We are attempting to speed up the installation of oracle nodes for RAC installation. this requires that we get ssh installed and configured so that it doesn't prompt for a password.
The problem is: On first usage, we are prompted for
RSA key fingerprint is 96:a9:23:5c:cc:d1:0a:d4:70:22:93:e9:9e:1e:74:2f. Are you sure you want to continue connecting (yes/no)? yes Is there a way to avoid that or are we doomed to connect at least once on every server from every server manually?
Update December 2019:
As Chris Adams pointed out below, there has been a fairly significant change to Openssh in the 6.5 years since this answer was written, and there is a new option that is much safer than the original advice below:
* ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 So instead of setting StrictHostKeyChecking no in your ssh_config file, set StrictHostKeyChecking accept-new.
Set StrictHostKeyChecking no in your /etc/ssh/ssh_config file, where it will be a global option used by every user on the server. Or set it in your ~/.ssh/config file, where it will be the default for only the current user. Or you can use it on the command line:
ssh -o StrictHostKeyChecking=no -l "$user" "$host" Here's an explanation of how this works from man ssh_config (or see this more current version):
StrictHostKeyChecking
If this flag is set to “yes”, ssh will never automatically add host keys to the
$HOME/.ssh/known_hostsfile, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, however, can be annoying when the/etc/ssh/ssh_known_hostsfile is poorly maintained, or connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set to “no”, ssh will automatically add new host keys to the user known hosts files. If this flag is set to “ask”, new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. The argument must be “yes”, “no” or “ask”. The default is “ask”.
~/.ssh/ssh_config). Modern versions of OpenSSH support StrictHostKeyChecking accept-new which automatically accepts a key from a new host without disabling security checks for every host which you've already connected to. ssh-keyscan - Gather ssh public keys
If you already know the list of hosts you will connect to, you can just issue:
ssh-keyscan host1 host2 host3 host4 You can give the -H option to have it hash the results like ssh defaults to now
Also you can give -t keytype were keytype is dsa, rsa, or ecdsa if you have a preference as to which type of key to grab instead of the default.
Once you have run ssh-keyscan it will have pre-populated your known-hosts file and you won't have ssh asking you for permission to add a new key.
ssh-keyscan -H myhost >> ~/.ssh/known_hosts, or for server-wide, /etc/ssh/ssh_known_hosts Ignore the HostKeyChecking. For this I use e.g.:
ssh -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null [email protected] Add the host's/server's fingerprint to .ssh/known_hosts prior to your first connect. This is the safer way.
/dev/null? Wouldn’t it be better to do ssh -oStrictHostKeyChecking=no [email protected] once to get the server’s fingerprint into the $HOME/.ssh/known_hosts file, so subsequent connections will proceed without a request for confirmation? known_hosts does not contain fingerprints, so adding the fingerprint won't work. You need to add the key blob, as with ssh-keyscan -- which has exactly the same security weakness as StrictHostKeyChecking=no You can add the fingerprint to each server's known_hosts. For a single user:
cat ~/.ssh/known_hosts echo "$SERVER,$PORT ssh-rsa $SERVER_KEY_FINGERPRINT" >> ~/.ssh/known_hosts 
known_hosts contains the key blob, not the fingerprint, and for non-default port and not hashed (@Deimos) the syntax is [server]:port not a comma Execute the following snippet before trying.
mkdir -p ~/.ssh echo "Host *" > ~/.ssh/config echo " StrictHostKeyChecking no" >> ~/.ssh/config ps: Strictly not for production servers, beware of ManInMiddle
.ssh) directory with mode 700, which I think it needs...? Add chmod 700 ~/.ssh ? echo to >>? otherwise someone running your command will get their pre-existing .ssh/config wiped out. I like Tim's answer for one off type things however, if this is a host you intend on connecting to on a regular basis I would create an entry in your ~/.ssh/config (create it if the file does not exist).
# this example shows wildcard for IP # you can even use more than one wildcard 10.0.*.* for example Host 192.168.56.* StrictHostKeyChecking no UserKnownHostsFile /dev/null # you can even alias it, which is really useful when scp'ing/rsyncing foo:/path/to/remote Host foo HostName foo-long-192-10-135-55.hostname.not-going-to-remember.doh StrictHostKeyChecking no UserKnownHostsFile /dev/null Removed both the all the existing keys from known_hosts and Ran it again. This time the right key has been added and no more having the issue.
known_hosts? The user in the question has not yet connected to the host, so the hosts key would not be there.