Ssh – How to save ssh-keyscan result with the port to .ssh/known_hosts

known-hostssshssh-keys

When I run

ssh-keyscan -p NNN -t rsa GITHOST

it produces sting like

GITHOST ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCZwBe6yneM2q2KEuQ3UV194hUcEcQ7b0xoYdKXKU6RrsxP2wup3uwC4q2SbPlW6XkjVtOIXY4c5aBaieMjNhIBFxGa2yUnTwZPFZiGMh/fwoZ2IsLsIE7XCj2q4eO1jmxvgWf7VAE7DVkGg5VTcRRoVOP5V15z9/saP5u4Tcwu1w==

And I add it to ~/.ssh/known_hosts file.

But the git still asks me about key verification. Could be it b/c there is no port information stored in the known_hosts file ?

How can I create proper known_hosts in a script?

Best Answer

This is usually not needed since current ssh-keyscan versions will add the port for you. Older versions did not do that. You could post-process the line with sed like this:

ssh-keyscan -p NNN -t rsa GITHOST | sed -E 's/^([^ \[]+) (.*)$/[\1]:NNN \2/'

The output of ssh-keyscan is piped into sed that will use a substitute regexp to transform the output of ssh-keyscan to include the port.

This will result in:

[GITHOST]:NNN ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCZw....

Update: I refined the regexp above to play nice with ssh-keyscan output in already correct format.

Related Solutions

How to Remove Strict RSA Key Checking in SSH and Understand the Issues

Please don't delete the entire known_hosts file as recommended by some people, this totally voids the point of the warning. It's a security feature to warn you that a man in the middle attack may have happened.

I suggest you identify why it thinks something has changed, most likely an SSH upgrade altered the encryption keys due to a possible security hole. You can then purge that specific line from your known_hosts file:

sed -i 377d ~/.ssh/known_hosts

This deletes line 377 as shown after the colon in the warning:

/home/emerson/.ssh/known_hosts:377

Alternatively you can remove the relevant key by doing the following

ssh-keygen -R 127.0.0.1 (obviously replace with the server's IP)

Please DO NOT purge the entire file and ensure this is actually the machine you want to be connecting to prior to purging the specific key.

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Best Answer

Related Solutions

How to Remove Strict RSA Key Checking in SSH and Understand the Issues

Ssh – How to automate SSH login with password

Related Topic