------------------
If your Linux shell scripts are getting tripped up by SSH fingerprints, Jack Wallen has an easy solution to avoid the problem.
Let’s say you’ve written a bash script that scans all of your Linux servers in your data center for uptime. Such a file could contain the following contents:
ssh $1 "uptime"
When you run your script, it may get foiled by an issue where it is stopped by a server that has yet to have its SSH key fingerprint added to the known_hosts file. When this happens, your script is rendered useless.
SSH key fingerprint
What is an SSH key fingerprint? Simple: It is the fingerprint of a key that is verified when you try to login to a remote computer using SSH. When you log into an SSH server for the first time, you’ll see something like that shown in Figure A.
Figure A
If you don’t accept the fingerprint, the connection will be immediately broken. So what happens when you’re working with a bash script that cannot accept input, in order to okay the addition of the remote SSH fingerprint?
Fortunately, the developers of SSH thought of this, and have added a command that allows you to easily add SSH fingerprints to the known_hosts file.
Adding the fingerprint
I’ll demonstrate adding the fingerprint from a remote serve to a local machine. Let’s say the remote server is at 192.168.1.162. To add that fingerprint, the command would be:
ssh-keyscan -H 192.168.1.162 >> ~/.ssh/known_hosts
The command will run and add the remote SSH fingerprint to the local machine, without your input (Figure B).
Figure B
So an addition to the bash script could look like:
ssh-keyscan $1 >> ~/.ssh/known_hosts
The above addition would take the argument from the command (say, for example, ./script 192.168.1.118) and add the fingerprint to ~/.ssh/known_hosts before it then moves to the next line–thereby avoiding the missing SSH fingerprint issue. Of course the above would only work properly if you have ssh key authentication setup. Otherwise, you’d have to enter the remote machine’s password.
The simple things
Sometimes it’s the simple things that trip up our bash scripts. If that key fingerprint issue has been causing you headaches with your scripts, you now have the means of avoiding the issue.