We are attempting to speed up the installation of oracle nodes for RAC installation.
this requires that we get ssh installed and configured so that it doesn’t prompt for a password.
The problem is:
On first usage, we are prompted for
RSA key fingerprint is 96:a9:23:5c:cc:d1:0a:d4:70:22:93:e9:9e:1e:74:2f. Are you sure you want to continue connecting (yes/no)? yes
Is there a way to avoid that or are we doomed to connect at least once on every server from every server manually?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
Update December 2019:
As Chris Adams pointed out below, there has been a fairly significant change to Openssh in the 6.5 years since this answer was written, and there is a new option that is much safer than the original advice below:
* ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400
So instead of setting StrictHostKeyChecking no in your ssh_config file, set StrictHostKeyChecking accept-new.
Set StrictHostKeyChecking no in your /etc/ssh/ssh_config file, where it will be a global option used by every user on the server. Or set it in your ~/.ssh/config file, where it will be the default for only the current user. Or you can use it on the command line:
ssh -o StrictHostKeyChecking=no -l "$user" "$host"
Here’s an explanation of how this works from man ssh_config
(or see this more current version):
StrictHostKeyChecking
If this flag is set to “yes”, ssh will never automatically add
host keys to the$HOME/.ssh/known_hostsfile, and refuses to
connect to hosts whose host key has changed.
This provides maximum protection
against trojan horse attacks, however, can be
annoying when the/etc/ssh/ssh_known_hostsfile is
poorly maintained,
or connections to new hosts are frequently made. This
option forces the user to manually add all new hosts. If this
flag is set to “no”, ssh will automatically add new host keys to
the user known hosts files. If this flag is set to “ask”, new
host keys will be added to the user known host files only after
the user has confirmed that is what they really want to do, and
ssh will refuse to connect to hosts whose host key has changed.
The host keys of known hosts will be verified automatically in
all cases. The argument must be “yes”, “no” or “ask”. The
default is “ask”.
Method 2
ssh-keyscan – Gather ssh public keys
If you already know the list of hosts you will connect to, you can just issue:
ssh-keyscan host1 host2 host3 host4
You can give the -H option to have it hash the results like ssh defaults to now
Also you can give -t keytype were keytype is dsa, rsa, or ecdsa if you have a preference as to which type of key to grab instead of the default.
Once you have run ssh-keyscan it will have pre-populated your known-hosts file and you won’t have ssh asking you for permission to add a new key.
Method 3
Ignore Host
Ignore the HostKeyChecking. For this I use e.g.:
ssh -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="037670667143667b626e736f662d6d6677">[email protected]</a>
Add Host
Add the host’s/server’s fingerprint to .ssh/known_hosts prior to your first connect. This is the safer way.
Method 4
You can add the fingerprint to each server’s known_hosts. For a single user:
cat ~/.ssh/known_hosts echo "$SERVER,$PORT ssh-rsa $SERVER_KEY_FINGERPRINT" >> ~/.ssh/known_hosts
Method 5
Execute the following snippet before trying.
mkdir -p ~/.ssh echo "Host *" > ~/.ssh/config echo " StrictHostKeyChecking no" >> ~/.ssh/config
ps: Strictly not for production servers, beware of ManInMiddle
Method 6
I like Tim’s answer for one off type things however, if this is a host you intend on connecting to on a regular basis I would create an entry in your ~/.ssh/config (create it if the file does not exist).
# this example shows wildcard for IP
# you can even use more than one wildcard 10.0.*.* for example
Host 192.168.56.*
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
# you can even alias it, which is really useful when scp'ing/rsyncing foo:/path/to/remote
Host foo
HostName foo-long-192-10-135-55.hostname.not-going-to-remember.doh
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0