Ssh command line specify server host key fingerprint

hostkeypublic-keysshssh-keys

Using ssh command line (OpenSSH), can I specify the server's host key fingerprint?

This is possible with winscp.com using (e.g.) -hostkey="ssh-rsa 2048 AA:BB:CC...etc

I have read the man page a couple times, I apologize if I've missed the obvious there.

I do not want to just auto accept a host key, and I don't want to require the user to update their known_hosts, but rather specify the host key in some form on the command line.

Best Answer

There's no command-line option in OpenSSH to pass a host key fingerprint.

Though you can use a temporary file (with the same format as the known_hosts) and make the ssh use that using the -o UserKnownHostsFile:

ssh -o "UserKnownHostsFile my_temp_known_host" host.example.com

See the ssh (for the -o) and the ssh_config (for the UserKnownHostsFile) man pages.

You may also consider using the StrictHostKeyChecking yes.

As suggested on Auto accept rsa key fingerprint from command line, you could write a small script that would allow you to achieve that:

#!/bin/bash

TEMPFILE=$(mktemp)
echo "$1" > $TEMPFILE

ssh -o "UserKnownHostsFile $TEMPFILE" ${@:2}

rm $TEMPFILE

If you call the script ssh_known_host, you could use it, passing the key as the first argument:

ssh_known_host 'github.com ssh-dss AAAAB3NzaC1kc3MAAACBANGFW2P9xlGU3zWrymJgI/lKo//ZW2WfVtmbsUZJ5uyKArtlQOT2+WRhcg4979aFxgKdcsqAYW3/LS1T2km3jYW/vr4Uzn+dXWODVk5VlUiZ1HFOHf6s6ITcZvjvdbp6ZbpM+DuJT7Bw+h5Fx8Qt8I16oCZYmAPJRtu46o9C2zk1AAAAFQC4gdFGcSbp5Gr0Wd5Ay/jtcldMewAAAIATTgn4sY4Nem/FQE+XJlyUQptPWMem5fwOcWtSXiTKaaN0lkk2p2snz+EJvAGXGq9dTSWHyLJSM2W6ZdQDqWJ1k+cL8CARAqL+UMwF84CR0m3hj+wtVGD/J4G5kW2DBAf4/bqzP4469lT+dF2FRQ2L9JKXrCWcnhMtJUvua8dvnwAAAIB6C4nQfAA7x8oLta6tT+oCk2WQcydNsyugE8vLrHlogoWEicla6cWPk7oXSspbzUcfkjN3Qa6e74PhRkc7JdSdAlFzU3m7LMkXo1MHgkqNX8glxWNVqBSc0YRdbFdTkL0C6gtpklilhvuHQCdbgB3LBAikcRkDp+FCVkUgPC/7Rw==' git@github.com

Btw, do not try to use <() shell construct with UserKnownHostsFile, like this:

-o UserKnownHostsFile=<(echo "hostname ssh-rsa ...")

It won't work. Possibly because the fd created by <() can be read only once, while ssh reads the file repeatedly.

Related Solutions

How to Remove Strict RSA Key Checking in SSH and Understand the Issues

Please don't delete the entire known_hosts file as recommended by some people, this totally voids the point of the warning. It's a security feature to warn you that a man in the middle attack may have happened.

I suggest you identify why it thinks something has changed, most likely an SSH upgrade altered the encryption keys due to a possible security hole. You can then purge that specific line from your known_hosts file:

sed -i 377d ~/.ssh/known_hosts

This deletes line 377 as shown after the colon in the warning:

/home/emerson/.ssh/known_hosts:377

Alternatively you can remove the relevant key by doing the following

ssh-keygen -R 127.0.0.1 (obviously replace with the server's IP)

Please DO NOT purge the entire file and ensure this is actually the machine you want to be connecting to prior to purging the specific key.

Ssh – How to use openssh sftp command with a RSA/DSA key specified from the command line

One potential option is to use sftp -oIdentityFile=/path/to/private/keyfile. Need more info to say whether that will work for you. Seems to work under Mac/Linux.

Best Answer

Related Solutions

How to Remove Strict RSA Key Checking in SSH and Understand the Issues

Ssh – How to use openssh sftp command with a RSA/DSA key specified from the command line

Related Topic