5

I administer a lot of hosts, and every time I ssh into a new batch for the first time, it is tedious to tell my secure shell client yes for each and every host that I accept the host key fingerprint for adding into ~/.ssh/known_hosts. If we accept as a given that I am confident that there are in fact no compromised host keys, is there any way to automate this? I do not want to disable key checking for subsequent connections.

For the sake of discussion, let's say that I have a list of all hosts in a text file, hostlist.txt.

DopeGhoti
  • 73,792
  • 8
  • 97
  • 133
  • Also https://unix.stackexchange.com/a/110561/117549 – Jeff Schaller Jan 29 '19 at 23:15
  • I had a backup saving a TAR file to a backup server and I couldn't tell why the command was failing. Turns out the SCP call was waiting for me to acknowledge the fingerprint. Eventually it timed out. This was a cron job, so I didn't see any output. – user208145 Jan 30 '19 at 00:55
  • 1
    If the hosts are Internet hosts... and your DNS provider allows for [sshfp](https://unix.stackexchange.com/questions/121880/how-do-i-generate-sshfp-records) records... you could simply put the host key fingerprints in DNS and then you don't need to worry about the host key checking, nor do you need to create an insecure TOFU situation.... – RubberStamp Jan 30 '19 at 01:01
  • 1
    Sorry.. "TOFU"? – DopeGhoti Jan 30 '19 at 15:48
  • Trust On First Use? – xenoid Jan 30 '19 at 16:04

2 Answers2

4

You can use the below option to not have to enter yes for each host with newer versions of ssh:

ssh -o 'StrictHostKeyChecking accept-new' host
DopeGhoti
  • 73,792
  • 8
  • 97
  • 133
Praveen Kumar BS
  • 5,139
  • 2
  • 9
  • 14
  • 3
    With new SSH, ``accept-new`` is better than `no` (TOFU, but you are still notified if the server *changes*) – Olorin Jan 30 '19 at 01:21
3

ssh-keyscan will check, but not verify, a remote host key fingerprint. Iterate through the host list and append to ~/.ssh/known_hosts:

while read host; do
    if entry=$(ssh-keyscan $host 2> /dev/null); then
        echo "$entry" >> ~/.ssh/known_hosts
    fi
done < hostlist.txt
DopeGhoti
  • 73,792
  • 8
  • 97
  • 133
  • 1
    You can just do `if entry=$(...); then`. – Olorin Jan 30 '19 at 01:20
  • 2
    keyscan default is `-t rsa` but nowadays EC keys are common, and iteration is not needed, just `ssh-keyscan -t rsa,ecdsa,ed25519 $(cat hostlist.txt) >>~/.ssh/known_hosts` (maybe also `,dsa` depending on your environment) or to avoid dupes `... $(grep -Fvf <(cut -f1 -d' ' ~/.ssh/known_hosts | tr ',' '\n') hostlist.txt) ...` – dave_thompson_085 Jan 30 '19 at 08:05