23

I want to provide 'yes' automatically, or ignore it and proceed in a secure way, when the statement below comes up during execution of my Expect shell script:

#!/usr/bin/expect
spawn ssh $user@$host

The authenticity of host 'abcdef (10.566.1.98)' can't be established. RSA key fingerprint is jk:94:ba:93:0b:eb:ff:df:ea:gh:hj:23:3c:hj:9c:be. Are you sure you want to continue connecting (yes/no)?

Artjom B.
ShAn PrIyAn
    "secure" and expect don't usually go hand-in-hand. There is no guaranteed way if you are automatically accepting the RSA fingerprint to know that it is legitimate. – mmmmmpie Feb 11 '15 at 19:47
  • Possible duplicate of [How can I force ssh to accept a new host fingerprint from the command line?](https://stackoverflow.com/questions/21383806/how-can-i-force-ssh-to-accept-a-new-host-fingerprint-from-the-command-line) – Martin Prikryl Jul 01 '19 at 13:09

3 Answers

40

It's possible to avoid this question and accept all incoming keys automatically by using the ssh client option StrictHostKeyChecking set to no (the default setting is ask, which results in that question):

ssh -o StrictHostKeyChecking=no "$user@$host"

However, note that it would be hardly secure, as you're basically accepting connections with everyone who may act as a given host. The only secure way to avoid the question is to pre-distribute host public keys to clients, i.e. in the form of a pre-generated known hosts file, which can be used in some way like this:

ssh \
    -o UserKnownHostsFile=PATH_TO_YOUR_KNOWN_HOSTS_FILE \
    -o StrictHostKeyChecking=yes "$user@$host"

This way you'll avoid the question, and if the check fails, ssh will exit with a non-zero status.

GreyCat
  • +1. Yup, another case where the accepted answer lags behind... You can set `StrictHostKeyChecking=no` in your **~/.ssh/config** on a per-host basis. – JL Peyret Dec 27 '17 at 01:26
  • @JLPeyret If you know your hosts beforehand and are willing to set them up individually, then you might just as well set up proper keys for them? – GreyCat Dec 27 '17 at 10:22
  • chef-based auto installs. I'd have to prepopulate known_hosts. Risk is low, it's a git fetch against a low-privilege git user. Everything's set up correctly, AFAIK, but it's not a known host on the being-installed machine yet when chef runs – JL Peyret Dec 27 '17 at 17:14
  • Actually, while I liked your answer, I only looked at part #1, and didn't really realize what you meant with part #2. I'll check into it, looks even better. – JL Peyret Dec 27 '17 at 17:27
12

This works, and it's especially convenient for Docker builds:

ssh-keyscan hostname.example.com >> $HOME/.ssh/known_hosts
Ben Harper
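The two answers above fit together: scan the host key once, but before trusting what ssh-keyscan returned, compare its SHA256 fingerprint with one obtained out of band (from the server console or the provisioning system), and only then write the pinned known_hosts file that `UserKnownHostsFile` plus `StrictHostKeyChecking=yes` will enforce. The following is an added example, not code from any of the answers; the host name `myhost`, the key blob and the ssh-keyscan output are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed sample: an ssh-ed25519 blob with a dummy 32-byte key, NOT a real host key.
SAMPLE_KEY_B64 = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode()
SAMPLE_KEYSCAN_OUTPUT = (
    "# myhost:22 SSH-2.0-OpenSSH (constructed comment line, skipped)\n"
    f"myhost ssh-ed25519 {SAMPLE_KEY_B64}\n"
)

def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def select_pinned_line(keyscan_output: str, host: str, expected_fp: str) -> Optional[str]:
    """Return the ssh-keyscan line for `host` whose fingerprint equals the one
    obtained out of band; None if no line matches (do not connect in that case)."""
    for line in keyscan_output.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()          # "<host> <keytype> <base64 key>"
        if len(parts) < 3 or parts[0] != host:
            continue
        if hmac.compare_digest(fingerprint_sha256(parts[2]), expected_fp):
            return " ".join(parts[:3])
    return None

def write_known_hosts(path: str, pinned_line: str) -> None:
    """Write a single-entry known_hosts file for use with UserKnownHostsFile."""
    with open(path, "w") as fh:
        fh.write(pinned_line + "\n")

def ssh_command(user: str, host: str, known_hosts_path: str) -> list:
    """ssh argv that refuses the connection unless the host key is in the pinned file."""
    return ["ssh", "-o", f"UserKnownHostsFile={known_hosts_path}",
            "-o", "StrictHostKeyChecking=yes", f"{user}@{host}"]
```

In practice `SAMPLE_KEYSCAN_OUTPUT` is replaced by the real `ssh-keyscan hostname` output and `expected_fp` by the fingerprint you verified elsewhere; a `None` result means the scanned key does not match and the job should stop rather than answer "yes".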
5

Make use of exp_continue for this scenario.

#!/usr/bin/expect
set prompt "#|>|\\\$"
spawn ssh dinesh@myhost
expect {
    # If 'expect' sees '(yes/no)', then it will send 'yes'
    # and continue the 'expect' loop
    "(yes/no)" { send "yes\r"; exp_continue }
    # If 'password' is seen first, then proceed as such.
    "password"
}
send "root\r"
expect -re $prompt

Reference: Expect

Dinesh
  • Thanks Dinesh!! It worked perfectly! But I didn't set the prompt and the final command expect -re $prompt. It worked without those! – ShAn PrIyAn Feb 17 '15 at 13:18