ssh command line specify server host key fingerprint

Using ssh command line (OpenSSH), can I specify the server's host key fingerprint?

This is possible with winscp.com using (e.g.) -hostkey="ssh-rsa 2048 AA:BB:CC...etc

I have read the man page a couple times, I apologize if I've missed the obvious there.

I do not want to just auto accept a host key, and I don't want to require the user to update their known_hosts, but rather specify the host key in some form on the command line.


Solution 1:

There's no command-line option in OpenSSH to pass a host key fingerprint.

Though you can use a temporary file (with the same format as the known_hosts) and make the ssh use that using the -o UserKnownHostsFile:

ssh -o "UserKnownHostsFile my_temp_known_host" host.example.com

See the ssh (for the -o) and the ssh_config (for the UserKnownHostsFile) man pages.


You may also consider using the StrictHostKeyChecking yes.


As suggested on Auto accept rsa key fingerprint from command line, you could write a small script that would allow you to achieve that:

#!/bin/bash

TEMPFILE=$(mktemp)
echo "$1" > $TEMPFILE

ssh -o "UserKnownHostsFile $TEMPFILE" ${@:2}

rm $TEMPFILE

If you call the script ssh_known_host, you could use it, passing the key as the first argument:

ssh_known_host 'github.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==' [email protected]

Btw, do not try to use <() shell construct with UserKnownHostsFile, like this:

-o UserKnownHostsFile=<(echo "hostname ssh-rsa ...")

It won't work. Possibly because the fd created by <() can be read only once, while ssh reads the file repeatedly.