How to bypass the SSH host key check

Josh Sherman
2 min read
Command-line Interface

If you’ve ever connected to a new server via SSH, you were probably greeted with a message about how the authenticity of the host couldn’t be established. The message and prompt looks something like this:

The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:nKYgfKJByTtMbnEAzAhuiQotMhL+t47Zm7bOwxN9j3g.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

More than likely you typed in yes, the host was added to your ~/.ssh/known_hosts file, and you were never bothered again.

That’s my usual work flow as well, but I also connect to a TON of brand new servers to do my VPS showdown posts. Up until recently, I would have to type in yes for every server I was connecting to, and it made it quite cumbersome to fully automate some of the benchmarks so they could run 100% unattended.

Finally fed up, I set out to figure out how the heck I could get around the prompt. My first attempt, I tried to pipe in the yes command to SSH thinking that would just get around the prompt.

No dice.

Next up, I read up the man page for ssh and found that were is a configuration option that I could include, called StrictHostKeyChecking.

The thing was, I didn’t necessarily want to make skipping that check my new normal. I wanted to be able to pass in an argument to the command so that I could skip the check in my other script, so setting things up in my ~/.ssh/config wasn’t a good option.

After rooting around a bit more, I wasn’t actually able to find an argument that married up with that particular option.

A bit more research revealed that there’s actually a way to pass in any of the configuration options you’d like to ssh by way of the -o argument. You can pass it options in the same format that you’d use in your configuration file, so the syntax is quite familiar.

Knowing the option I wanted to set, and the method in which to do so, I was able to bypass the pesky host key check with ease:

ssh -o "StrictHostKeyChecking=no" [email protected]

When bypassing the strict host key check, the host will still end up in your ~/.ssh/know_hosts file. A more ideal scenario for me would be to skip adding a host to that file, since it’s throw away servers, but it’s not a big enough concern to put any additional time into it.

The -o argument also works wonders on ssh-copy-id:

ssh-copy-id -o "StrictHostKeyChecking=no" -i ~/.ssh/id_rsa user[email protected]
Join the Conversation

Good stuff? Want more?

Weekly emails about technology, development, and sometimes sauerkraut.

100% Fresh, Grade A Content, Never Spam.

Related Articles