How to bypass the SSH host key check

If you've ever connected to a new server via SSH, you were probably greeted with a message about how the authenticity of the host couldn't be established. The message and prompt look something like this:

The authenticity of host '1.2.3.4 (1.2.3.4)' can't be established.
ECDSA key fingerprint is SHA256:nKYgfKJByTtMbnEAzAhuiQotMhL+t47Zm7bOwxN9j3g.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

More than likely you typed in yes, the host was added to your ~/.ssh/known_hosts file, and you were never bothered again.

That's my usual workflow as well, but I also connect to a TON of brand new servers to do my VPS showdown posts. Up until recently, I would have to type in yes for every server I was connecting to, which made it quite cumbersome to fully automate some of the benchmarks so they could run 100% unattended.

Finally fed up, I set out to figure out how the heck I could get around the prompt. For my first attempt, I tried to pipe the yes command into SSH, thinking that would just get around the prompt.

No dice.

Next up, I read the man page for ssh and found that there is a configuration option that I could use, called StrictHostKeyChecking.

The thing was, I didn't necessarily want to make skipping that check my new normal. I wanted to be able to pass in an argument to the command so that I could skip the check in my other script, so setting things up in my ~/.ssh/config wasn't a good option.

After rooting around a bit more, I wasn't actually able to find an argument that married up with that particular option.

A bit more research revealed that there's actually a way to pass in any of the configuration options you'd like to ssh by way of the -o argument. You can pass it options in the same format that you'd use in your configuration file, so the syntax is quite familiar.

Knowing the option I wanted to set, and the method in which to do so, I was able to bypass the pesky host key check with ease:

ssh -o "StrictHostKeyChecking=no" [email protected]

When bypassing the strict host key check, ssh accepts whatever key a new host presents, and the host will still end up in your ~/.ssh/known_hosts file. A more ideal scenario for me would be to skip adding a host to that file, since these are throwaway servers, but it's not a big enough concern to put any additional time into it.

The -o argument also works wonders on ssh-copy-id:

ssh-copy-id -o "StrictHostKeyChecking=no" -i ~/.ssh/id_rsa [email protected]
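
For unattended runs where the server's fingerprint is known in advance, the check can stay enabled while still avoiding both the prompt and the ~/.ssh/known_hosts entry mentioned above. This is an added example, not code from the original post; the function names are hypothetical, and it assumes the expected fingerprint was obtained out-of-band (for instance from the provider's console) and that the server listens on the default port.

```sh
# Added example, not code from the original post. Function names are
# hypothetical. Assumption: EXPECTED_FP was obtained out-of-band (provider
# console, provisioning output), not from the connection being verified.

# matching_host_key EXPECTED_FP KEY_LINES
# KEY_LINES is ssh-keyscan output: "<host> <keytype> <base64-key>" per line.
# Prints the first line whose SHA256 fingerprint equals EXPECTED_FP.
matching_host_key() {
    local expected="$1" line fp
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and banner comments
        fp=$(printf '%s\n' "$line" | ssh-keygen -l -E sha256 -f - 2>/dev/null | awk '{print $2}')
        if [ -n "$fp" ] && [ "$fp" = "$expected" ]; then
            printf '%s\n' "$line"
            return 0
        fi
    done <<EOF
$2
EOF
    return 1
}

# ssh_verified EXPECTED_FP USER@HOST [command...]
# Connects only if the server presents a key with the expected fingerprint.
# The key is pinned in a temporary known_hosts file, so ~/.ssh/known_hosts
# is never touched and the host key check itself stays enabled.
ssh_verified() {
    local expected="$1" target="$2" host kh key rc
    shift 2
    host=${target#*@}
    kh=$(mktemp) || return 2
    if key=$(matching_host_key "$expected" "$(ssh-keyscan -T 5 "$host" 2>/dev/null)"); then
        printf '%s\n' "$key" >"$kh"
        ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$kh" "$target" "$@"
        rc=$?
    else
        echo "no host key on $host matches $expected; not connecting" >&2
        rc=1
    fi
    rm -f "$kh"
    return "$rc"
}
```

The fingerprint argument has the same form as the one shown in the prompt, for example SHA256:nKYgfKJByTtMbnEAzAhuiQotMhL+t47Zm7bOwxN9j3g.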