Disable ssh host key

When connecting for the first time, the new host key is not yet in the local ~/.ssh/known_hosts file. To get rid of the message You must somehow get the host key in that file before connecting. The "Tips" section at http://www.securityfocus.com/infocus/1806 might have something useful. HTH.

our scripts want to avoid this message.

Ideally, you should gather the host keys of all your SSH servers and store them to /etc/ssh/ssh_known_hosts on all hosts used as SSH clients. This way you will be both protected from man-in-the-middle attacks and offering maximum user convenience.

The OpenSSH suite includes a ssh-keyscan tool to create this file quickly (run "man ssh-keyscan" to see documentation).

If /etc/ssh/ssh_known_hosts does not exist or does not contain the public hostkey of the host you're connecting to, the SSH client will show you that message, then attempt to save the host key to $HOME/.ssh/known_hosts. If $HOME/.ssh is not writable by the user, this step is simply skipped and the message will be displayed again in the future.

(NOTE: $HOME/.ssh should normally be owned by the user that's using it, and have drwx------ permissions. The directory must be protected from write access of other users, or else SSH will not use any files found in it.)

If you really cannot have neither a centralised /etc/ssh/ssh_known_hosts file for all users nor a regular per-user $HOME/.ssh/known_hosts file, it is possible to set the StrictHostKeyChecking option to "no", although this is definitely not recommended because that configuration will allow an attacker to set up a proxy between you and the host you're connecting to without your noticing. Such a proxy would see all your SSH traffic unencrypted (it would decrypt everything it receives, then re-encrypt it for the real connection target).

This option can be specified in the command line as "ssh -o StrictHostKeyChecking=no", or it can be configured in $HOME/.ssh/config or /etc/ssh/ssh_config as:

StrictHostKeyChecking no

MK

It really doesn't matter - if ssh is not asking You for confirmation, it will not ask "the script" and vice versa.

Hi,

I haven't read the through the replies already given, so the answer most likely has been given already.

Anyway, the reliance on your ssh client's security measures is totally up to the user's discretion, and can mostly be (deliberately) undermined (provided the remote ssh server permits this).

E.g. here's what I often do when I have tunneled some port by local or remote port forwarding in advance.

$ ssh -o userknownhostsfile=/dev/null -o stricthostkeychecking=no -p 2222 localhost ...

If you want to supress any warning messages informing you that the host key has been added to user's known hosts file (which of course is /dev/null) simply add the -q option to the command.

If you feel this is too much typing then edit your ~/.ssh/config file and put in some stanza like this (indentations and case are irrelevant):

Host inconsiderate
HostName 1.2.3.4
User somebody
UserKnownHostsFile /dev/null
StrictHostkeyChecking no
LogLevel quiet


Then you can simply connect by

$ ssh inconsiderate

Hi,

if you want to use ssh from within a script, use this:

# ssh -o BatchMode yes

"The option BatchMode specifies whether a username and password querying on connect will be disabled. This option is useful when you create scripts and dont want to supply the password. e.g. Scripts that use the scp command to make backups over the network. "

AFAIK in BatchMode that question won't appear, and the machine will be skipped.

Regards,
Viktor