I have a script that deals with some servers in an environment where new hosts are added once in a while. I'd like to avoid being asked whether a new fingerprint should be accepted, but be warned if any previously known fingerprint has been changed. Turning off StrictHostKeyChecking is not an option because it will leave me vulnerable to MITM attacks. What would be the most elegant way to silently accept new servers' fingerprints in this case?
- The most elegant way would be to [manage the SSH keys with a CA](https://serverfault.com/questions/242434/docs-for-openssh-ca-based-certificate-based-authentication). – Gerald Schneider Oct 16 '17 at 14:44
- Thank you, anx. I have a list of hosts I'll be working with, so adding fingerprints that are not in known hosts solves my problem: new hosts are added, existing fingerprints are checked. – Artem Yartsev Oct 16 '17 at 15:59
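A script implementing the approach in the last comment, added here as an example that is not from the question or its commenters: hosts from a list get their key recorded only when known_hosts has no entry for them, while existing entries stay untouched so a changed key is still rejected. The host names, file paths and known_hosts contents are constructed, the lookup handles plain (unhashed) entries only, and first-contact trust remains the residual MITM exposure that the CA approach in the first comment removes.

```shell
#!/bin/sh
# Added example, not from the question or its commenters. For every host in a
# list, fetch and record its key only when known_hosts has no entry for it yet.
# Existing entries are never modified, so ssh -o StrictHostKeyChecking=yes still
# aborts when a previously known host presents a different key.
set -eu

# known_host_missing FILE HOST: succeeds when FILE has no entry for HOST.
# Matches exact names in plain or comma-separated entries and [host]:port
# forms; hashed (|1|...) or wildcard entries need ssh-keygen -F instead.
known_host_missing() {
    ! awk -v h="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        { f = ($1 ~ /^@/) ? 2 : 1 }            # skip @cert-authority/@revoked marker
        { n = split($f, pats, ",")
          for (i = 1; i <= n; i++)
              if (pats[i] == h || pats[i] == "[" h "]:22") { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# add_new_host_keys KNOWN_HOSTS HOSTLIST: HOSTLIST holds one host per line.
# New hosts are trusted on first use (the residual MITM exposure of this
# approach); the host name is stored unhashed so the lookup above finds it.
add_new_host_keys() {
    while IFS= read -r host || [ -n "$host" ]; do
        [ -z "$host" ] && continue
        if known_host_missing "$1" "$host"; then
            keys=$(ssh-keyscan -t ed25519,rsa "$host" 2>/dev/null) || keys=""
            if [ -n "$keys" ]; then
                printf '%s\n' "$keys" >> "$1"
                echo "added: $host"
            else
                echo "scan failed: $host" >&2
            fi
        else
            echo "known: $host"    # untouched; a changed key is still rejected
        fi
    done < "$2"
}

# Usage (constructed host list; needs network access to the hosts):
#   printf 'web1.example.com\nweb2.example.com\n' > hosts.txt
#   add_new_host_keys "$HOME/.ssh/known_hosts" hosts.txt
#   ssh -o StrictHostKeyChecking=yes web1.example.com true
```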