When using plink.exe (PuTTY Link) to establish SSH connections programmatically, you'll encounter a host key verification prompt if the server's key isn't cached. This security feature becomes problematic for automated scripts that can't handle interactive prompts.
C:\>plink -ssh user@example.com
The server's host key is not cached in the registry...
Store key in cache? (y/n)
Plink provides the -batch flag to suppress all interactive prompts. However, with an unknown host key the connection then fails instead of prompting:
plink -batch -ssh user@example.com echo "test"
FATAL ERROR: Server's host key is not cached in registry
The robust solution is to cache the host key before the script runs. Here are two methods:
Method 1: Manual Cache Initialization
Run an initial interactive connection to cache the key:
plink -ssh user@example.com exit
# Respond 'y' to cache the key
# Subsequent calls will work non-interactively
Method 2: Registry Import
For fully automated deployments, import the host key directly into the Windows Registry:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:example.com"="0x1234,0x5678,..."
For maximum security in automation, pin the expected host key fingerprint with -hostkey; plink then accepts only that key and fails closed if the server presents any other:
plink -batch -hostkey aa:bb:cc:... -ssh user@example.com command
Port conflicts: specify non-standard ports with the -P flag; the cached entry name includes the port (rsa2@22:host), so a key cached for port 22 does not cover another port
Key format: PuTTY stores keys in its own format, different from OpenSSH, so an OpenSSH known_hosts line cannot be pasted into the registry as-is
Registry permissions: ensure your script has write access to HKCU
@echo off
:: First connection to cache key (only needed once)
plink -ssh user@example.com exit < y.txt
:: Subsequent automated commands
plink -batch -ssh user@example.com "ls -l"
plink -batch -ssh user@example.com "df -h"
Where y.txt contains just the letter 'y' to automatically respond to the prompt. Answering blindly caches whatever key that first connection sees, so compare the fingerprint plink displays against a value obtained out of band before relying on the cache.
When automating SSH connections using Plink (PuTTY Link), the host key verification prompt becomes a significant obstacle for non-interactive scripts. The security check that normally protects users becomes a blocker in automated workflows.
Before bypassing security measures, it's crucial to understand what host key verification protects against:
- Man-in-the-middle attacks
- Server impersonation
- Connection hijacking
The primary solution is to use Plink's -batch flag, which suppresses all interactive prompts:
plink -batch username@hostname command_to_execute
However, this will fail on the first connection because the host key isn't cached yet, which brings us to the complete solution.
For a fully automated solution, you need to either:
- Pre-cache the host key using a one-time manual connection
- Use the following command to automatically accept the host key (note that -batch suppresses the prompt itself, so the piped answer is only consumed on a run made without -batch, as with the y.txt example; either way it accepts whatever key the server presents, which is exactly what the check exists to prevent):
echo y | plink -batch -ssh username@hostname command
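Instead of feeding 'y' to the prompt, an unattended run can pin the fingerprint and fail closed. The following Python wrapper is an added example, not code from the page or from the PuTTY project; it serves both the batch file above and this section. It assumes plink.exe is on PATH, uses a PLACEHOLDER fingerprint you must replace with one verified out of band, and the stderr samples and the two non-page error wordings in HOSTKEY_FAILURE_MARKERS are constructed for the offline check (only the "not cached in registry" message is quoted from the page).

```python
import subprocess

# PLACEHOLDER: the fingerprint you verified out of band (server console,
# or `plink -v` on a connection you trust). plink refuses any other key.
EXPECTED_HOSTKEY = "SHA256:REPLACE-WITH-VERIFIED-FINGERPRINT"


def plink_argv(user: str, host: str, command: str, hostkey: str,
               port: int = 22, plink: str = "plink.exe") -> list:
    """Build the plink command line for unattended use.

    -batch   : never block on a prompt (an unknown key aborts instead)
    -hostkey : only this fingerprint is accepted, whatever the registry cache holds
    -P       : the port is part of the cache entry name, so always pass it explicitly
    argv is a list (no shell), so the remote command is not re-parsed locally.
    """
    return [plink, "-batch", "-hostkey", hostkey, "-P", str(port),
            "-ssh", f"{user}@{host}", command]


# Messages meaning the host key check failed rather than the remote command.
# First entry quoted from the page; the other two are wordings assumed here.
HOSTKEY_FAILURE_MARKERS = (
    "host key is not cached in registry",
    "Host key did not appear in manually configured list",
    "POTENTIAL SECURITY BREACH",
)


def classify_failure(returncode: int, stderr: str) -> str:
    """Reduce a run to: ok, hostkey (trust problem: stop and investigate), other."""
    if returncode == 0:
        return "ok"
    lowered = stderr.lower()
    if any(marker.lower() in lowered for marker in HOSTKEY_FAILURE_MARKERS):
        return "hostkey"
    return "other"


def run_pinned(user: str, host: str, command: str,
               hostkey: str = EXPECTED_HOSTKEY, port: int = 22):
    """Run one remote command with the pinned key; stdin is closed so nothing can answer a prompt."""
    argv = plink_argv(user, host, command, hostkey, port)
    proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                          capture_output=True, text=True)
    return classify_failure(proc.returncode, proc.stderr), proc.stdout


# Constructed stderr samples to exercise classify_failure offline.
SAMPLE_STDERR_UNCACHED = "FATAL ERROR: Server's host key is not cached in registry\n"
SAMPLE_STDERR_CMD = "bash: dff: command not found\n"


if __name__ == "__main__":
    status, out = run_pinned("user", "example.com", "df -h")
    print(status)
    print(out)
```

A "hostkey" result should stop the job and page a human: it means either the cache/pin was never set up for this host and port, or the server is not the one the pin was taken from.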
For Windows systems, you can directly add the host key to PuTTY's registry cache:
reg add HKCU\Software\SimonTatham\PuTTY\SshHostKeys /v rsa2@22:hostname /t REG_SZ /d 0x23,0xab,... /f
Replace the hex values with your actual host key data, the same value an interactive plink session writes when you answer 'y'. The value name is keytype@port:host, so the port comes before the hostname.
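To produce that registry value without a first interactive connection, you can derive it from the server's OpenSSH-format public key (for example the line ssh-keyscan prints). The following Python is an added example serving Method 2 above and the -hostkey pinning line, not code from the page or from PuTTY; it handles ssh-rsa keys only, assumes the "0x<e>,0x<n>" layout PuTTY uses for rsa2 entries with lowercase hex, and the key material in SAMPLE_LINE is a tiny constructed modulus so the script runs offline.

```python
import base64
import hashlib
import struct

# Constructed sample: a deliberately tiny RSA key so the example runs offline.
# A real host key modulus is 2048 bits or more.
SAMPLE_E = 65537
SAMPLE_N = 0xDEADBEEFCAFEF00D


def _mpint(value: int) -> bytes:
    """SSH mpint (RFC 4251): length prefix, big-endian, leading 0x00 if the high bit is set."""
    if value == 0:
        return struct.pack(">I", 0)
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return struct.pack(">I", len(body)) + body


def _sshstr(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return _sshstr(b"ssh-rsa") + _mpint(e) + _mpint(n)


# Constructed known_hosts / ssh-keyscan style line for the sample key.
SAMPLE_LINE = "example.com ssh-rsa " + base64.b64encode(
    build_rsa_blob(SAMPLE_E, SAMPLE_N)).decode()


def _read_string(buf: bytes, off: int):
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + length], off + length


def parse_rsa_blob(blob: bytes):
    """Return (e, n) from an ssh-rsa blob; other key types are rejected."""
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError(f"unsupported key type {keytype!r}; ssh-rsa only")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data in key blob")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def putty_registry_entry(line: str, port: int = 22):
    """Map an OpenSSH host key line to PuTTY's (value name, value data) under SshHostKeys."""
    host, keytype, b64 = line.split()[:3]
    if keytype != "ssh-rsa":
        raise ValueError("ssh-rsa only")
    e, n = parse_rsa_blob(base64.b64decode(b64))
    # Name is keytype@port:host; data is "0x<e>,0x<n>" (lowercase hex assumed).
    return f"rsa2@{port}:{host}", f"0x{e:x},0x{n:x}"


def fingerprints(line: str):
    """SHA256 (unpadded base64) and MD5 (colon hex) fingerprints of the blob, for -hostkey."""
    blob = base64.b64decode(line.split()[2])
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def reg_file(line: str, port: int = 22) -> str:
    """Render a .reg file in the layout shown in Method 2."""
    name, data = putty_registry_entry(line, port)
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]",
        f'"{name}"="{data}"',
        "",
    ])


if __name__ == "__main__":
    print(reg_file(SAMPLE_LINE))
    print(*fingerprints(SAMPLE_LINE), sep="\n")
```

The key line should come from a source you trust (the server's console, or a keyscan done over a network path you control), since whatever you import becomes the trust anchor for every later -batch run; the fingerprint the script prints is also the value to pass to -hostkey if you prefer pinning over the registry cache.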
For more complex scenarios, consider using Pageant (PuTTY authentication agent) to manage your keys:
pageant keyfile.ppk
plink -agent -batch username@hostname command
When automating SSH connections:
- Always verify host keys manually first
- Restrict command execution on remote hosts
- Use limited privilege accounts
- Monitor connection logs
If you still encounter problems:
plink -v -batch username@hostname command
The -v flag provides verbose output to diagnose connection issues, including the fingerprint of the key the server presented, which is the value to compare against your out-of-band copy.