How can I automate adding entries to .ssh/known_hosts?

Question

I administer a lot of hosts, and every time I ssh into a new batch for the first time, it is tedious to tell my secure shell client yes for each and every host that I accept the host key fingerprint for adding into ~/.ssh/known_hosts. If we accept as a given that I am confident that there are in fact no compromised host keys, is there any way to automate this? I do not want to disable key checking for subsequent connections.

For the sake of discussion, let's say that I have a list of all hosts in a text file, hostlist.txt.

I had a backup saving a TAR file to a backup server and I couldn't tell why the command was failing. Turns out the SCP call was waiting for me to acknowledge the fingerprint. Eventually it timed out. This was a cron job, so I didn't see any output. — user208145, Jan 30 '19 at 00:55
If the hosts are Internet hosts... and your DNS provider allows for sshfp records... you could simply put the host key fingerprints in DNS and then you don't need to worry about the host key checking, nor do you need to create an insecure TOFU situation.... — RubberStamp, Jan 30 '19 at 01:01

score 4 · Answer 1 · edited Jan 31 '19 at 15:34

4

You can use the below option to not have to enter yes for each host with newer versions of ssh:

ssh -o 'StrictHostKeyChecking accept-new' host

edited Jan 31 '19 at 15:34

DopeGhoti

76,081

answered Jan 30 '19 at 00:32

Praveen Kumar BS

5,211

3

With new SSH, accept-new is better than no (TOFU, but you are still notified if the server changes) – Olorin Jan 30 '19 at 01:21
To be specific, accept-new is available beginning in 7.6 released 2017-10. – dave_thompson_085 Mar 13 '24 at 01:02

DopeGhoti · Accepted Answer · 2019-01-30T15:47:15.570

3

ssh-keyscan will check, but not verify, a remote host key fingerprint. Iterate through the host list and append to ~/.ssh/known_hosts:

while read host; do
    if entry=$(ssh-keyscan $host 2> /dev/null); then
        echo "$entry" >> ~/.ssh/known_hosts
    fi
done < hostlist.txt

edited Jan 30 '19 at 15:47

answered Jan 29 '19 at 22:25

DopeGhoti

76,081

1

You can just do if entry=$(...); then. – Olorin Jan 30 '19 at 01:20
2

keyscan default is -t rsa but nowadays EC keys are common, and iteration is not needed, just ssh-keyscan -t rsa,ecdsa,ed25519 $(cat hostlist.txt) >>~/.ssh/known_hosts (maybe also ,dsa depending on your environment) or to avoid dupes ... $(grep -Fvf <(cut -f1 -d' ' ~/.ssh/known_hosts | tr ',' '\n') hostlist.txt) ... – dave_thompson_085 Jan 30 '19 at 08:05
1

On rechecking, I was out-of-date. ssh-keyscan default added ecdsa in 6.1 (2012) and ed25519 in 6.7 (2014). But not dsa/dss; if you need that, which from 7.0 (2015) you probably don't, you do need to specify it. – dave_thompson_085 Mar 13 '24 at 01:08

How can I automate adding entries to .ssh/known_hosts?

2 Answers2