我写了这个小实用程序脚本:
for h in $SERVER_LIST; do ssh $h "uptime"; done
当向 中添加新服务器时$SERVER_LIST,脚本将停止:
The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be established.
RSA key fingerprint is a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
Are you sure you want to continue connecting (yes/no)?
我试过了yes:
for h in $SERVER_LIST; do yes | ssh $h "uptime"; done
没有运气。
有没有一种方法可以参数化ssh以自动接受任何新密钥?
答案1
使用 StrictHostKeyChecking 选项,例如:
ssh -oStrictHostKeyChecking=no $h uptime
该选项也可以添加到 ~/.ssh/config,例如:
Host somehost
Hostname 10.0.0.1
StrictHostKeyChecking no
请注意,当主机密钥发生更改时,即使使用此选项,您也会收到警告:
$ ssh -oStrictHostKeyChecking=no somehost uptime
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
31:6f:2a:d5:76:c3:1e:74:f7:73:2f:96:16:12:e0:d8.
Please contact your system administrator.
Add correct host key in /home/peter/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/peter/.ssh/known_hosts:24
remove with: ssh-keygen -f "/home/peter/.ssh/known_hosts" -R 10.0.0.1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
ash: uptime: not found
如果您的主机不经常重新安装,您可以使用该选项降低安全性(但对于经常更改主机密钥来说更方便)-oUserKnownHostsFile=/dev/null。这会丢弃所有收到的主机密钥,因此永远不会生成警告。
对于 Ubuntu 18.04,由于 [OpenSSH>=7.6] (https://www.openssh.com/txt/release-7.6),又有一个新的可能性:
StrictHostKeyChecking=accept-new
If this flag is set to “accept-new” then ssh will automatically
add new host keys to the user known hosts files, but will not
permit connections to hosts with changed host keys. If this flag
is set to “no” or “off”, ssh will automatically add new host keys
to the user known hosts files and allow connections to hosts with
changed hostkeys to proceed, subject to some restrictions.
答案2
您可以使用以下命令将服务器的指纹添加到您的known_hosts
ssh-keyscan -H <ip-address> >> ~/.ssh/known_hosts
ssh-keyscan -H <hostname> >> ~/.ssh/known_hosts
笔记:将 < ip-address > 和 < hostname > 替换为您要添加的服务器的 IP 和 DNS 名称。
唯一的问题是,某些服务器最终会在 known_hosts 中出现两次。这其实没什么大不了的,只是提一下。为了确保没有重复,您可以先运行以下命令,先删除所有服务器:
ssh-keygen -R <ip-address>
ssh-keygen -R <hostname>
因此你可以运行:
for h in $SERVER_LIST; do
ip=$(dig +search +short $h)
ssh-keygen -R $h
ssh-keygen -R $ip
ssh-keyscan -H $ip >> ~/.ssh/known_hosts
ssh-keyscan -H $h >> ~/.ssh/known_hosts
done
删除后再重新添加时,需要记住的一点是,您实际上是在删除验证指纹的安全性。因此,您肯定不想在每次执行实用程序脚本之前运行此脚本。
答案3
我的回复有点晚了,但明智的做法是在运行正常运行时间收集之前在新机器上执行 ssh-keyscan。
ssh-keyscan <newhost> >> ~/.ssh/known_hosts
为了方便而禁用健全性检查听起来是个糟糕的计划,即使您认为自己完全控制了环境。
答案4
我尝试了此主题中建议的方法。最适合我需求的方法总结如下:
ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=10 -i <filepath to .pem RSA key> <user>@<ip>