ssh/known_hosts
    ssh-keyscan -H $h >> ~/.ssh/known_hosts
done

One thing to keep in mind when removing just to re-add, you are essentially removing the security of verifying the fingerprint. So you would definitely not want to run this script before each execution of your utility script.

I'm a bit late with this response, but the sensible way would be to do a ssh-keyscan on the new machine before you run the uptime gathering.

ssh-keyscan  <newhost> >> ~/.ssh/known_hosts

Disabling the sanity check for convenience sake sounds like a bad plan, even if you think you're totally in control of the environment.

Add this entry into ~/.ssh/config file

Host *
    StrictHostKeyChecking no

If it complains about access permission for ~/.ssh/config, then try

$ chmod 644 ~/.ssh/config

In order to add a list of servers automatically we can do below:

Add servers IP in file servers-list

The IPs should be added in below format.

Output of cat servers-list

123.1.2.3
124.1.2.4
123.1.2.5

Change above IPs by replacing yours.

Below command will add all servers from the list.

ssh-keyscan -H "`cat servers-list`" >> ~/.ssh/known_hosts

I tried the approaches suggested in this thread. Best fit to my needs is summarized below: ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=10 -i <filepath to .pem RSA key> <user>@<ip>

Though it's too late to answer this, wanted to share my contribution.

I just made a quick bash script to ease my life.

Basically, whenever you ssh into a machine, it removes the old host key and adds the new key. Add that as an alias to ssh, then you no longer need to worry about ssh keys not matching. The script will rotate them on every login.

#!/bin/bash
{
    ip=$(cut -d  "@" -f2 <<< $1) && ssh-keygen -R $ip 2> /dev/null && ssh -o StrictHostKeyChecking=accept-new $1 2> /dev/null
} || { 
    ssh $1 
}

# For Windows users (to add permanent alias to cmd):
# Create a file called Alias.bat (preferrably in C:\Bin) 
# Enter this inside Alias.bat: doskey ssh=bash rotate_ssh_key.sh $1
# Add the totate_ssh_keys.sh (This gist) in the same location as Alias.bat
# Goto Registry editor
# Goto HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor
# Add a String valid called Autorun and set the value to the absolute path of Alias.bat
# Done.
# Windows Alias taken from this post: https://superuser.com/a/238858


# For Linux/ Mac Users:
# add this to your .bashrc or .zshrc file:
# alias ssh="bash /path/to/rotate_ssh_keys.sh"
# Done

Example Usage
bash script.sh [email protected]

Code Explanation
The code takes the hostname@ip as argument and splits it into hostname and ip using the cut command with @ as delimiter.

Then it removes the ip address from the known_hosts file using the ssh-keygen command.

Then it runs the ssh command with one additional option -o StrictHostKeyChecking=accept-new. This allows it to automatically accept the new key.

I have also added a try-catch sequence to it, so that in case of errors, it falls back to the default behaviour of ssh command.