
How do I pass a known fingerprint (such as SHA256:BcOkb1S0zuj5A1CDxpOSuD2hnAArV1A3wKY7iOlks) to SSH, so that I don't need to manually answer the prompt?

I tried the following, which does not seem to work:

ssh some-user@my-domain.com <<EOF
SHA256:BcOkb1S0zuj5A1CDxpOSuD2hnAArV1A3wKY7iOlks
EOF
TomDogg
  • take a look here, I don't think there is any other way [https://stackoverflow.com/questions/21383806/how-can-i-force-ssh-to-accept-a-new-host-fingerprint-from-the-command-line](https://stackoverflow.com/questions/21383806/how-can-i-force-ssh-to-accept-a-new-host-fingerprint-from-the-command-line) – Tch Jan 25 '21 at 18:46
  • @Tch - Thanks. Unfortunately, all those solutions are prone to MITM attacks. – TomDogg Jan 25 '21 at 18:48
  • You could prepare the complete entry and then copy it to the `~/.ssh/known_hosts` file. The entry should look like `my-domain.com ssh-rsa AAEFB...` – jeb Jan 25 '21 at 20:41

1 Answer


To add to the comment "You could prepare the complete entry and then copy it to the ~/.ssh/known_hosts file.", that preparation would be done using ssh-keyscan:

ssh-keyscan -H 192.168.1.162   # -H hashes the hostname in the output line, as known_hosts does
# or
ssh-keyscan my-domain.com

If you have a known fingerprint, you can also double-check whether it is still valid.

jeb
VonC
  • Thanks for the link to [validate a fingerprint](https://serverfault.com/a/1002348/783), that was the missing piece for me – jeb Jan 26 '21 at 10:01
  • Yes, the additional validation of the fingerprint makes this answer complete (the use of ssh-keyscan alone being prone to MITM attacks). – TomDogg Jan 26 '21 at 15:31
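Putting the answer's procedure together (run ssh-keyscan, compute the fingerprint of what it returned, and write the known_hosts entry only if that fingerprint equals the one you already know), here is an added Python example; it is not code from the question, the answer, or OpenSSH. It assumes `ssh-keyscan` is on PATH for the live path, and the key line embedded for the offline `demo()` is constructed (an ssh-ed25519 blob whose key bytes are all zero), not a real host key. The comparison step is what defeats a man-in-the-middle during the scan: an attacker who answers the keyscan can only offer a key whose fingerprint will not match.

```python
import argparse
import base64
import hashlib
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample for the offline demo: an ssh-ed25519 blob whose 32 key
# bytes are all zero. It is NOT a real host key; it only exercises the parsing
# and hashing below.
CONSTRUCTED_LINE = "my-domain.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43


def fingerprint_sha256(key_line: str) -> str:
    """OpenSSH-style fingerprint of the key in one ssh-keyscan / known_hosts line.

    The line has the form "<host-or-hash> <keytype> <base64 blob> [comment]";
    OpenSSH prints SHA-256 of the decoded blob as base64 without '=' padding.
    """
    fields = key_line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <keytype> <base64 key>'")
    blob = base64.b64decode(fields[2], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def select_matching_line(scan_output: str, expected: str) -> Optional[str]:
    """Return the first scanned key line whose fingerprint equals `expected`, else None.

    A host usually offers several key types; only the one matching the
    fingerprint obtained out of band is trusted, everything else is ignored.
    """
    for line in scan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if fingerprint_sha256(line) == expected:
            return line
    return None


def pin_host_key(scan_output: str, expected: str, known_hosts: Path) -> bool:
    """Append the matching key line to known_hosts; write nothing on a mismatch."""
    line = select_matching_line(scan_output, expected)
    if line is None:
        return False
    known_hosts.parent.mkdir(parents=True, exist_ok=True)
    with known_hosts.open("a", encoding="ascii") as fh:
        fh.write(line + "\n")
    return True


def scan_host(host: str, hash_hostname: bool = True) -> str:
    """Run ssh-keyscan (assumed on PATH); -H hashes the hostname as in the answer."""
    cmd = ["ssh-keyscan"] + (["-H"] if hash_hostname else []) + [host]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def demo() -> dict:
    """Offline walk-through on the constructed line: one correct and one wrong fingerprint."""
    good = fingerprint_sha256(CONSTRUCTED_LINE)
    wrong = "SHA256:" + "x" * 43  # deliberately not the real value
    with tempfile.TemporaryDirectory() as tmp:
        kh = Path(tmp) / "known_hosts"
        accepted = pin_host_key(CONSTRUCTED_LINE + "\n", good, kh)
        wrong_accepted = pin_host_key(CONSTRUCTED_LINE + "\n", wrong, kh)
        text = kh.read_text(encoding="ascii")
    return {"fingerprint": good, "accepted": accepted,
            "wrong_accepted": wrong_accepted, "known_hosts": text}


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="pin a host key only if its fingerprint matches")
    ap.add_argument("host")
    ap.add_argument("fingerprint", help="e.g. SHA256:<43 base64 characters>")
    ap.add_argument("--known-hosts", type=Path, default=Path.home() / ".ssh" / "known_hosts")
    args = ap.parse_args()
    if pin_host_key(scan_host(args.host), args.fingerprint, args.known_hosts):
        print("host key pinned")
    else:
        raise SystemExit("no offered key matches the expected fingerprint; nothing written")
```

Usage: `python pin_host_key.py my-domain.com SHA256:...` (the file name is a placeholder). After the line is written, `ssh some-user@my-domain.com` finds the host already in known_hosts and asks no question; if the scan returns a different key, nothing is written and the ssh prompt stays as the warning it is meant to be.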