6

There are plenty of answers to questions similar to this one, but I can't seem to find one with a clear answer. They all either grab the public key at least once, ignore the key altogether, or write directly to the known_hosts file (which implies no hash).

I have the server's fingerprint and/or public key. I would like a shell command to add it to the client's known_hosts file. This has to use whatever is configured (hash/no-hash).

Also, the script will do a git pull from this server so I don't know if providing port information at this point is relevant or not. Please tell me if it is.

Thanks. And feel free to point me in the right direction if this has already been answered and I missed it somehow.

PS - Extra info: One of the reasons I ask about ports is because I've done the following to no success (I'm aware this is getting the key from the host which I would rather not do):

ssh-keygen -R my.awesome.host # hostname
ssh-keygen -R 1.2.3.4         # IP
ssh-keygen -R my.awesome.host,1.2.3.4
ssh-keyscan -H my.awesome.host,1.2.3.4 >> ~/.ssh/known_hosts
ssh-keyscan -H 1.2.3.4 >> ~/.ssh/known_hosts
ssh-keyscan -H my.awesome.host >> ~/.ssh/known_hosts

But when I git clone (via ssh) I'm met with a resounding:

The authenticity of host '[my.awesome.host]:7999 ([1.2.3.4]:7999)' can't be established.
RSA key fingerprint is fi:ger:pr:in:ti:nf:or:ma:ti:on
Are you sure you want to continue connecting (yes/no)?

Yet ssh user@my.awesome.host does not prompt me about the fingerprint.

Jakuje
D.Mill
    You are using a different port for `ssh` and for `git`. – Jakuje Aug 19 '16 at 09:26
  • Yes, using a different port for git. git uses `7999`. – D.Mill Aug 19 '16 at 12:40
  • Then don't wonder about the difference. Running `ssh -p 7999 user@my.awesome.host` should prompt you for the confirmation. `ssh-keyscan` accepts the `-p` switch too to do the "right thing". Writing directly to the known hosts file is still the best bet (you can make `ssh-keygen` re-hash (`-H` switch) your known hosts if needed). – Jakuje Aug 19 '16 at 12:45
  • Ok, great. If you can answer with this info and describe how to write to the known_hosts and re-hash, that would be great (and I'll select it as the right answer). – D.Mill Aug 19 '16 at 13:12

1 Answer

4

Having a public key, you can simply write the key into the known_hosts file and possibly re-hash, if you need to:

HOSTNAME=my.awesome.host
PORT=7999
PUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAAD...E"
KNOWN_HOSTS="$HOME/.ssh/known_hosts"   # "~" is not expanded inside quotes, so use $HOME
# OpenSSH records hosts on a non-default port as "[host]:port":
echo "[$HOSTNAME]:$PORT $PUBKEY" >> "$KNOWN_HOSTS"
# re-hash, if needed (ssh -G prints the effective client configuration without connecting):
ssh -G -p "$PORT" "$HOSTNAME" | grep -q "hashknownhosts yes" && \
  ssh-keygen -H -f "$KNOWN_HOSTS"

The -G switch for ssh is fairly new. If it does not work, you will have to determine whether to hash the known hosts or not in a different way (or do it regardless of the conditions).

Hashing a file with already hashed hosts does not touch those lines.

I didn't try the above script, but you should be able to get the point from that (and fix typos, if there are some).

Jakuje
  • Thanks, one last clarification. If `-G` is not available, how would one hash the known_hosts file? Is it simply the same command without the `-G` flag? – D.Mill Aug 19 '16 at 17:03
  • Actually seems like it doesn't. Omitting `-G` still prompts me for the fingerprint. – D.Mill Aug 19 '16 at 17:05
  • 1
    answering my own question : `ssh-keygen -H` – D.Mill Aug 19 '16 at 17:08
  • `grep "HashKnownHosts yes" /etc/ssh/ssh_config` should check the default. – Jakuje Aug 19 '16 at 17:09
  • Thanks. This works. There is a case where the command will require user input, so I might amend the answer, but selecting this as the correct answer. – D.Mill Aug 19 '16 at 18:29
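The procedure from the answer and its comments, as an added example that is not part of Jakuje's answer or of the question: it builds the known_hosts line (bare hostname for port 22, "[host]:port" otherwise, which is why the question's `ssh user@host` and `git` on 7999 are matched against different entries), refuses to pin a key whose fingerprint does not match the one you were given out of band, appends the entry only once, and hashes the file only when the effective client configuration asks for it, falling back to /etc/ssh/ssh_config when `ssh -G` is unavailable. The function names are this example's own; the `-E` option of `ssh-keygen -l` and `ssh -G` are assumed to be present (OpenSSH 6.8 or later); the sample host, port and key blob are constructed.

```shell
#!/bin/sh
# Added example, not code from the original answer.  Pins a server host key in
# known_hosts without ever asking the server for it.  Assumed: OpenSSH >= 6.8
# (for "ssh -G" and "ssh-keygen -l -E").  Function names are this example's own.

# Build the known_hosts line.  OpenSSH writes non-default ports as "[host]:port";
# for port 22 the bare hostname is used.
known_hosts_line() {
    host=$1; port=$2; pubkey=$3
    if [ "$port" = 22 ]; then
        printf '%s %s\n' "$host" "$pubkey"
    else
        printf '[%s]:%s %s\n' "$host" "$port" "$pubkey"
    fi
}

# Append the line unless an identical line is already present.
add_known_host() {
    file=$1; host=$2; port=$3; pubkey=$4
    line=$(known_hosts_line "$host" "$port" "$pubkey")
    mkdir -p "$(dirname "$file")"
    if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# Compare the public key's fingerprint with the one obtained out of band.
# Accepts "SHA256:..." or the older colon-separated MD5 hex form.
verify_fingerprint() {
    pubkey=$1; expected=$2
    tmp=$(mktemp) || return 2
    printf '%s\n' "$pubkey" > "$tmp"
    case $expected in
        SHA256:*) actual=$(ssh-keygen -lf "$tmp" -E sha256 | awk '{print $2}') ;;
        *)        actual=$(ssh-keygen -lf "$tmp" -E md5 | awk '{print $2}' | sed 's/^MD5://') ;;
    esac
    rm -f "$tmp"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Decide whether hashing is in effect for this destination: "ssh -G" prints the
# resolved configuration without connecting; fall back to the system-wide file.
wants_hashing() {
    host=$1; port=$2
    if ssh -G -p "$port" "$host" 2>/dev/null | grep -qi '^hashknownhosts yes$'; then
        return 0
    fi
    grep -qiE '^[[:space:]]*HashKnownHosts[[:space:]]+yes' /etc/ssh/ssh_config 2>/dev/null
}

# Hash every still-plaintext entry in place; already-hashed lines are untouched.
# ssh-keygen leaves a backup as FILE.old, which is removed here.
hash_known_hosts() {
    file=$1
    ssh-keygen -H -f "$file" >/dev/null 2>&1 && rm -f "$file.old"
}

# Glue: verify (if a fingerprint was given), append, then hash if configured.
# Usage: pin_host_key "$HOME/.ssh/known_hosts" my.awesome.host 7999 "$PUBKEY" "$EXPECTED_FP"
pin_host_key() {
    file=$1; host=$2; port=$3; pubkey=$4; expected=$5
    if [ -n "$expected" ] && ! verify_fingerprint "$pubkey" "$expected"; then
        echo "fingerprint mismatch for $host:$port, refusing to pin" >&2
        return 1
    fi
    add_known_host "$file" "$host" "$port" "$pubkey"
    if wants_hashing "$host" "$port"; then
        hash_known_hosts "$file"
    fi
}
```

Pass an empty fifth argument to `pin_host_key` only when the key itself came from a trusted channel; with a fingerprint in hand, the check is what makes this safer than `ssh-keyscan`, which would accept whatever the network returns.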