やりたいこと
ssh で初回ログイン時に「Are you sure you want to continue connecting (yes/no)?」と聞かれないようにしたい。
$ ssh oracle@192.168.45.102 The authenticity of host '192.168.45.102 (192.168.45.102)' can't be established. RSA key fingerprint is d6:89:e2:2a:2d:44:87:9a:76:10:25:07:c6:5e:00:32. Are you sure you want to continue connecting (yes/no)?
やりかた
- クライアント側の ~/.ssh/config に以下を追記する。
$ vi ~/.ssh/config host * StrictHostKeyChecking no
- ssh で初回ログインしてみる。
$ ssh oracle@192.168.45.102 Warning: Permanently added '192.168.45.102' (RSA) to the list of known hosts.
「Are you sure you want to continue connecting (yes/no)?」と聞かれなくなる。
補足
- ~/.ssh/known_hosts に自動的にホスト鍵が登録されている。
$ cat ~/.ssh/known_hosts 192.168.45.102 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnSMXVMsv6g7U0cxPaCsv1tNF+xuoe02GFbWtVYusgR5ob2wkJJ6j2d52zG/t6jZxRamdY6jPuwbNVYGgx5mfvl5nMu7TEouJET1mc31av3nN+Aj+pVD9meU9rTkLwiawhcul3EqpStSXRnLeT/yIJWvO3UlFRw06r5D9jxxcHfcF1LLYG1MA1xJ3L3mE10r+cHaf1l6KZYhzVejNDDrYQj7yI0TGSHCbesxolkiriIyIeXzvHKWGwNzMukCmXSbA463+DgKFoGDUH0xPix6awgUBuyNarMU+9hhuMLWho7pXabL4aqAGqVCkWXUxf0Y2fBiWdU6z1pv7SH5l9m4ftQ==
- ただし、この方法はホストの成りすましに対して無防備になるので、注意。
- 詳しくは man ssh_config で
$ man ssh_config ... StrictHostKeyChecking If this flag is set to ``yes'', ssh(1) will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to con- nect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, though it can be annoy- ing when the /etc/ssh_known_hosts file is poorly maintained or when connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set to ``no'', ssh will automatically add new host keys to the user known hosts files. If this flag is set to ``ask'', new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. The argument must be ``yes'', ``no'', or ``ask''. The default is ``ask''.