I am trying to run an automation script using sshpass to provide a password for SSH authentication. However, I keep getting a message saying it's not possible because "Host Key checking is enabled." I understand that SSH wants to verify the server's identity, but since I am running this in a CI/CD pipeline, I can't manually type "yes" to accept the fingerprint. What is the safest way to bypass this check in an automated environment, or is there a way to pre-populate the known_hosts file?
3 answers
This error occurs because sshpass is not designed to handle interactive prompts, such as the one asking you to "trust" a new host. The most secure way to fix this is to pre-populate your ~/.ssh/known_hosts file using the ssh-keyscan command. By running ssh-keyscan -H <your-server-ip> >> ~/.ssh/known_hosts before your main script, you verify the host identity once, and sshpass will then proceed without the prompt. If you are in a completely private and secure environment and just need it to work quickly, you can disable the check by adding the argument -o StrictHostKeyChecking=no to your SSH command, or by setting the environment variable ANSIBLE_HOST_KEY_CHECKING=False if you are using Ansible.
I tried setting StrictHostKeyChecking=no, but now I'm getting a "Permission denied" error. Does sshpass work differently if the server has password authentication disabled in sshd_config?
For Ansible users, the easiest fix is adding host_key_checking = False to your ansible.cfg file. It’s less secure, but it fixes the "sshpass" issue immediately for large-scale deployments.
True, Sarah, but I always warn people: disabling host key checking opens you up to "Man-in-the-Middle" attacks. If you're on the public internet, always use the ssh-keyscan method Elena mentioned instead!
Exactly, Kevin. sshpass only works if the remote server allows PasswordAuthentication. If the server is configured to only allow PublickeyAuthentication, no amount of password-passing will work. Also, check if your user account is locked or if the password has expired. In many enterprise environments, the "Host Key" error is just the first hurdle; the second is often a strict SSH configuration that forbids passwords entirely for security reasons.