16

I am creating a bash script to provision a new server that I can deploy a web application to. One thing I always have to do is add GitHub as a known host using ssh git@github.com. How can I automate this process in a bash script, and do it in an idempotent way?

Andrew

3 Answers

19

The simple way to go would be to do something like this.

ssh-keyscan remote_server >>~/.ssh/known_hosts

If this box is brand new you might also need to create the ~/.ssh directory before you run ssh-keyscan.

Keep in mind that ssh-keyscan can take an arbitrary number of hostnames. It will get all the keys it can.

SYN
Zoredache

  • PS - For provisioning you should be using something like puppet instead of a bash script. For puppet this could be easily handled with the [sshkey](http://docs.puppetlabs.com/references/latest/type.html#sshkey) resource. Also see this question for a method to manage the known_hosts en-masse http://serverfault.com/a/416782/984 – Zoredache Dec 14 '13 at 00:40
  • That sure sounded good to me, but after spending a few hours apiece on puppet and competitors, I scurried back to bash scripts and sanity. If those tools are intuitive, I apparently have no intuition. YMMV. – Ron Burk Apr 08 '16 at 19:32
  • Use bash. I constantly run into issues across different versions of things like puppet or ansible. We always go back to bash... 3 companies running now like this and bash is always reliable for us. – akahunahi Sep 21 '16 at 23:05
4

Are you trying to automate accepting the new key? If so, you could use -oStrictHostKeyChecking=no.
Doing so is a very bad idea as you're now completely wide open to man-in-the-middle attacks.

A better option would be just to manage a known_hosts file and reuse that file when you provision new servers. Stick it on github and write a simple script to download that file before sshing into github.

The strict host key checking is a good thing.

  • Can you elaborate on the "manage known_hosts file"? I think that's what I want to do, but when I viewed the file, its contents looked like some sort of hash/key and didn't look like something that was intended to be managed manually. – Andrew Dec 05 '13 at 02:03
  • Provision a new server, manually ssh into github like you would. Accept the host key when prompted. Log out. Copy ~/.ssh/known_hosts from that newly provisioned server somewhere else (github, web server, doesn't matter as long as you can get it). Next time you provision a server, copy that file back before sshing to github. You don't need to edit the file. –  Dec 05 '13 at 02:32
  • This is better than my answer (safer). A further improvement on yoonix's answer though is to parse 'ssh-keyscan github.com' and store the returned key into ~/.ssh/known_hosts; that way it isn't static in a file somewhere for you to need to update. – Sirex Dec 05 '13 at 02:45
  • That would work too, but I wouldn't consider it better. You're potentially setting yourself up for a man-in-the-middle attack if you're grabbing a new host-key every time. –  Dec 05 '13 at 03:05
  • To clarify my last comment (too late to edit): Grabbing a new host-key each time you provision a host is functionally no different than setting StrictHostKeyChecking=no. With either of them you're blindly trusting whatever key gets sent each time you provision. If you think a MITM attack to be unlikely, read [these](http://www.renesys.com/2013/11/mitm-internet-hijacking/) [two](http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks-of-internet-traffic-researchers-warn/) articles. Github would be a HUGE target. –  Dec 05 '13 at 03:16
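The two approaches above, combined in an added example that is not code from any answer on this page: Zoredache's `ssh-keyscan >> known_hosts` is the simple route but appends a duplicate on every run and trusts whatever key arrives at scan time, while yoonix's answer is to trust only a key you already hold. The script below writes a pinned key idempotently (creating `~/.ssh` if needed, as the first answer notes) and treats a live scan purely as a check against that pin, so a substituted key is reported rather than installed. `PINNED_KEY` is a constructed placeholder, not GitHub's real key; the function names and the file path are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from any answer on this page.
# Goal: make "add GitHub to known_hosts" idempotent and safe against a key
# swapped in at scan time. Only a key pinned in advance is ever written;
# ssh-keyscan output is compared against the pin, never trusted on its own.
set -eu

# Placeholder pinned key: a constructed value, NOT GitHub's real public key.
# In real use, paste the host key GitHub publishes in its documentation.
PINNED_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkeybytesNOTrealXXXXXXXXXXX'

# has_host_key FILE HOST KEY -> 0 if FILE already holds the exact "HOST KEY" line.
# -x matches whole lines, so "evil.github.com ..." cannot satisfy "github.com ...".
has_host_key() {
    [ -f "$1" ] && grep -qxF -- "$2 $3" "$1"
}

# ensure_known_host FILE HOST KEY
# Creates the directory holding FILE if missing, then appends "HOST KEY"
# exactly once. Safe to run on every provisioning pass.
ensure_known_host() {
    file=$1; host=$2; key=$3
    if ! has_host_key "$file" "$host" "$key"; then
        mkdir -p -m 700 "$(dirname "$file")"
        touch "$file"
        chmod 600 "$file"
        printf '%s %s\n' "$host" "$key" >> "$file"
    fi
}

# scan_matches_pin SCANLINE HOST PIN
# SCANLINE is one line of ssh-keyscan output ("host type base64key").
# Returns 0 only when both the host and the whole key equal the pin, so a
# changed or substituted key is detected instead of being accepted.
scan_matches_pin() {
    line=$1; host=$2; pin=$3
    got_host=${line%% *}
    got_key=${line#* }
    [ "$got_host" = "$host" ] && [ "$got_key" = "$pin" ]
}

# Usage on a real box (needs network; left commented so the file runs offline):
#   ensure_known_host "$HOME/.ssh/known_hosts" github.com "$PINNED_KEY"
#   live=$(ssh-keyscan -t ed25519 github.com 2>/dev/null)
#   scan_matches_pin "$live" github.com "$PINNED_KEY" \
#       || echo "WARNING: github.com key differs from the pin; investigate" >&2
```

Running `ensure_known_host` twice leaves a single line in the file, which is the idempotence the question asks for; the scan check is optional and exists only to flag drift between the published key and what the network returns.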
1

I'm not sure I understand the question, but I think you want to ignore the known_hosts prompt or avoid it entirely, in which case:

ssh -o StrictHostKeyChecking=no

or other suggestions at: http://www.joedog.org/2012/07/ssh-disable-known_hosts-prompt/

Sirex
  • I want a non-interactive way of accepting the GitHub host key (since this will happen in a bash script). – Andrew Dec 05 '13 at 02:05
  • Then this'll work - it won't accept the key though, it'll ignore it entirely. Yoonix's answer is better. – Sirex Dec 05 '13 at 02:44