https://caloskao.org/categories/ssh/Recent content in SSH on 卡螺絲Hugo -- gohugo.iozh-HantThu, 07 May 2026 15:42:17 +0800https://caloskao.org/ssh-avoid-key-checking-when-connect-to-new-host/Fri, 21 Nov 2025 00:00:00 +0800https://caloskao.org/ssh-avoid-key-checking-when-connect-to-new-host/<img src="https://caloskao.org/images/logo/linux.jpg" alt="Featured image of post SSH - 連接新主機時跳過 Key Checking" /><h1 id="ssh---連接新主機時跳過-key-checking">SSH - 連接新主機時跳過 Key Checking </h1><p>使用 SSH 首次連接未知主機時都會詢問是否加入 known hosts:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">The authenticity of host &#39;172.16.1.251 (172.16.1.251)&#39; can&#39;t be established. </span></span><span class="line"><span class="cl">ECDSA key fingerprint is SHA256:QsGHt7QytEa6v3kp+c/31Yz0jhefppoUrgJZD1jUDOA. </span></span><span class="line"><span class="cl">Are you sure you want to continue connecting (yes/no/[fingerprint])? </span></span></code></pre></td></tr></table> </div> </div><p>過去作法: <code>StrictHostKeyChecking=no</code> (不安全)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ssh -o StrictHostKeyChecking=no root@172.16.1.251 </span></span></code></pre></td></tr></table> </div> </div><p>OpenSSH 7.6 為 <code>StrictHostKeyChecking</code> 加入新參數 <code>accept-new</code></p> <p>首次連接主機時，會自動將主機 host-key 加入 ~/.ssh/known_hosts</p> <p>如果 host-key 變更了，依然能到起到警示的作用</p> <blockquote> <ul> <li>ssh(1): expand the StrictHostKeyChecking option with two new<br> settings. The first &ldquo;accept-new&rdquo; will automatically accept<br> hitherto-unseen keys but will refuse connections for changed or<br> invalid hostkeys. This is a safer subset of the current behaviour<br> of StrictHostKeyChecking=no. The second setting &ldquo;off&rdquo;, is a synonym<br> for the current behaviour of StrictHostKeyChecking=no: accept new<br> host keys, and continue connection for hosts with incorrect<br> hostkeys. A future release will change the meaning of<br> StrictHostKeyChecking=no to the behaviour of &ldquo;accept-new&rdquo;. bz#2400</li> </ul> </blockquote> <p>將參數換成 <code>accept-new</code> 後，直接加入 host-key 並建立連線</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ssh -o StrictHostKeyChecking=accept-new root@172.16.1.251 </span></span><span class="line"><span class="cl">Warning: Permanently added &#39;172.16.1.251&#39; (ECDSA) to the list of known hosts. </span></span><span class="line"><span class="cl">root@172.16.1.251&#39;s password: </span></span></code></pre></td></tr></table> </div> </div><p>也可以在<code>/etc/ssh/ssh_config</code>直接加入設定</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">Include /etc/ssh/ssh_config.d/*.conf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host * </span></span><span class="line"><span class="cl"><span class="c1"># ForwardAgent no</span> </span></span><span class="line"><span class="cl"><span class="c1"># ForwardX11 no</span> </span></span><span class="line"><span class="cl"><span class="c1"># ForwardX11Trusted yes</span> </span></span><span class="line"><span class="cl"><span class="c1"># PasswordAuthentication yes</span> </span></span><span class="line"><span class="cl"><span class="c1"># HostbasedAuthentication no</span> </span></span><span class="line"><span class="cl"><span class="c1"># GSSAPIAuthentication no</span> </span></span><span class="line"><span class="cl"><span class="c1"># GSSAPIDelegateCredentials no</span> </span></span><span class="line"><span class="cl"><span class="c1"># GSSAPIKeyExchange no</span> </span></span><span class="line"><span class="cl"><span class="c1"># GSSAPITrustDNS no</span> </span></span><span class="line"><span class="cl"><span class="c1"># BatchMode no</span> </span></span><span class="line"><span class="cl"><span class="c1"># CheckHostIP yes</span> </span></span><span class="line"><span class="cl"><span class="c1"># AddressFamily any</span> </span></span><span class="line"><span class="cl"><span class="c1"># ConnectTimeout 0</span> </span></span><span class="line"><span class="cl"><span class="c1"># StrictHostKeyChecking ask</span> </span></span><span class="line"><span class="cl"> StrictHostKeyChecking accept-new <span class="c1"># 這邊</span> </span></span><span class="line"><span class="cl"><span class="c1"># IdentityFile ~/.ssh/id_rsa</span> </span></span><span class="line"><span class="cl"><span class="c1"># IdentityFile ~/.ssh/id_dsa</span> </span></span><span class="line"><span class="cl"><span class="c1"># IdentityFile ~/.ssh/id_ecdsa</span> </span></span><span class="line"><span class="cl"><span class="c1"># IdentityFile ~/.ssh/id_ed25519</span> </span></span><span class="line"><span class="cl"><span class="c1"># Port 22</span> </span></span><span class="line"><span class="cl"><span class="c1"># Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc</span> </span></span><span class="line"><span class="cl"><span class="c1"># MACs hmac-md5,hmac-sha1,umac-64@openssh.com</span> </span></span><span class="line"><span class="cl"><span class="c1"># EscapeChar ~</span> </span></span><span class="line"><span class="cl"><span class="c1"># Tunnel no</span> </span></span><span class="line"><span class="cl"><span class="c1"># TunnelDevice any:any</span> </span></span></code></pre></td></tr></table> </div> </div><p>但是還有比直接覆寫系統層級設定更好的選擇，那就是使用者個人設定： <code>~/.ssh/config</code></p> <p>將 <code>StrictHostKeyChecking accept-new</code> 加到 <code>Host *</code> block 內存檔後即生效</p> <p>這樣使用 <code>ssh</code> 指令就不用再打 <code>-o StrictHostKeyChecking=accept-new</code> 了</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">Host * </span></span><span class="line"><span class="cl"> IdentityFile ~/.ssh/id_rsa </span></span><span class="line"><span class="cl"> <span class="c1"># Send keep-alive packet in every 5 minutes (300 seconds).</span> </span></span><span class="line"><span class="cl"> ServerAliveInterval <span class="m">300</span> </span></span><span class="line"><span class="cl"> <span class="c1"># Close SSH session when 2 keep-alive packets send failed.</span> </span></span><span class="line"><span class="cl"> ServerAliveCountMax <span class="m">2</span> </span></span><span class="line"><span class="cl"> <span class="c1"># Auto add unknown host into ~/.ssh/known_hosts</span> </span></span><span class="line"><span class="cl"> StrictHostKeyChecking accept-new </span></span></code></pre></td></tr></table> </div> </div><hr> <blockquote> <p>Reference: <a class="link" href="https://unix.stackexchange.com/a/33273/331501" target="_blank" rel="noopener" >key authentication - how to avoid ssh asking permission? - Unix &amp; Linux Stack Exchange</a></p> </blockquote>