When you try to connect to a system, SSH prompts you to accept the machine's fingerprint before completing the connection. The purpose of this fingerprint is to help you verify the identity of the remote system, which protects you from a man-in-the-middle attack. However, there are times when it is necessary to accept the SSH fingerprint automatically.
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.
-Wikipedia
On your first attempt to connect to a remote host via SSH, it will ask you to verify and accept its SSH fingerprint.
[mcherisi@putor ~]$ ssh fenrir
The authenticity of host 'fenrir (10.0.0.5)' can't be established.
ECDSA key fingerprint is SHA256:a+UN/JGocFUhIt6/Jeytt6ftp7fr4vCVyX7WqsA6BhjU.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Once you connect to a remote system, its host key is saved to the known_hosts file. Every subsequent time you connect to that machine, SSH checks the key the server presents against the known_hosts file to verify its identity.
When using SSH in an automated fashion, such as in shell scripts, this prompt can be a showstopper. However, there are several methods for automatically accepting the SSH fingerprint.
NOTE: Automatically accepting the SSH fingerprint effectively bypasses the security put in place by SSH. You should be careful using this, especially on untrusted networks, including the public internet.
Automatically Accepting the SSH Fingerprint with Command Line Options
The first method is fairly simple and only requires adding an option to SSH on the command line. To automatically accept the SSH server's fingerprint and add it to the known_hosts file, we pass the StrictHostKeyChecking no option to SSH with -o.
[mcherisi@putor ~]$ ssh -o "StrictHostKeyChecking no" fenrir
Warning: Permanently added 'fenrir,10.0.0.5' (ECDSA) to the list of known hosts.
ok
[mcherisi@Fenrir ~]$
As you can see, SSH printed a warning telling you that it added the host to the known_hosts file. Note that with StrictHostKeyChecking no, SSH will also connect when a host's key has changed since it was recorded, which is exactly the case a man-in-the-middle attack produces. OpenSSH 7.6 and later also accept StrictHostKeyChecking accept-new, which adds unknown hosts automatically but still refuses to connect when a known host's key has changed.
Adding the SSH Fingerprint to Known Hosts Using ssh-keyscan
The second method uses the ssh-keyscan tool to add the host key to your known_hosts file before you try to connect. Here we call the ssh-keyscan command with the -H option, which hashes the host names in its output, followed by the host name or address we want to scan. We then append the output to the known_hosts file.
[mcherisi@putor ~]$ ssh-keyscan -H 10.0.0.5 >> ~/.ssh/known_hosts
# fenrir:22 SSH-2.0-OpenSSH_7.4
# fenrir:22 SSH-2.0-OpenSSH_7.4
# fenrir:22 SSH-2.0-OpenSSH_7.4
# fenrir:22 SSH-2.0-OpenSSH_7.4
# fenrir:22 SSH-2.0-OpenSSH_7.4
Now that the host key has been added to the known_hosts file, we can connect via SSH without being prompted to accept it.
[mcherisi@putor ~]$ ssh 10.0.0.5
ok
[mcherisi@Fenrir ~]$
Conclusion
You should be aware that whichever method you use, you are effectively bypassing the host verification that SSH is designed to provide. Using this on an internal network mitigates the risk somewhat. However, as we said earlier, you should be careful using this on the public internet or other untrusted networks.