如何强制ssh从命令行接受新的主机指纹? [英] How can I force ssh to accept a new host fingerprint from the command line?

问题描述

我正在获取标准

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is

错误消息.但是，执行命令(我认为是sftp，并不重要)的系统(Appworx)是自动化的，即使与第三方供应商确认这是有效的更改后，我也不能轻易接受新密钥.我可以添加一个可以在同一系统(和用户)上执行的新Shell脚本，但是似乎没有命令或命令行参数告诉ssh接受密钥.我在手册页或Google中找不到任何内容.当然可以吗?

error message. However, the system (Appworx) that executes the command (sftp I think, not that it matters) is automated and I can't easily accept the new key, even after checking with the third party vendor that it is a valid change. I can add a new shell script that I can execute from the same system (and user), but there doesn't seem to be a command or command-line argument that will tell ssh to accept the key. I can't find anything in the man page or on Google. Surely this is possible?

推荐答案

以下是告诉客户信任密钥的方法.更好的方法是提前给它提供密钥，这已在第二段中进行了描述.这是针对Unix上的OpenSSH客户端的，所以我希望它与您的情况有关.

Here's how to tell your client to trust the key. A better approach is to give it the key in advance, which I've described in the second paragraph. This is for an OpenSSH client on Unix, so I hope it's relevant to your situation.

您可以设置StrictHostKeyChecking参数.它具有选项yes，no和ask.默认值为ask.要将其设置为系统范围，请编辑/etc/ssh/ssh_config;要为您自己设置，请编辑~/.ssh/config；并将其设置为单个命令，请在命令行中提供该选项，例如

You can set the StrictHostKeyChecking parameter. It has options yes, no, and ask. The default is ask. To set it system wide, edit /etc/ssh/ssh_config; to set it just for you, edit ~/.ssh/config; and to set it for a single command, give the option on the command line, e.g.

ssh -o "StrictHostKeyChecking no" hostname

如果您有权访问远程系统的主机密钥，则另一种方法是预先将其添加到您的known_hosts文件中，以便SSH知道它们并且不会提出问题.如果可能的话，从安全角度来看最好.毕竟，警告可能是正确的，您实际上可能会受到中间人攻击.

An alternative approach if you have access to the host keys for the remote system is to add them to your known_hosts file in advance, so that SSH knows about them and won't ask the question. If this is possible, it's better from a security point of view. After all, the warning might be right and you really might be subject to a man-in-the-middle attack.

例如，这是一个脚本，它将检索密钥并将其添加到您的known_hosts文件中:

For instance, here's a script that will retrieve the key and add it to your known_hosts file:

ssh -o 'StrictHostKeyChecking no' hostname cat /etc/ssh/ssh_host_dsa_key.pub >>~/.ssh/known_hosts

这篇关于如何强制ssh从命令行接受新的主机指纹?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！