ablog

Notes from a clumsy, restless engineer

How to suppress the "Are you sure you want to continue connecting (yes/no)?" prompt on first ssh login

What I want to do

I want ssh to stop asking "Are you sure you want to continue connecting (yes/no)?" the first time I log in to a host.

$ ssh oracle@192.168.45.102
The authenticity of host '192.168.45.102 (192.168.45.102)' can't be established.
RSA key fingerprint is d6:89:e2:2a:2d:44:87:9a:76:10:25:07:c6:5e:00:32.
Are you sure you want to continue connecting (yes/no)?

How to do it

  • Add the following to ~/.ssh/config on the client side.
$ vi ~/.ssh/config
host *
    StrictHostKeyChecking no
  • Try a first-time login with ssh.
$ ssh oracle@192.168.45.102
Warning: Permanently added '192.168.45.102' (RSA) to the list of known hosts.

The "Are you sure you want to continue connecting (yes/no)?" prompt no longer appears.

Supplementary notes

  • The host key has been registered in ~/.ssh/known_hosts automatically.
$ cat ~/.ssh/known_hosts
192.168.45.102 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnSMXVMsv6g7U0cxPaCsv1tNF+xuoe02GFbWtVYusgR5ob2wkJJ6j2d52zG/t6jZxRamdY6jPuwbNVYGgx5mfvl5nMu7TEouJET1mc31av3nN+Aj+pVD9meU9rTkLwiawhcul3EqpStSXRnLeT/yIJWvO3UlFRw06r5D9jxxcHfcF1LLYG1MA1xJ3L3mE10r+cHaf1l6KZYhzVejNDDrYQj7yI0TGSHCbesxolkiriIyIeXzvHKWGwNzMukCmXSbA463+DgKFoGDUH0xPix6awgUBuyNarMU+9hhuMLWho7pXabL4aqAGqVCkWXUxf0Y2fBiWdU6z1pv7SH5l9m4ftQ==
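  • Be careful, though: this method leaves you defenseless against host impersonation, because a new host key is accepted without any verification.
  • For details, see man ssh_config.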
$ man ssh_config
...
     StrictHostKeyChecking
             If this flag is set to ``yes'', ssh(1) will never automatically
             add host keys to the ~/.ssh/known_hosts file, and refuses to con-
             nect to hosts whose host key has changed.  This provides maximum
             protection against trojan horse attacks, though it can be annoy-
             ing when the /etc/ssh_known_hosts file is poorly maintained or
             when connections to new hosts are frequently made.  This option
             forces the user to manually add all new hosts.  If this flag is
             set to ``no'', ssh will automatically add new host keys to the
             user known hosts files.  If this flag is set to ``ask'', new host
             keys will be added to the user known host files only after the
             user has confirmed that is what they really want to do, and ssh
             will refuse to connect to hosts whose host key has changed.  The
             host keys of known hosts will be verified automatically in all
             cases.  The argument must be ``yes'', ``no'', or ``ask''.  The
             default is ``ask''.
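
As an added example (not part of the original post): one way to avoid the prompt without turning checking off is to register the host key in known_hosts yourself, after comparing it with a fingerprint obtained out of band. The function names `hostkey_md5_fp` and `pin_host_key` are hypothetical, and GNU `base64 -d` and `md5sum` are assumed.

```shell
# Added example: pin a host key only when it matches a fingerprint obtained
# out of band, so StrictHostKeyChecking can stay enabled.
# Assumptions: GNU coreutils (base64 -d, md5sum); function names are hypothetical.

# Print the legacy colon-separated MD5 fingerprint of one known_hosts-style
# line ("host keytype base64blob"), i.e. the format of the ssh prompt above.
hostkey_md5_fp() {
    blob=$(printf '%s\n' "$1" | awk '{print $3}')
    [ -n "$blob" ] || return 2
    # Refuse blobs that are not valid base64 instead of hashing garbage.
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 2
    printf '%s' "$blob" | base64 -d | md5sum | cut -c1-32 |
        sed 's/../&:/g; s/:$//'
}

# Read candidate key lines on stdin and append to file $2 only those whose
# fingerprint equals $1. Returns 0 if a key was pinned, 1 if none matched.
pin_host_key() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    known_hosts=$2
    pinned=1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        fp=$(hostkey_md5_fp "$line") || continue
        if [ "$fp" = "$expected" ]; then
            # Do not add the same line twice.
            grep -qxF -- "$line" "$known_hosts" 2>/dev/null ||
                printf '%s\n' "$line" >> "$known_hosts"
            pinned=0
        else
            echo "fingerprint mismatch, not pinned: $fp" >&2
        fi
    done
    return "$pinned"
}

# Typical use (needs network, so not executed here):
#   ssh-keyscan -t rsa 192.168.45.102 |
#       pin_host_key "$FINGERPRINT_FROM_CONSOLE" ~/.ssh/known_hosts
#   ssh -o StrictHostKeyChecking=yes oracle@192.168.45.102
```

Current OpenSSH prints SHA256 fingerprints by default; `ssh-keygen -E md5 -lf` on the server's public host key file gives the colon-separated MD5 form compared here.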