ssh: The authenticity of host 'hostname' c

Posted 2019-01-20 22:25

When I ssh to a machine, sometimes I get this error warning and it prompts me to say "yes" or "no". This causes some trouble when running from scripts that automatically ssh to other machines.

Warning Message:

The authenticity of host '<host>' can't be established.
ECDSA key fingerprint is    SHA256:TER0dEslggzS/BROmiE/s70WqcYy6bk52fs+MLTIptM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'pc' (ECDSA) to the list of known hosts.

Is there a way to automatically say "yes" or ignore this?

13 answers
做自己的国王
#2 · 2019-01-20 22:52

Run this on the host server; it's a permission issue

chmod -R 700 ~/.ssh
Evening l夕情丶
#3 · 2019-01-20 22:53

The best way to go about this is to use 'BatchMode' in addition to 'StrictHostKeyChecking'. This way, your script will accept a new hostname and write it to the known_hosts file, but won't require yes/no intervention.

ssh -o BatchMode=yes -o StrictHostKeyChecking=no user@server.example.com "uptime"
冷血范
#4 · 2019-01-20 22:55

This warning is issued due to the security features; do not disable this feature.

It's just displayed once.

If it still appears after the second connection, the problem is probably in writing to the known_hosts file. In this case you'll also get the following message:

Failed to add the host to the list of known hosts 

You may fix it by changing the owner or changing the permissions of the file so that it is writable by your user.

sudo chown -v $USER ~/.ssh/known_hosts
爱情/是我丢掉的垃圾
#5 · 2019-01-20 22:57

Edit your config file, normally located at '~/.ssh/config', and at the beginning of the file add the lines below:

Host *
    User                   your_login_user
    StrictHostKeyChecking  no
    IdentityFile          ~/my_path/id_rsa.pub

User set to your_login_user says that these settings belong to your_login_user
StrictHostKeyChecking set to no will avoid the prompt
IdentityFile is the path to the RSA key

This works for me and my scripts, good luck to you.

相关推荐>>
#6 · 2019-01-20 22:59

Depending on your ssh client, you can set the StrictHostKeyChecking option to no on the command line, and/or send the key to a null known_hosts file. You can also set these options in your config file, either for all hosts or for a given set of IP addresses or host names.

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no

EDIT

As @IanDunn notes, there are security risks to doing this. If the resource you're connecting to has been spoofed by an attacker, they could potentially replay the destination server's challenge back to you, fooling you into thinking that you're connecting to the remote resource while in fact they are connecting to that resource with your credentials. You should carefully consider whether that's an appropriate risk to take on before altering your connection mechanism to skip HostKeyChecking.

Reference.

三岁会撩人
#7 · 2019-01-20 22:59

Old question that deserves a better answer.

You can prevent the interactive prompt without disabling StrictHostKeyChecking (which is insecure).

Incorporate the following logic into your script:

# Add the host key only if known_hosts has no entry for this host yet
if [ -z "$(ssh-keygen -F "$IP")" ]; then
  ssh-keyscan -H "$IP" >> ~/.ssh/known_hosts
fi

It checks if the public key of the server is in known_hosts. If not, it requests the public key from the server and adds it to known_hosts.

In this way you are exposed to a Man-In-The-Middle attack only once, which may be mitigated by:

  • ensuring that the script connects the first time over a secure channel
  • inspecting logs or known_hosts to check fingerprints manually (to be done only once)