Paramiko SSH failing with "Server '...' not found in known_hosts" when run on web server

Question

I am trying to use Paramiko to make an SSH communication between 2 servers on a private network. The client server is a web server and the host server is going to be a "worker" server. The idea was to not open up the worker server to HTTP connections. The only communication that needs to happen, is the web server needs to pass strings to a script on the worker server. For this I was hoping to use Paramiko and pass the information to the script via SSH.

I set up a new user and created a test script in Python 3, which works when I run it from the command line from my own user's SSH session. I put the same code into my Django web app, thinking that it should work, since it tests OK from the command line, and I get the following error:

Server 'worker-server' not found in known_hosts

Now, I think I understand this error. When performing the test script, I was using a certain user to access the server, and the known hosts information is saved to ~/.ssh/known_hosts even though the user is actually a 3rd party user created just for this one job. So the Django app is running under a different user who doesn't find the saved known hosts info because it doesn't have access to that folder. As far as I can tell the user which Apache uses to execute the Django scripts doesn't have a home directory.

Is there a way I can add this known host in a way that the Django process can see it?

Script:

import paramiko

client = paramiko.SSHClient()
client.load_system_host_keys()
client.connect('worker-server', 22, 'workeruser', 'workerpass')

code = "123wfdv"
survey_id = 111
stdin, stdout, stderr =
    client.exec_command('python3 /path/to/test_script/test.py %s %s' % ( code, survey_id ))

print( "ssh successful. Closing connection" )

stdout = stdout.readlines()
client.close()
print ( "Connection closed" )

output = ""
for line in stdout:
    output = output + line
if output!="":
    print ( output )
else:
    print ( "There was no output for this command" )

Answer 1

You can hard-code the host key in your Python code, using HostKeys.add:

import paramiko
from base64 import decodebytes

keydata = b"""AAAAB3NzaC1yc2EAAAABIwAAAQEA0hV..."""
key = paramiko.RSAKey(data=decodebytes(keydata))
 
client = paramiko.SSHClient()
client.get_host_keys().add('example.com', 'ssh-rsa', key)
client.connect(...)

• This is based on my answer to:
  Paramiko "Unknown Server".

• To see how to obtain the fingerprint for use in the code, see my answer to:
  Verify host key with pysftp.

• If using pysftp, instead of Paramiko directly, see:
  PySFTP failing with "No hostkey for host X found" when deploying Django/Heroku

---

Or, as you are connecting within a private network, you can give up on verifying host key altogether, using AutoAddPolicy:

client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(...)

(This can be done only if you really do not need the connection to be secure)

Answer 2

In addition to Martin Prikryl answer, maybe you're coding for a dynamic environment where you don't know this information, then you could validate de host by yourself and then add to know_hosts file. This answer is oriented to sys admins.

Direct add:

$ ssh-keyscan sample.host.com >> ~/.ssh/known_hosts
o
$ ssh-keyscan 192.168.1.20 >> ~/.ssh/known_hosts

Need user input:

$ ssh sample.host.com
o
$ ssh 192.168.1.20

Keep in mind that you must have the correct credentials to successfully connect.