SSH Scripting – How to Script a Check That the Key in Known_hosts File Is Correct

scriptingssh

I would like to implement a function in a script that checks if the key that corresponds to a given host in known_hosts file is correct. The obvious way to do this is to attempt an ssh connection and parse if it results in the known_hosts warning. This is suboptimal for these reasons:

If the host is not in the know_hosts file it needs to be checked separately
It relies on a particular wording of the warning that is subject to change
It runs an ssh command for you on the target server that you do not need to run and which could fail for different reasons such as what login shell is specified
Requires valid credentials

I tried to find an option in ssh-keyscan and ssh-keygen commands that might to that check, but did not find them.

What is the simplest way to do this check?

Best Answer

#!/usr/bin/env bash

HOST=$1

set -o pipefail

HOST_KEY_LINE=$(ssh-keygen -F "$HOST" | tail -n1)

if [ $? -ne 0 ]; then
  echo "$HOST is not in the known_hosts file"
  exit 1
fi

KEY_TYPE=$(echo "$HOST_KEY_LINE" | awk '{ print $2 }')
HOST_KEY=$(echo "$HOST_KEY_LINE" | awk '{ print $3 }')

ACTUAL_KEY=$(ssh-keyscan -t "$KEY_TYPE" "$HOST" 2>&1 | tail -n1 | awk '{ print $3 }')

if [ $? -ne 0 ]; then
  echo "Could not get key from $HOST: $ACTUAL_KEY"
  exit 1
fi

if [ "$HOST_KEY" = "$ACTUAL_KEY" ]; then
  echo "known_hosts has a correct key"
  exit 0
fi

echo "known_hosts has an incorrect key"

Related Solutions

SSH – How to Change Private Key Passphrase

To change the passphrase on your default key:

$ ssh-keygen -p

If you need to specify a key, pass the -f option:

$ ssh-keygen -p -f ~/.ssh/id_dsa

then provide your old and new passphrase (twice) at the prompts. (Use ~/.ssh/id_rsa if you have an RSA key.)

More details from man ssh-keygen:

[...]
SYNOPSIS
    ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
               [-f output_keyfile]
    ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
[...]
     -f filename
             Specifies the filename of the key file.
[...]
     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             the new passphrase.
[...]

SSH Key – How to Create a Public Key from a Private Key

Use the -y option to ssh-keygen:

ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub

From the 'man ssh-keygen'

 -y      This option will read a private OpenSSH format file and print an
         OpenSSH public key to stdout.

Specify the private key with the -f option, yours might be dsa instead of rsa. The name of your private key probably contains which you used. The newly generated public key should be the same as the one you generated before.

Best Answer

Related Solutions

SSH – How to Change Private Key Passphrase

SSH Key – How to Create a Public Key from a Private Key

Related Topic