When automating Git operations via SSH, you'll often encounter the host verification prompt:
```
The authenticity of host 'bitbucket.org (207.223.240.182)' can't be established.
RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
Are you sure you want to continue connecting (yes/no)?
```
This interactive prompt breaks automation workflows in CI/CD pipelines, cron jobs, or any non-interactive environment.
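The most reliable solution is to pre-populate your `~/.ssh/known_hosts` file with the host's key before running Git commands. Keep in mind that `ssh-keyscan` records whatever key the network returns, so compare the resulting fingerprint with the one the provider publishes before relying on it. Here's how:

```bash
# Scan and add the host's key to known_hosts
ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts
# Verify the fingerprint matches what you expect
ssh-keygen -lf <(ssh-keyscan bitbucket.org 2>/dev/null)
```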
For complete automation in scripts, combine these commands:
```bash
#!/bin/bash
# Define the host you want to connect to
HOST="bitbucket.org"
# Make sure the SSH directory exists before appending to known_hosts
mkdir -p ~/.ssh
# Add to known_hosts if not already present
if ! ssh-keygen -F "$HOST" >/dev/null; then
    ssh-keyscan "$HOST" >> ~/.ssh/known_hosts
fi
# Now you can run git commands non-interactively
git clone "git@$HOST:user/repo.git"
```
For environments with multiple Git hosts, create a setup script:
```bash
#!/bin/bash
# List of Git hosts to trust
HOSTS=("github.com" "bitbucket.org" "gitlab.com")
for host in "${HOSTS[@]}"; do
    if ! ssh-keygen -F "$host" >/dev/null; then
        echo "Adding $host to known_hosts"
        ssh-keyscan "$host" >> ~/.ssh/known_hosts 2>/dev/null
    fi
done
```
While automating host verification is convenient, consider these security best practices:
- Verify fingerprints manually the first time
- Use `ssh-keyscan -H` to hash hostnames in known_hosts
- Regularly audit your known_hosts file
- Consider using SSH certificate authorities for large deployments
As a last resort (not recommended for production), you can disable strict host checking:
```
# In your SSH config (~/.ssh/config)
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
```
This approach completely bypasses host verification and should only be used in test environments where security isn't a concern.
When automating Git operations via SSH, you'll encounter the host verification prompt:
```
The authenticity of host 'github.com (140.82.121.3)' can't be established.
ECDSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)?
```
This breaks automation scripts and CI/CD pipelines that need to clone repositories non-interactively.
The most robust solution is to pre-populate your `~/.ssh/known_hosts` file with the host's keys before running Git commands. Here's how:

```bash
# For GitHub example:
ssh-keyscan -t rsa,ecdsa,ed25519 github.com >> ~/.ssh/known_hosts
```

This command fetches the host's RSA, ECDSA and Ed25519 keys and appends them to your known_hosts file.
For temporary solutions in trusted environments, you can disable strict host checking:
```bash
GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no" git clone git@github.com:user/repo.git
```

Or configure it in your SSH config:

```
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
```
For CI/CD systems, create a script to handle multiple Git providers:
```bash
#!/bin/bash
# List of hosts to trust
HOSTS=("github.com" "gitlab.com" "bitbucket.org")
for host in "${HOSTS[@]}"; do
    ssh-keyscan -t rsa,ecdsa,ed25519 "$host" >> ~/.ssh/known_hosts
done
# Now run your Git commands
git clone git@github.com:user/repo.git
```
For production environments, verify fingerprints against official sources:
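```bash
# GitHub's published fingerprints:
# https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
# Each entry is a full public host key in known_hosts format
# ("host keytype base64key"), not a hashed fingerprint.
KNOWN_FINGERPRINTS=(
    "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"
    "github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg="
)
# Make sure the file exists so grep has something to read
mkdir -p ~/.ssh && touch ~/.ssh/known_hosts
for fp in "${KNOWN_FINGERPRINTS[@]}"; do
    # -F matches the key as a fixed string; base64 contains regex
    # metacharacters such as "." and "+"
    if ! grep -qF "$fp" ~/.ssh/known_hosts; then
        echo "$fp" >> ~/.ssh/known_hosts
    fi
done
```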
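
For pipelines that still call `ssh-keyscan`, the scan result can be checked against the same pinned keys before anything is appended. The script below is an added example, not code from the original page: the function names `write_github_pins`, `verify_scan` and `pin_host` and the pins-file format are assumptions made here, and the two pinned keys are the GitHub entries listed above.

```shell
#!/bin/sh
# Added example: fail-closed check of ssh-keyscan output against pinned keys.
# Pins file format (assumed here): "host keytype base64key", one per line.

# write_github_pins FILE: the two GitHub host keys listed in the section above.
write_github_pins() {
    cat > "$1" <<'EOF'
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
EOF
}

# verify_scan PINS: read ssh-keyscan output on stdin and print only the lines
# whose host, key type and key all match a pin.
# Exit 0: at least one match and no conflicts. Exit 1: a scanned key differs
# from its pin (rotation or interception). Exit 2: nothing matched.
verify_scan() {
    awk -v pf="$1" '
        /^#/ || NF < 3 { next }                      # comments, blank lines
        FILENAME == pf { pin[$1 " " $2] = $3; next } # load pins
        {
            id = $1 " " $2
            if (!(id in pin)) next                   # unpinned key type: drop
            if (pin[id] == $3) { print id, $3; ok++ }
            else { print "host key mismatch: " id | "cat >&2"; bad++ }
        }
        END { if (bad) exit 1; if (!ok) exit 2 }
    ' "$1" -
}

# pin_host HOST PINS [KNOWN_HOSTS]: scan HOST and append only verified keys.
pin_host() {
    host=$1 pins=$2 kh=${3:-$HOME/.ssh/known_hosts}
    keys=$(ssh-keyscan -t ed25519,ecdsa "$host" 2>/dev/null |
           verify_scan "$pins") || {
        echo "refusing to trust $host: scan does not match pins" >&2
        return 1
    }
    mkdir -p "$(dirname "$kh")" && printf '%s\n' "$keys" >> "$kh"
}
```

A CI job would call `pin_host github.com pins.txt` before the first `git clone` and stop the build on a non-zero exit status.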
For Docker builds, you'll need to either:
- Pre-build an image with known_hosts populated
- Add the ssh-keyscan step in your Dockerfile:

```dockerfile
RUN mkdir -p ~/.ssh && \
    ssh-keyscan -t rsa,ecdsa,ed25519 github.com >> ~/.ssh/known_hosts
```