ssh: The authenticity of host 'hostname' can't be established

时光取名叫无心 2020-12-04 05:04

When I ssh to a machine, sometimes I get this error warning and it prompts me to say "yes" or "no". This causes some trouble when running from scripts that automatically ssh.

16 answers
  •  轻奢々 (original poster)
    2020-12-04 06:01

    Ideally, you should create a self-managed certificate authority. Start with generating a key pair: ssh-keygen -f cert_signer

    Then sign each server's public host key: ssh-keygen -s cert_signer -I cert_signer -h -n www.example.com -V +52w /etc/ssh/ssh_host_rsa_key.pub

    This generates a signed public host key: /etc/ssh/ssh_host_rsa_key-cert.pub

    In /etc/ssh/sshd_config, point the HostCertificate to this file: HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

    Restart the sshd service: service sshd restart

    Then on the SSH client, add the following to ~/.ssh/known_hosts: @cert-authority *.example.com ssh-rsa AAAAB3Nz...cYwy+1Y2u/

    The above contains:

    • @cert-authority
    • The domain *.example.com
    • The full contents of the public key cert_signer.pub

    The cert_signer public key will trust any server whose public host key is signed by the cert_signer private key.

    Although this requires a one-time configuration on the client side, you can trust multiple servers, including those that haven't been provisioned yet (as long as you sign each server, that is).

    For more details, see this wiki page.
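
To see which hosts a `@cert-authority` line like the one in the answer above actually covers, here is an added example (not part of the answer or of OpenSSH) that models known_hosts pattern matching. The function names and the sample file with placeholder key blobs are constructed for illustration; hashed host names and `[host]:port` entries are not handled.

```python
import re

def _pattern_re(pat):
    # known_hosts wildcards: '*' = any run of characters (dots included), '?' = exactly one.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
    return re.compile(body + r"\Z", re.DOTALL)

def host_matches(patterns, host):
    """Comma-separated pattern list; a hit on any '!pattern' vetoes the whole line."""
    host, hit = host.lower(), False  # ssh lowercases the host name before lookup
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if _pattern_re(pat[1:] if negated else pat).match(host):
            if negated:
                return False
            hit = True
    return hit

def trusted_cas(known_hosts, host):
    """Return 'keytype key' for every CA whose signature is accepted for host."""
    cas, revoked = [], set()
    for line in known_hosts.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].startswith("@"):
            continue  # blank line, comment, or plain per-host key entry
        marker, patterns, key = f[0], f[1], " ".join(f[2:4])
        if patterns.startswith("|1|") or not host_matches(patterns, host):
            continue  # hashed names cannot carry wildcards; skipped in this sketch
        if marker == "@revoked":
            revoked.add(key)
        elif marker == "@cert-authority":
            cas.append(key)
    return [k for k in cas if k not in revoked]

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = """\
# host CA for production, as in the answer
@cert-authority *.example.com ssh-ed25519 AAAA_CA_PROD_PLACEHOLDER cert_signer
@cert-authority *.lab.example.com,!bastion.lab.example.com ssh-ed25519 AAAA_CA_LAB_PLACEHOLDER
@revoked * ssh-ed25519 AAAA_CA_OLD_PLACEHOLDER
@cert-authority * ssh-ed25519 AAAA_CA_OLD_PLACEHOLDER
legacy.example.com ssh-ed25519 AAAA_PLAIN_HOST_KEY_PLACEHOLDER
"""

if __name__ == "__main__":
    for h in ("www.example.com", "db1.lab.example.com", "example.com"):
        print(h, "->", trusted_cas(SAMPLE, h))
```

Note that `*.example.com` does not cover the bare name `example.com`, and that a `*` pattern on a CA line would trust that CA for every host the client connects to.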
