
2 ways to Automatically Accept an SSH Host Key Fingerprint in Linux

When connecting to an SSH server, especially for the first time, users often encounter a security prompt. This prompt plays a crucial role in the SSH connection process, ensuring the security and authenticity of the server being connected to.

The authenticity of host ‘howtouselinux (10.254.175.51)’ can’t be established.
ECDSA key fingerprint is SHA256:PgyFiC7Su7BiFBO1Sn8493MMz8/PE+2fJMI/mFfBy9M.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Let’s break it down:

  • The message indicates that the SSH client cannot verify the identity of the server ‘howtouselinux’ with the IP ‘10.254.175.51’. This is common for first-time connections.
  • The ‘ECDSA key fingerprint’ is a unique identifier for the server’s public key, used for verifying the server’s identity.
  • The prompt asks the user to confirm the server’s identity. Typing ‘yes’ adds the server to the known_hosts file, ‘no’ aborts the connection, and entering the fingerprint directly can also confirm the identity.

This prompt is a key part of SSH’s security mechanism, ensuring that connections to servers are authentic and secure.

In this article, we will share two ways to automatically accept the host key when you run the ssh command.

Automatically Accept an SSH Host Key Fingerprint in Linux with ssh-keyscan command

To automatically accept an SSH host key in Linux, the ssh-keyscan command can be used to retrieve the server’s host key and add it to the known_hosts file.

This method is useful in scripting and automated deployments for establishing SSH connections without manual intervention. 

Step 1: Retrieve the Host Key

  • Run ssh-keyscan followed by the hostname or IP address of the SSH server to fetch the server’s public key.
    ssh-keyscan hostname_or_ip
  • You can specify the key type (e.g., rsa, ecdsa) with the -t option.

Step 2: Add the Key to known_hosts

  • Append the output of ssh-keyscan to your ~/.ssh/known_hosts file.
    ssh-keyscan hostname_or_ip >> ~/.ssh/known_hosts

Example

To automatically accept the RSA host key for example.com:

ssh-keyscan -t rsa example.com >> ~/.ssh/known_hosts
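ssh-keyscan does not verify the key it fetches, so appending its output directly trusts whatever answered on the network. The script below is an added example, not from the original article: it appends a scanned key to known_hosts only when its SHA256 fingerprint matches one obtained from a trusted source. The function names and the sample key blobs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Pins a scanned host key only
# if it matches a fingerprint obtained from a trusted source.
# Needs coreutils only: base64, sha256sum, od, tr, cut.

# Hex SHA-256 of a base64 key blob (third field of an ssh-keyscan line).
blob_sha256_hex() {
    printf '%s' "$1" | base64 -d | sha256sum | cut -d' ' -f1
}

# Hex form of a "SHA256:<unpadded base64>" fingerprint as ssh prints it.
# A 32-byte digest encodes to 43 characters plus one '=' that ssh strips.
fingerprint_hex() {
    printf '%s=' "${1#SHA256:}" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# pin_host_key SCAN_FILE TRUSTED_FINGERPRINT KNOWN_HOSTS (hypothetical helper)
# Appends only the scanned lines whose key matches the trusted fingerprint.
# Returns 0 if a key was pinned, 1 if nothing matched (nothing is written).
pin_host_key() {
    expected=$(fingerprint_hex "$2")
    pinned=1
    while read -r host keytype blob rest; do
        case $host in ''|'#'*) continue ;; esac   # skip blank and comment lines
        if [ "$(blob_sha256_hex "$blob")" = "$expected" ]; then
            printf '%s %s %s\n' "$host" "$keytype" "$blob" >> "$3"
            pinned=0
        else
            # ssh-keyscan can return several key types; only the pinned one passes.
            echo "rejected $host $keytype: fingerprint mismatch" >&2
        fi
    done < "$1"
    return "$pinned"
}

# Real use: ssh-keyscan hostname_or_ip > scan.txt
#           pin_host_key scan.txt 'SHA256:...' ~/.ssh/known_hosts
# Constructed demo: the blobs below are stand-ins, not real keys.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'example.com ssh-ed25519 YWJj\nexample.com ssh-rsa eHl6\n' > "$tmp/scan"
    pin_host_key "$tmp/scan" 'SHA256:ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0' "$tmp/known_hosts"
    status=$?
    cat "$tmp/known_hosts"
    rm -rf "$tmp"
    return "$status"
}
demo
```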

 

Automatically Accept SSH Host Key Fingerprint Using SSH Command Option

An alternative method to automatically accept an SSH host key involves using the StrictHostKeyChecking=no option with the SSH command.

SSH Command with Option

Use the -o option in the SSH command to override default settings:

ssh -o StrictHostKeyChecking=no username@hostname

Example

To SSH into example.com without host key verification:

ssh -o StrictHostKeyChecking=no user@example.com

Important Considerations

  • Security Risks: Bypassing verification exposes you to potential security threats like man-in-the-middle attacks.
  • Limited Use Cases: Not recommended for repeated connections to the same host due to security concerns.
  • Use in Trusted Environments: Should be used only in secure, controlled network environments.

 

It’s important to verify the fingerprint, especially for first-time connections, to prevent man-in-the-middle attacks. Users should check the server’s fingerprint against a trusted source or contact their system administrator. Unexpected changes in a known host’s key should be treated with caution, as they could indicate a security breach.

While convenient, these methods should be used with a full understanding of their security implications and only in appropriate scenarios.

 

 
