
How to automatically add a server to known_hosts? (and not use the md5 fingerprint; I mean a secure way, so please don't send "auto yes/accept" solutions. I want to bring the required credentials from the server to the machine)

I'd like to automatically update my ssh known_hosts file to accept a new server.

I assume that I need to add the server's public key (id_rsa.pub obtained through a secure channel), but what I see is that the format is different (I've tried adding it like this: awk '{print "server "$1" "$2}' id_rsa.pub > .ssh/known_hosts, and verification failed. Please note that I don't want to use the md5 fingerprint due to flaws in md5). If something other than id_rsa.pub would be useful, I can run commands on the server and obtain the results through a trusted channel. (Please note that it is not a network channel (think of physically bringing a pendrive from one place to another), so ssh-keyscan does not solve the problem; what's more, id_rsa.pub is the key of a dropbear server that is not running on the server, so only the files with keys are available, not the server.)

    1 Answer


    The name id_rsa.pub looks like a user's public key. This has nothing to do with known_hosts: known_hosts stores host keys. Host keys, as the name indicates, authenticate a host (i.e. a computer), whereas user keys authenticate a user. Host public keys of OpenSSH are typically located in /etc or /etc/ssh and called something like ssh_host_rsa_key.pub.

    Dropbear has a single file containing the private key. To extract the public key (in a format that is compatible between Dropbear and OpenSSH), run

    dropbearkey -f /etc/dropbear/dropbear_rsa_host_key -y | sed -n 2p >host_key.pub 

    I don't think OpenSSH comes with a command to update the known_hosts file. It's easy enough to do manually:

    echo "$server_name,$server_ip_address $(cat server_ssh_host_rsa_key.pub)" >>~/.ssh/known_hosts 

    If you want to hash host names (so that someone who reads your known_hosts file cannot know the names of these servers — it's a very minor privacy gain), run ssh-keygen -H afterwards.
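As an added example (not part of the question or the answer above): a small Python helper that builds the known_hosts entry the answer describes from a public key line such as the one dropbearkey -y emits, checks that the base64 blob really encodes the declared key type, reports the SHA256 fingerprint (what ssh-keygen -lf prints) rather than MD5, and appends the entry only if it is not already present. The hostnames, the tiny demo key blob and the file path are constructed assumptions, not real values.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

# Constructed demo blob in "ssh-rsa" layout (type, e, n) with a meaningless
# 3-byte modulus, only so the example runs offline. This is NOT a real key.
DEMO_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xc3\x9f\x2b")
DEMO_B64 = base64.b64encode(DEMO_BLOB).decode()
DEMO_PUBKEY_LINE = "ssh-rsa " + DEMO_B64 + " root@server"   # shape of host_key.pub

def parse_pubkey_line(line: str):
    """Parse '<type> <base64> [comment]' and verify the blob encodes that type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)      # rejects garbage/truncation
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("declared key type does not match the key blob")
    return keytype, b64

def sha256_fingerprint(b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint (base64, padding stripped), not MD5."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def known_hosts_entry(hostnames, pubkey_line: str) -> str:
    """Build the 'name,ip <type> <base64>' line the answer appends by hand."""
    keytype, b64 = parse_pubkey_line(pubkey_line)
    return f"{','.join(hostnames)} {keytype} {b64}"

def add_entry(existing_lines, hostnames, pubkey_line: str):
    """Return (lines, added). Skips the append if this key is already listed
    for all of the given hostnames. Hashed (|1|...) lines are never matched."""
    keytype, b64 = parse_pubkey_line(pubkey_line)
    for line in existing_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[1] == keytype and fields[2] == b64:
            if set(fields[0].split(",")) >= set(hostnames):
                return list(existing_lines), False
    return list(existing_lines) + [known_hosts_entry(hostnames, pubkey_line)], True

if __name__ == "__main__":
    # Assumed path; hostnames are placeholders for the server name and address.
    path = "/tmp/known_hosts_demo"
    try:
        current = open(path).read().splitlines()
    except FileNotFoundError:
        current = []
    lines, added = add_entry(current, ["server", "192.0.2.10"], DEMO_PUBKEY_LINE)
    open(path, "w").write("\n".join(lines) + "\n")
    print("added" if added else "already present", sha256_fingerprint(DEMO_B64))
```

Compare the printed SHA256 fingerprint against ssh-keygen -lf host_key.pub run on the server to confirm the key carried over on the pendrive is the one you expected.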
