2

When you're using pscp to send files to a single machine is not a big deal because you will get the rsa fingerprint prompt once and never again after. But if you want to connect to 200 machines, you definitely don't want to type "yes" 200 times....

I'm using pscp on a Windows machine and I really don't care about the fingerprint, I only want to accept it. I'm using Amazon EC2 and the finger print change every time i restart the machines....

If there is a way to avoid it using pscp or a different tool please let me know!!!

Thanks!

MrCatacroquer
  • 2,038
  • 3
  • 16
  • 21
  • Possible duplicate http://stackoverflow.com/questions/13598996/putty-wont-cache-the-keys-to-access-a-server-when-run-script-in-hudson – Clay Dec 11 '13 at 16:05

4 Answers4

8

See Putty won't cache the keys to access a server when run script in hudson

On Windows you can use prefix echo y | in front of your command which will blindly accept any host key every time. However, a more secure solution is to run interactively the first time, or generate a .reg file that can be run on any client machine.

Community
  • 1
  • 1
Clay
  • 10,885
  • 5
  • 47
  • 44
5

I do not completely agree with the last answer. The first time you accept an SSH key, you know nothing about the remote host, so automatically accepting it makes no difference.

What I would do is auto accept the key the first time you connect to a host. I've read that doing something like yes yes | ssh user@host works, but it doesn't, because SSH does not read from stdin, but from a terminal.

What does work is to pass, that first time you connect, the following ssh option (it works for both scp and ssh:

scp -oStrictHostKeyChecking=no user@host1:file1 user@host2:file2

This command would add the key the first time you run it, but if, as Eric says, doing this once you have accepted the key is dangerous (man in the middle is uncool). If I were you I'd add it to a script that checked in ~/.ssh/known_hosts if there's already a line for that host, in which case I wouldn't add that option. On the other hand, if there was no line, I'd do so ;).

If you are dealing with an encrypted version of known_hosts, try with

ssh-keygen -F hostname

Here's something I'm actually using (function receiving the following arguments: user, host, source_file) 

deployToServer() {
    echo "Deployng to $1@$2 from $3"
    if [ -z "`cat ~/.ssh/known_hosts | grep $2`" ] && [ -z "`ssh-keygen -F $2`" ]
    then
        echo 'Auto accepting SSH key'
        scp -oStrictHostKeyChecking=no $3* $1@$2:.
    else
        scp $3* $1@$2:.
    fi
}

Hope this helped ;)

Alex Martín Jiménez
  • 367
  • 1
  • 4
  • 7
  • 1
    It doesnt work with pscp on Windows, which is a real shame! TBH I have verified the fingerprint and want to specify it on commandline, not necessarily ignore it, but say accept THIS one ... why can I not do this fundamental thing?? – Dan Jul 03 '13 at 17:13
  • Wrong: You do know about the remote host the first time you accept an SSH key, e.g., from the EC2 console output, and automatically accepting the key does make a big security difference. – David Braun Dec 11 '13 at 21:20
  • @Dan _It doesnt work with pscp on Windows, which is a real shame!_ The real shame is use Windows. – user454322 Oct 28 '14 at 13:31
  • Actually I added it into the code myself so I'm happy in the end – Dan Oct 29 '14 at 19:42
1

The host ssh key fingerprint should not change if you simply reboot or stop/start an instance. If it does, then the instance/AMI is not configured correctly or something else (malicious?) is going on.

Good EC2 AMIs are set up to create a random host ssh key on first boot. Most popular AMIs will output the fingerprint to the console output. For security, you should be requesting the instance console output through the EC2 API (command line tool or console) and comparing that to the fingerprint in the ssh prompt.

By saying you "don't care about the fingerprint" you are saying that you don't care about encrypting the traffic between yourself and the instance and it's ok for anybody in between you and the instance to see that communication. It may even be possible for a man-in-the-middle to take over the ssh session and gain access to control your instance.

With ssh on Linux you can turn off the ssh fingerprint check with a command line or config file option. I hesitate to publish how to do this as it is not recommended and seriously reduces the safety of your connections.

A better option is to have your instances set up their own host ssh key to a secret value that you know. You can save the public side of the host ssh key in your known hosts file. This way your traffic is encrypted and safe, and you don't have to continually answer the prompt about the fingerprints when connecting to your own machine.

Eric Hammond
  • 22,089
  • 5
  • 66
  • 75
0

I created a expect file with following commands in it:

spawn ssh -i ec2Key.pem ubuntu@ec2IpAddress expect "Are you sure you want to continue connecting (yes/no)?" { send "yes\n" } interact

I was able to ssh into the ec2 console without disabling the rsa fingerprint. My machine was added to the known hosts of this ec2.

I hope it helps.

subzero740
  • 13
  • 1
  • 4