ssh command line specify server host key fingerprint

ssh ssh-keys public-key hostkey

Using ssh command line (OpenSSH), can I specify the server's host key fingerprint?

This is possible with winscp.com using (e.g.) -hostkey="ssh-rsa 2048 AA:BB:CC...etc

I have read the man page a couple times, I apologize if I've missed the obvious there.

I do not want to just auto accept a host key, and I don't want to require the user to update their known_hosts, but rather specify the host key in some form on the command line.


Solution 1:

There's no command-line option in OpenSSH to pass a host key fingerprint.

Though you can use a temporary file (with the same format as the known_hosts) and make the ssh use that using the -o UserKnownHostsFile:

ssh -o "UserKnownHostsFile my_temp_known_host" host.example.com

See the ssh (for the -o) and the ssh_config (for the UserKnownHostsFile) man pages.

You may also consider using the StrictHostKeyChecking yes.

As suggested on Auto accept rsa key fingerprint from command line, you could write a small script that would allow you to achieve that:

#!/bin/bash

TEMPFILE=$(mktemp)
echo "$1" > $TEMPFILE

ssh -o "UserKnownHostsFile $TEMPFILE" ${@:2}

rm $TEMPFILE

If you call the script ssh_known_host, you could use it, passing the key as the first argument:

ssh_known_host 'github.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==' [email protected]

Btw, do not try to use <() shell construct with UserKnownHostsFile, like this:

-o UserKnownHostsFile=<(echo "hostname ssh-rsa ...")

It won't work. Possibly because the fd created by <() can be read only once, while ssh reads the file repeatedly.

Related

Mount an VHD on Mac OS X
A secure, standard iptables rule-set for a basic HTTP(s) webserver
Disable IPv6 on Loopback address (Localhost, Computer name, ...)
Difference between Apache CXF and Axis
What is the difference between Xamarin.Form's LayoutOptions, especially Fill and Expand?
Why is $$ returning the same id as the parent process?
What is a Shim?
How to publish an npm package with distribution files?
How do I import other TypeScript files?
Change old commit message using `git rebase`
What is the difference between "git init" and "git init --bare"?
How exactly do Django content types work?