I have a bash script running on a host with IP1. The script does a ssh to a remote host with IP2
ssh ubuntu#IP2 "ls -l ~"
The ssh replies with a
The authenticity of host 'IP2 (IP2)' can't be established.
ECDSA key fingerprint is SHA256:S9ESYzoNs9dv/i/6T0aqXQoSXHM.
Are you sure you want to continue connecting (yes/no)?
I want to automate the response "yes" to the above ssh command. How can I do that from the bash script ?
IP2 is a random IP so I cannot add it to the known hosts list on host IP1.
If you don't want to verify/check the fingerprint you could use something like:
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ubuntu#IP2 "ls -l ~"
This is how it works:
-o UserKnownHostsFile=/dev/null
The UserKnownHostsFile parameter specifies the database file to use for storing the user host keys (default is ~/.ssh/known_hosts).
By configuring the null device file as the host key database, SSH is fooled into thinking that the SSH client has never connected to any SSH server before, and so will never run into a mismatched host key.
-o StrictHostKeyChecking=no
The parameter StrictHostKeyChecking specifies if SSH will automatically add new host keys to the host key database file. By setting it to no, the host key is automatically added, without user confirmation, for all first-time connection.
For more details: How to disable SSH host key checking
Have you tested "StrictHostKeyChecking" option:
ssh -o "StrictHostKeyChecking no" root#10.x.x.x
Related
My use case is I have to access AWS ec2 instances through a jumpbox.
Here is my SSH config.
Host awsjumpbox
User sshuser
HostName jumpboxhostname
IdentityFile /Users/myusername/.ssh/id_rsa
LocalForward 8022 10.0.168.43:22
It works when I do SCP command to copy files to the EC2 instance.
myusername % scp -r -i ~/aws/aws-keypair.pem -P 8022 * ec2-user#localhost:testdir
The authenticity of host '[localhost]:8022 ([::1]:8022)' can't be established.
ECDSA key fingerprint is SHA256:rrwr62yjP2cgUTT9SowdlrIwGi4jMMwt5x4Aj6E4Y3Y.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:8022' (ECDSA) to the list of known hosts.
/etc/profile.d/lang.sh: line 19: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
README.md 100% 1064 24.3KB/s 00:00
However, when I executed SSH command. It returns a strange IP address.
myusername % ssh -i ~/aws/aws-keypair.pem -P 8022 ec2-user#localhost
ssh: connect to host 0.0.31.86 port 22: No route to host
What is the cause of this issue? How do I fix it?
Thank you.
Don't use LocalForward and reverse the flow.
Use ProxyCommand or ProxyJump. This will allow SSH to open a session to your bastion server transparently.
E.g. your configuration should be something in the line of
Host 10.0.168.43
User root
ProxyCommand ssh -W %h:%p sshuser#awsjumpbox
...
or
Host 10.0.168.43
User root
ProxyJump sshuser#awsjumpbox
...
ssh address I want to alias is
ssh -o StrictHostKeyChecking=no username#hostipaddress#jumpServerAdress.com
I am populating in the MAC ~/.ssh/config as
Host prod
HostName hostipaddress
User usrname
ServerAliveInterval 100
ProxyJump jumpServerAdress.com
StrictHostKeyChecking no
GlobalKnownHostsFile /dev/null
UserKnownHostsFile /dev/null
When I do ssh prod..
it is not letting me inside the host
It signals me:
channel 0: open failed: connect failed: open failed
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host
Is there any mistake in the config I am doing please let me know ?
I tried this config which worked
Host jump
HostName jumpServerAdress.com
User jumpuser
Host prod
HostName hostipaddress
User usrname
ServerAliveInterval 100
ProxyJump jump
StrictHostKeyChecking no
GlobalKnownHostsFile /dev/null
UserKnownHostsFile /dev/null
assuming you have setup ssh keys correctly.
I have a complex SSH tunnel problem I'm trying to solve and can't seem to get it quite right.
Simply put:
ME -> Bastion:22 -> Instance:8500
Bastion uses a different username and key than instance. I would like to be able to access port 1234 on instance from localhost:1234
Right now I have the following:
Host bastion
HostName bastion.example.com
ForwardAgent yes
IdentityFile ~/.ssh/id_ecdsa
User spanky
Host internal
ForwardAgent yes
HostName consul.internal
IdentityFile ~/.ssh/aws.pem
ProxyJump bastion
User ec2-user
Port 8500
But I don't think I've got it.
The following two commands work, but I'm trying to distill them into a working config:
ssh -L 2222:10.0.0.42:22 bastion.example.com -N -i ~/.ssh/id_ecdsa
ssh -L 8500:localhost:8500 ec2-user#localhost -N -i ~/.ssh/aws.pem -p 2222
With a current version of ssh, you should be able to use:
ssh -L1234:localhost:1234 -J spanky#bastion.example.com ec2-user#consul.internal
From man ssh:
-J destination
Connect to the target host by first making a ssh
connection to the jump host described by destination and then
establishing a TCP forwarding to the ultimate destination from there.
Multiple jump hops may be specified separated by comma characters.
This is a shortcut to specify a ProxyJump configuration directive.
I've setup ssh keys form server A to server B and I can login to server B without a password. I'm trying to setup a reverse ssh tunnel in a bash script. From the command line if I do
ssh -N -R 1234:localhost:22 user#mydomain.co.uk -p 22
form server A it works as expected i.e no password required, however if I use it in a script
#!/bin/bash
/usr/bin/ssh -N -R 1234:localhost:22 user#mydomain.co.uk -p 22
I get asked for the password
user#mydomain.co.uk's password:
How do I make it so it uses the keys?
You need to let ssh know where it should search for the keys, if they are not in standard location and not passphrase protected. The easiest thing is by specifying -i switch directly to ssh:
/usr/bin/ssh -i /path/to/key -N -R 1234:localhost:22 user#mydomain.co.uk -p 22
Or cleaner way in your ~/.ssh/config like this:
Host mydomain.co.uk
IdentityFile /path/to/key
But make sure the script is run with your user context, so the script will see the configuration file.
If you have keys in standard location (~/.ssh/id_rsa), your code should work just fine. Although it should work if you have your keys stored in ssh-agent, which you can verify using ssh-add -L before starting the script. ssh-agent also solve the problem, if he keys are passphrase protected.
Hi I have a list of few hundred hosts. I want to run a command using ssh in a loop, if my ssh keys are set properly, then I execute a command if I get challenge for password I want to skip to the next host
So lets say I have hosta and hostb and hostc. I can do a ssh to hosta & hostc , but hostb is challenging me for password. Is there a way to check if a hosts will challenge me for password or not? So my logic would be
if I get challenge from $host; then
skip host
else
ssh $host 'command'
fi
I hope this makes sense. Thanking you in advance
for host in host1 host2 host3; do
ssh -o PasswordAuthentication=no $host command
done
To make it parallel add &:
for host in host1 host2 host3; do
ssh -o PasswordAuthentication=no $host command &
done
If this is a thing you do regularly, I would suggest looking at dsh.
http://www.tecmint.com/using-dsh-distributed-shell-to-run-linux-commands-across-multiple-machines/
it allows you to make a list of your servers, and run commands against ALL of them, or just subsets(web, db, app, etc)
you can create global files, or create your own personal files.
ssh has an option, called BatchMode.
You can use it like
ssh -o BatchMode ...
and it won't ask you anything, but skip the connection attempt.
Or use rundeck - this can be found at http://rundeck.org