如何强制 ssh 从命令行接受新的主机指纹? [英] How can I force ssh to accept a new host fingerprint from the command line?

问题描述

我得到了标准

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is

错误信息.但是，执行命令(我认为 sftp，无关紧要)的系统(Appworx)是自动化的，我无法轻易接受新密钥，即使在与第三方供应商确认它是有效更改之后也是如此.我可以添加一个可以从同一系统(和用户)执行的新 shell 脚本，但似乎没有命令或命令行参数告诉 ssh 接受密钥.我在手册页或 Google 上找不到任何内容.这肯定有可能吗?

error message. However, the system (Appworx) that executes the command (sftp I think, not that it matters) is automated and I can't easily accept the new key, even after checking with the third party vendor that it is a valid change. I can add a new shell script that I can execute from the same system (and user), but there doesn't seem to be a command or command-line argument that will tell ssh to accept the key. I can't find anything in the man page or on Google. Surely this is possible?

推荐答案

以下是告诉您的客户信任密钥的方法.更好的方法是提前给它密钥，我在第二段中已经描述过.这是针对 Unix 上的 OpenSSH 客户端，所以我希望它与您的情况相关.

Here's how to tell your client to trust the key. A better approach is to give it the key in advance, which I've described in the second paragraph. This is for an OpenSSH client on Unix, so I hope it's relevant to your situation.

您可以设置StrictHostKeyChecking 参数.它有选项yes、no 和ask.默认为ask.要在系统范围内设置它，请编辑 /etc/ssh/ssh_config;为你设置它，编辑 ~/.ssh/config;并将其设置为单个命令，请在命令行上提供选项，例如

You can set the StrictHostKeyChecking parameter. It has options yes, no, and ask. The default is ask. To set it system wide, edit /etc/ssh/ssh_config; to set it just for you, edit ~/.ssh/config; and to set it for a single command, give the option on the command line, e.g.

ssh -o "StrictHostKeyChecking no" hostname

如果您有权访问远程系统的主机密钥，另一种方法是提前将它们添加到您的 known_hosts 文件中，以便 SSH 知道它们并且不会提出问题.如果这是可能的，从安全的角度来看会更好.毕竟，警告可能是正确的，您可能真的会受到中间人攻击.

An alternative approach if you have access to the host keys for the remote system is to add them to your known_hosts file in advance, so that SSH knows about them and won't ask the question. If this is possible, it's better from a security point of view. After all, the warning might be right and you really might be subject to a man-in-the-middle attack.

例如，这里有一个脚本，它将检索密钥并将其添加到您的 known_hosts 文件中:

For instance, here's a script that will retrieve the key and add it to your known_hosts file:

ssh -o 'StrictHostKeyChecking no' hostname cat /etc/ssh/ssh_host_dsa_key.pub >>~/.ssh/known_hosts

这篇关于如何强制 ssh 从命令行接受新的主机指纹?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！