Suppressing ssh yes/no message


I have a shell script that connects to a pool of servers which change
IP addresses often, so I encounter the typical message:

The authenticity of host '' can't be established.
RSA key fingerprint is xxxxxx
Are you sure you want to continue connecting (yes/no)

Authentication is done using ssh keys, so all I need is to get past
this dialog automatically.

I have checked the ssh man page, but there is no option to suppress the
yes/no message, and therefore I have to type it in manually every time
I execute my shell script.
As I am no unix guru, I wonder whether there is any way I can suppress the
message, or automatically provide "yes" input to ssh to avoid all this.


Re: Suppressing ssh yes/no message

mr. x wrote:

It's among the "-o" options to use settings from ssh_config. The option
in question is, I believe, '-o "StrictHostKeyChecking no"'. The default
setting is "StrictHostKeyChecking ask", which is what you're running into.

You can also change it in your personal $HOME/.ssh/config file, but I
don't recommend that. It's useful for normal connections.
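As an added illustration (not from this thread), here is what the two choices look like when written into ssh_config instead of passed with -o. The host pattern, the name of the dedicated known_hosts file and the idea of filling that file from verified keys are assumptions for the example; StrictHostKeyChecking and CheckHostIP are the options discussed in this thread, UserKnownHostsFile is a standard ssh_config option.

```ssh_config
# Weak: the one-liner from the reply above, as a config stanza. The prompt
# goes away, and so does the check that protects a key-based login from a
# host that is not the one you think it is.
#   (same as: ssh -o "StrictHostKeyChecking no" user@host)
#   Host *.pool.example.test
#       StrictHostKeyChecking no

# Corrected: scope the change to the pool only, require the key to be known
# already, and keep the pool's keys in their own file that is populated
# from verified fingerprints (for example ssh-keyscan output compared with
# your own inventory) rather than on first contact. CheckHostIP no stops the
# changing addresses from mattering, provided the script connects by the
# stable host names and not by bare IP.
Host *.pool.example.test
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_pool
    CheckHostIP no
```

With this stanza the script never sees the yes/no dialog for a pool member whose key is in known_hosts_pool, and a pool member whose key is missing or different is refused outright, which is exactly the case a script cannot safely answer "yes" to.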

Re: Suppressing ssh yes/no message

The next problem the original poster will run into is that
the identity of the host changed.
That's in the FAQ.

Regards, Scott

Re: Suppressing ssh yes/no message (mr. x) writes:

man ssh:
    Additionally, the file /etc/ssh/ssh_known_hosts is automatically checked
    for known hosts.  Any new hosts are automatically added to the user's
    file.  If a host's identification ever changes, ssh warns about this and
    disables password authentication to prevent a trojan horse from getting
    the user's password.  Another purpose of this mechanism is to prevent
    man-in-the-middle attacks which could otherwise be used to circumvent the
    encryption.  The StrictHostKeyChecking option can be used to prevent
    logins to machines whose host key is not known or has changed.

man ssh_config:
         If this flag is set to ``yes'', ssh will never automatically add
         host keys to the $HOME/.ssh/known_hosts file, and refuses to connect
         to hosts whose host key has changed.  This provides maximum
         protection against trojan horse attacks, however, can be annoying
         when the /etc/ssh/ssh_known_hosts file is poorly maintained, or
         connections to new hosts are frequently made.  This option forces
         the user to manually add all new hosts.  If this flag is set to
         ``no'', ssh will automatically add new host keys to the user known
         hosts files.  If this flag is set to ``ask'', new host keys will be
         added to the user known host files only after the user has
         confirmed that is what they really want to do, and ssh will refuse
         to connect to hosts whose host key has changed.  The host keys of
         known hosts will be verified automatically in all cases.  The
         argument must be ``yes'', ``no'' or ``ask''.  The default is ``ask''.

'course a key distribution mechanism would be the correct way to eliminate the
symptom and maintain all of the security you might expect from the use of ssh.


Re: Suppressing ssh yes/no message

$ man ssh_config
     If this flag is set to ``yes'', ssh will additionally check the
     host IP address in the known_hosts file.  This allows ssh to
     detect if a host key changed due to DNS spoofing.  If the option
     is set to ``no'', the check will not be executed.  The default is

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: Suppressing ssh yes/no message (Darren Tucker) writes:

[I want to clarify both for the original poster and so that someone can
correct me if I'm misunderstanding this.]

Turning CheckHostIP off will only help if a name is being used to specify
the machine.  That name will need to be the same each time, thus the
resolver (DNS server, /etc/hosts, ...) will need to be able to track it.

This does seem like a more reasonable approach to take than just turning
off host key checking.
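To make the trade-offs in this thread concrete, here is an added Python model that is not code from the thread or from OpenSSH. It covers two points raised above: the key distribution step (building known_hosts from fingerprints you already trust, so nothing is taken on first contact) and the CheckHostIP point in this reply (the name is checked first, the IP only when CheckHostIP is on). Host names, IP addresses and key material are constructed for the example, and the decision function is a simplified reading of the documented semantics quoted earlier in the thread, not OpenSSH's actual code path.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """Length-prefixed string, the encoding used inside OpenSSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw32):
    """Base64 key blob in the form known_hosts and ssh-keyscan use.
    raw32 is toy key material for this example, not a real server's key."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()


# Constructed sample keys: K1 is "db1's" genuine key, K2 is someone else's.
K1_BLOB = make_ed25519_blob(bytes(range(32)))
K2_BLOB = make_ed25519_blob(bytes(range(32, 64)))


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256:<base64 of sha256(blob), no '=' padding>."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def provision_known_hosts(scanned_lines, pinned):
    """Key distribution step: build known_hosts text from ssh-keyscan-style
    lines ("host keytype blob"), keeping only keys whose fingerprint matches
    the pin recorded out of band (inventory, provisioning system) for that
    host. A key answered by an impostor during the scan never gets written."""
    kept = []
    for line in scanned_lines:
        host, keytype, blob = line.split()[:3]
        if pinned.get(host) == fingerprint(blob):
            kept.append(f"{host} {keytype} {blob}")
    return "".join(entry + "\n" for entry in kept)


def parse_known_hosts(text):
    """Map each plain host pattern (name or IP) to its (keytype, blob).
    Hashed "|1|..." entries are skipped to keep the example short."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|1|")):
            continue
        hosts, keytype, blob = line.split()[:3]
        for host in hosts.split(","):
            keys[host] = (keytype, blob)
    return keys


def host_key_decision(known_hosts_text, hostname, ip, presented,
                      strict="ask", check_host_ip=True):
    """Simplified model of the client's known_hosts decision.
    presented is the (keytype, blob) the server just offered; hostname is
    whatever was typed on the command line (a name or a bare IP)."""
    keys = parse_known_hosts(known_hosts_text)
    by_name = keys.get(hostname)
    by_ip = keys.get(ip) if check_host_ip else None

    if by_name is not None:
        # Known host: the only question is whether the key is still the same.
        if by_name != presented:
            return "refuse-changed-key"        # the "identity changed" FAQ case
        if by_ip is not None and by_ip != presented:
            return "warn-ip-key-differs"       # CheckHostIP's DNS-spoofing signal
        return "connect"

    # Nothing on record under this name; an IP entry alone does not vouch for
    # a new name, so StrictHostKeyChecking decides what happens.
    if strict == "yes":
        return "refuse-unknown-host"
    if strict == "no":
        return "connect-and-add"
    return "prompt-yes-no"                     # the dialog the thread is about


if __name__ == "__main__":
    K1 = ("ssh-ed25519", K1_BLOB)
    pins = {"db1.example.test": fingerprint(K1_BLOB)}   # from inventory, not from the scan
    scan = [f"db1.example.test ssh-ed25519 {K1_BLOB}",
            f"db2.example.test ssh-ed25519 {K2_BLOB}"]  # db2 has no pin, so it is dropped
    known = provision_known_hosts(scan, pins)
    print(known, end="")
    # Same name, new IP: no prompt, because the key on record for the name matches.
    print(host_key_decision(known, "db1.example.test", "10.0.0.9", K1))
    # Script addressing the pool by bare IP: every new address is a new host.
    print(host_key_decision(known, "10.0.0.9", "10.0.0.9", K1))
```

The two printed decisions are the whole point of the later replies: a script that connects by stable names to hosts whose keys were distributed in advance never reaches the prompt and still refuses a changed key, while a script that connects by ever-changing IP addresses hits the prompt on every new address no matter what CheckHostIP is set to, which is why the only way to silence it in that setup is to give up the check.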

