如何强制 ssh 从命令行接受新的主机指纹? [英] How can I force ssh to accept a new host fingerprint from the command line?
问题描述
我得到了标准
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
错误信息.但是,执行命令(我认为 sftp,无关紧要)的系统(Appworx)是自动化的,我无法轻易接受新密钥,即使在与第三方供应商确认它是有效更改之后也是如此.我可以添加一个可以从同一系统(和用户)执行的新 shell 脚本,但似乎没有命令或命令行参数告诉 ssh 接受密钥.我在手册页或 Google 上找不到任何内容.这肯定有可能吗?
error message. However, the system (Appworx) that executes the command (sftp I think, not that it matters) is automated and I can't easily accept the new key, even after checking with the third party vendor that it is a valid change. I can add a new shell script that I can execute from the same system (and user), but there doesn't seem to be a command or command-line argument that will tell ssh to accept the key. I can't find anything in the man page or on Google. Surely this is possible?
推荐答案
以下是告诉您的客户信任密钥的方法.更好的方法是提前给它密钥,我在第二段中已经描述过.这是针对 Unix 上的 OpenSSH 客户端,所以我希望它与您的情况相关.
Here's how to tell your client to trust the key. A better approach is to give it the key in advance, which I've described in the second paragraph. This is for an OpenSSH client on Unix, so I hope it's relevant to your situation.
您可以设置StrictHostKeyChecking
参数.它有选项yes
、no
和ask
.默认为ask
.要在系统范围内设置它,请编辑 /etc/ssh/ssh_config
;为你设置它,编辑 ~/.ssh/config
;并将其设置为单个命令,请在命令行上提供选项,例如
You can set the StrictHostKeyChecking
parameter. It has options yes
, no
, and ask
. The default is ask
. To set it system wide, edit /etc/ssh/ssh_config
; to set it just for you, edit ~/.ssh/config
; and to set it for a single command, give the option on the command line, e.g.
ssh -o "StrictHostKeyChecking no" hostname
如果您有权访问远程系统的主机密钥,另一种方法是提前将它们添加到您的 known_hosts
文件中,以便 SSH 知道它们并且不会提出问题.如果这是可能的,从安全的角度来看会更好.毕竟,警告可能是正确的,您可能真的会受到中间人攻击.
An alternative approach if you have access to the host keys for the remote system is to add them to your known_hosts
file in advance, so that SSH knows about them and won't ask the question. If this is possible, it's better from a security point of view. After all, the warning might be right and you really might be subject to a man-in-the-middle attack.
例如,这里有一个脚本,它将检索密钥并将其添加到您的 known_hosts 文件中:
For instance, here's a script that will retrieve the key and add it to your known_hosts file:
ssh -o 'StrictHostKeyChecking no' hostname cat /etc/ssh/ssh_host_dsa_key.pub >>~/.ssh/known_hosts
这篇关于如何强制 ssh 从命令行接受新的主机指纹?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!