How to prefill SSH known_hosts with ssh-keyscan

Automation that opens SSH connections cannot stop at the first-connection authenticity prompt, but turning off host-key verification removes the warning that should stop a job from reaching an impersonated server. ssh-keyscan collects a server's public host key ahead of time so the account can trust a reviewed key before the first automated connection.

An OpenSSH known_hosts entry binds a host name or address to the public host key presented by sshd during connection setup. The scan itself does not prove the key is legitimate, because it reports whatever key the contacted endpoint presents over the network.

Use a temporary review file first, compare its SHA256 fingerprint with a trusted source, and only then install it into the known-hosts file used by the job. A dedicated UserKnownHostsFile keeps automation trust separate from an interactive account's normal /home/user/.ssh/known_hosts file, while StrictHostKeyChecking yes still blocks changed or missing host keys.

Related: How to verify SSH host key fingerprints before connecting
Related: How to configure SSH host key checking for automation
Related: How to fix the SSH remote host identification has changed warning
Tool: Secure Shell (SSH) Key Fingerprint Checker

Steps to prefill SSH known_hosts with ssh-keyscan:

  1. Create the SSH directory for the account that will run the connection. 
    $ install -d -m 700 ~/.ssh
  2. Scan the server's ED25519 host key into a temporary review file. 
    $ ssh-keyscan -q -t ed25519 host.example.net > ~/.ssh/known_hosts_deploy.new

    Use the same host name and port that the job will use. For a non-default port, add -p 2222 before the host name.

  3. Print the fingerprint from the scanned host key. 
    $ ssh-keygen -l -E sha256 -f ~/.ssh/known_hosts_deploy.new
256 SHA256:i11/XXQMOADu7YiD5TryXtWFJ2RC2A7b7rd7S92OJh0 host.example.net (ED25519)
  4. Compare the scanned fingerprint with a trusted reference for the server. 
    # ssh-keygen -l -E sha256 -f /etc/ssh/ssh_host_ed25519_key.pub
256 SHA256:i11/XXQMOADu7YiD5TryXtWFJ2RC2A7b7rd7S92OJh0 root@host (ED25519)

    Do not install the scanned key when the fingerprint differs, the host name is unexpected, or the reference came from the same untrusted network path.

  5. Install the reviewed key as the job's dedicated known-hosts file. 
    $ install -m 600 ~/.ssh/known_hosts_deploy.new ~/.ssh/known_hosts_deploy

    Use /home/user/.ssh/known_hosts instead when the normal interactive trust store should receive the entry.

  6. Confirm that OpenSSH can find the saved host entry. 
    $ ssh-keygen -F host.example.net -f ~/.ssh/known_hosts_deploy
# Host host.example.net found: line 1 
host.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEtTF0sIzREaw+KolocTiO1eTKcdX4/t7DDdRLAzmg/p
  7. Run a strict noninteractive SSH smoke test through the prefilled file. 
    $ ssh -o UserKnownHostsFile=~/.ssh/known_hosts_deploy -o StrictHostKeyChecking=yes -o BatchMode=yes user@host.example.net whoami
user

    The remote account must already have a working authentication method. BatchMode yes makes password or confirmation prompts fail instead of pausing automation.
    Related: How to connect with SSH using a private key

  8. Remove the temporary review file after the saved entry has been tested. 
    $ rm ~/.ssh/known_hosts_deploy.new