43

I'm attempting to make a system which automatically copies files from one server to many servers. As part of that I'm using rsync and installing SSH keys, which works correctly.

My problem is that when it attempts to connect to a new server for the first time it will ask for a confirmation. Is there a way to automatically accept?

Example command/output:

rsync -v -e ssh * root@someip:/data/
The authenticity of host 'someip (someip)' can't be established.
RSA key fingerprint is somerandomrsakey.
Are you sure you want to continue connecting (yes/no)? yes
the Tin Man
Bravo Delta

3 Answers

70

You can add this host's key to known_hosts beforehand like this:

ssh-keyscan $someip >> ~/.ssh/known_hosts
Yorik.sar
  • 6
    this actually answers the OP's question, instead of working around it (and arguably circumventing the entire point of using host keys to identify systems using SSH) – mxmader Apr 30 '14 at 15:26
  • 3
    @mxmader - how does it differ? You're still automatically saying yes to "I trust this key" - aren't they equally bad? – Andy Baker May 10 '15 at 20:31
  • 4
    @andybak: It doesn't turn off host key verification, so you're safe from MITM or something like that unless your network has already been compromised at the time of `ssh-keyscan`. – Yorik.sar May 13 '15 at 09:40
  • 2
    I agree with @AndyBaker - if you're doing this immediately before running the rsync command, it just moves the trust one line earlier. – Ken Williams Dec 27 '18 at 19:08
  • @AndyBaker not if used *only* in the case of the "first time" an SSH connection is established as specified by the OP (hence my use of the "file append" operator). For subsequent connections, I agree that the practicality of my answer is logically equivalent to ignoring host keys altogether. – mxmader Dec 28 '20 at 16:33
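
The comments above point out that running `ssh-keyscan` right before rsync only moves the trust decision one line earlier. The following is an added example, not code from any of the posts: it compares each scanned key's fingerprint with one obtained out of band (for example from the provisioning record) and passes on only matching lines for `known_hosts`. Function names, addresses and key blobs are constructed for illustration, and unhashed `ssh-keyscan` output (no `-H`) is assumed.

```python
import base64
import hashlib
import struct


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pin_scanned_keys(scan_output, pins):
    """Split unhashed ssh-keyscan output into (accepted, rejected) lines.

    pins maps host name or IP -> set of fingerprints obtained out of band.
    """
    accepted, rejected = [], []
    for line in scan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # keyscan banner comments
            continue
        parts = line.split()
        try:
            names, _keytype, blob = parts[:3]
            fp = fingerprint(blob)
        except ValueError:                        # too few fields or bad base64
            rejected.append(line)
            continue
        allowed = set().union(*(pins.get(n, set()) for n in names.split(",")))
        (accepted if fp in allowed else rejected).append(line)
    return accepted, rejected


def sample_blob(seed):
    """Constructed ed25519-shaped blob for the demo; not a real host key."""
    key = hashlib.sha256(seed).digest()
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return base64.b64encode(raw).decode()


# Constructed data: .10 presents its provisioned key, .11 presents another key.
GOOD, ROGUE = sample_blob(b"provisioned-10"), sample_blob(b"unexpected")
PINS = {"192.0.2.10": {fingerprint(GOOD)},
        "192.0.2.11": {fingerprint(sample_blob(b"provisioned-11"))}}
SCAN = (f"# 192.0.2.10:22 SSH-2.0-OpenSSH\n192.0.2.10 ssh-ed25519 {GOOD}\n"
        f"192.0.2.11 ssh-ed25519 {ROGUE}\n")

if __name__ == "__main__":
    ok, refused = pin_scanned_keys(SCAN, PINS)
    print("append to known_hosts:", ok)
    print("refused:", refused)
```

Only the accepted lines should be appended to `known_hosts`; a refused line for a pinned host means the key seen on the network is not the one that was provisioned.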
54

If they genuinely are new hosts, and you can't add the keys to known_hosts beforehand (see Yorik.sar's answer), then you can use this option:

-e "ssh -o StrictHostKeyChecking=no"
Tombart
Brian Agnew
  • 9
    more specifically: -o StrictHostKeyChecking=no (or edit either /etc/ssh/ssh_config or ~/.ssh/config) – Elisiano Petrini Aug 08 '13 at 10:29
  • 3
    This approach lessens security. One should not use that unless there's no other way (e.g. IP and hostname of the target constantly changing). – Yorik.sar Apr 17 '14 at 15:38
  • 2
    We need to use this method (or removal and adding the key with `ssh-keygen -R` and `ssh-keyscan -H`) as our hosts are on AWS and are destroyed each night, then rebuilt each morning - there seems to be no other way that I can find to stop the 'man in the middle' warning thrown by ssh! – Dave Rix Dec 30 '15 at 14:19
  • 18
    -o is not an rsync option. It's an ssh option. For rsync add it like this: `-e "ssh -o StrictHostKeyChecking=no"`. – nmgeek Mar 28 '17 at 22:58
8

I know that this was asked 3 years ago, but this was at the top of my Google search and I was unable to get either of these solutions to work correctly for me in the middle of a Vagrant script. So I wanted to put here the method that I found somewhere else.

The solution there talks about updating the ~/.ssh/config or /etc/ssh/ssh_config file with the following blocks of code.

To disable host key checking for a particular host (e.g., remote_host.com):

Host remote_host.com
    StrictHostKeyChecking no

To turn off host key checking for all hosts you connect to:

Host *
    StrictHostKeyChecking no

To avoid host key verification, and not use known_hosts file for 192.168.1.* subnet:

Host 192.168.0.*
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

I hope this helps someone else who runs into this issue.

Iwnnay