我们一直在启动新服务器,然后通过 SSH 进入这些服务器。我们使用 DNSSEC 和 SSFHP 进行主机密钥身份验证。有时(无论出于何种原因)DNS 匹配会失败,这将导致显示此对话框:
The authenticity of host 'hostname.domain.com (1.2.3.4)' can't be established.
ECDSA key fingerprint is SHA256:obfuscated.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
我希望 SSH 静默地失败,返回代码就可以,或者至少不需要交互。
ssh
我查看了和的手册页ssh_config
。我没有看到任何会导致 SSH 非交互失败的内容。
安静模式(-q
)仅“导致大多数警告和诊断消息被抑制。” 它不会抑制交互式对话框。
我需要这个的主要目的是我们可以以编程方式访问远程服务器并跳过(或重试)那些身份验证失败的服务器。
答案1
使用StrictHostKeyChecking
手册页中的选项:
StrictHostKeyChecking
If this flag is set to ''yes'', ssh(1) will never automatically
add host keys to the ~/.ssh/known_hosts file, and refuses to
connect to hosts whose host key has changed. This provides
maximum protection against trojan horse attacks, though it can
be annoying when the /etc/ssh/ssh_known_hosts file is poorly
maintained or when connections to new hosts are frequently
made. This option forces the user to manually add all new
hosts. If this flag is set to ''no'', ssh will automatically add
new host keys to the user known hosts files. If this flag is set
to ''ask'', new host keys will be added to the user known host
files only after the user has confirmed that is what they really
want to do, and ssh will refuse to connect to hosts whose host
key has changed. The host keys of known hosts will be verified
automatically in all cases. The argument must be ''yes'',
''no'', or ''ask''. The default is ''ask''.
例如:
$ ssh -o StrictHostKeyChecking=yes remote.host
No RSA host key is known for remote.host and you have requested strict checking.
Host key verification failed.
$ echo $?
255
附录:我第一次没有仔细阅读问题,没有注意到您正在使用基于 DNS 的主机密钥检查。我实际上不知道这是否会对您的情况有所帮助,但我会留下答案,以防其他人发现它有用。