Networking

How to easily add an SSH fingerprint to your known_hosts file in Linux

If your Linux shell scripts are getting tripped up by SSH fingerprints, Jack Wallen has an easy solution to avoid the problem.

linuxhero.jpg
Image: Jack Wallen

Let's say you've written a bash script that scans all of your Linux servers in your data center for uptime. Such a file could contain the following contents:

ssh $1 "uptime"

When you run your script, it may get foiled by an issue where it is stopped by a server that has yet to have its SSH key fingerprint added to the known_hosts file. When this happens, your script is rendered useless.

SSH key fingerprint

What is an SSH key fingerprint? Simple: It is the fingerprint of a key that is verified when you try to login to a remote computer using SSH. When you log into an SSH server for the first time, you'll see something like that shown in Figure A.

Figure A

Figure A

You have to accept the fingerprint before the SSH connection can be made.

If you don't accept the fingerprint, the connection will be immediately broken. So what happens when you're working with a bash script that cannot accept input, in order to okay the addition of the remote SSH fingerprint?

Fortunately, the developers of SSH thought of this, and have added a command that allows you to easily add SSH fingerprints to the known_hosts file.

Adding the fingerprint

I'll demonstrate adding the fingerprint from a remote serve to a local machine. Let's say the remote server is at 192.168.1.162. To add that fingerprint, the command would be:

ssh-keyscan -H 192.168.1.162 >> ~/.ssh/known_hosts

The command will run and add the remote SSH fingerprint to the local machine, without your input (Figure B).

Figure B

Figure B

A simple command to add the SSH fingerprints of remote machines.

So an addition to the bash script could look like:

ssh-keyscan $1 >> ~/.ssh/known_hosts

The above addition would take the argument from the command (say, for example, ./script 192.168.1.118) and add the fingerprint to ~/.ssh/known_hosts before it then moves to the next line—thereby avoiding the missing SSH fingerprint issue. Of course the above would only work properly if you have ssh key authentication setup. Otherwise, you'd have to enter the remote machine's password.

The simple things

Sometimes it's the simple things that trip up our bash scripts. If that key fingerprint issue has been causing you headaches with your scripts, you now have the means of avoiding the issue.

Also See

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox