When automating file transfers with scp in restricted environments, the SSH known_hosts verification can become a roadblock. System administrators often face this when:
- Connecting to ephemeral cloud instances with changing host keys
- Working in CI/CD pipelines with temporary infrastructure
- Operating in locked-down environments without config file access
scp uses ssh as its transport, so it inherits SSH's strict host key checking. The default behavior will abort an unattended transfer if the host key is not already trusted:
# This will fail if host key isn't in known_hosts
scp file.txt user@new-server:/path/
When you can't modify ~/.ssh/config or /etc/ssh/ssh_config, try these approaches:
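# Method 1: Options held in a shell variable
# Assign on its own line; "VAR=... scp $VAR" would expand $VAR before it is set.
# $SSH_OPTIONS is left unquoted on purpose so it splits into separate arguments.
SSH_OPTIONS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
scp $SSH_OPTIONS file.txt user@host:/path/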
# Method 2: Direct SSH option passing
scp -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" file.txt user@host:/path/
While convenient, these methods disable important MITM protection. Consider these safer alternatives where possible:
# Temporary known_hosts approach
TMP_KNOWN_HOSTS=$(mktemp)
# Scan the same hostname that scp connects to, so the entry matches
ssh-keyscan -H host >> "$TMP_KNOWN_HOSTS"
scp -o "UserKnownHostsFile=$TMP_KNOWN_HOSTS" file.txt user@host:/path/
rm -f "$TMP_KNOWN_HOSTS"
For scripting scenarios, this wrapper function provides both safety and convenience:
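function safe_scp() {
    local src=$1 dest=$2
    # ssh-keyscan needs the bare hostname, not user@host:/path
    local host=${dest#*@}
    host=${host%%:*}
    local tmp_file
    tmp_file=$(mktemp) || return 1
    # Also require non-empty output, to guard against an empty scan result
    if ssh-keyscan -H "$host" > "$tmp_file" 2>/dev/null && [ -s "$tmp_file" ]; then
        scp -o "UserKnownHostsFile=$tmp_file" "$src" "$dest"
        local status=$?
        rm -f "$tmp_file"
        return $status
    else
        rm -f "$tmp_file"
        echo "Host key verification failed" >&2
        return 1
    fi
}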
# Usage:
safe_scp ./file.txt user@new-server:/path/
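ssh-keyscan fetches the key over the same network path as the transfer, so a temporary known_hosts file only restores MITM protection when the scanned key is compared with a fingerprint obtained out of band. The following is an added example, not code from the original page, that performs that comparison before running scp. The function names pin_scanned_keys and pinned_scp are hypothetical, and the expected fingerprint is assumed to come from a trusted channel such as provisioning output.

```bash
# Added example. pin_scanned_keys and pinned_scp are hypothetical helper names.
# Assumption: EXPECTED_FP ("SHA256:...") was obtained over a trusted channel.

# pin_scanned_keys SCAN_FILE EXPECTED_FP OUT_FILE
# Copy to OUT_FILE only the known_hosts lines whose key fingerprint equals
# EXPECTED_FP. Returns non-zero when no scanned key matches.
pin_scanned_keys() {
    local scan_file="$1" expected="$2" out_file="$3" line fp
    : > "$out_file"
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        # ssh-keygen -l accepts a known_hosts line on stdin and prints
        # "<bits> <fingerprint> <comment> (<type>)"
        fp=$(printf '%s\n' "$line" | ssh-keygen -l -E sha256 -f - 2>/dev/null |
             awk '{print $2}')
        if [ -n "$fp" ] && [ "$fp" = "$expected" ]; then
            printf '%s\n' "$line" >> "$out_file"
        fi
    done < "$scan_file"
    [ -s "$out_file" ]
}

# pinned_scp HOST EXPECTED_FP SCP_ARGS...
pinned_scp() {
    local host="$1" expected="$2" scan kh status
    shift 2
    scan=$(mktemp) || return 1
    kh=$(mktemp) || { rm -f "$scan"; return 1; }
    ssh-keyscan "$host" > "$scan" 2>/dev/null
    if pin_scanned_keys "$scan" "$expected" "$kh"; then
        # Only the pinned key is trusted; any other key aborts the transfer
        scp -o "UserKnownHostsFile=$kh" -o StrictHostKeyChecking=yes "$@"
        status=$?
    else
        echo "No scanned key for $host matches the pinned fingerprint" >&2
        status=1
    fi
    rm -f "$scan" "$kh"
    return "$status"
}

# Usage (constructed values):
# pinned_scp new-server "SHA256:<pinned fingerprint>" file.txt user@new-server:/path/
```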
When automating SSH operations in restricted environments, you might encounter situations where:
- You can't modify ~/.ssh/known_hosts
- You don't have access to /etc/ssh/ssh_config
- Strict host key checking blocks your automation scripts
Here are several methods to handle this scenario programmatically:
1. Using SSH Command-Line Options
The most straightforward approach is using SSH's built-in options:
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@host
This combination:
- Disables strict host key checking
- Writes host keys to /dev/null instead of known_hosts
2. SCP Specific Solution
For SCP operations, the same principle applies:
scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null file.txt user@host:/path/
3. Environment Variable Approach
Set these variables before running SSH/SCP commands:
export SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
scp $SSH_OPTS file.txt user@host:/path/
For production environments, consider these robust approaches:
Python Paramiko Example
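import paramiko
client = paramiko.SSHClient()
# AutoAddPolicy accepts any unknown host key without verification,
# the Paramiko counterpart of StrictHostKeyChecking=no
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# 'hostname', 'user' and 'pass' are placeholders
client.connect('hostname', username='user', password='pass')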
Bash Function Wrapper
function safe_scp() {
    # LogLevel=ERROR hides the "Permanently added ..." warning on each run
    scp -o StrictHostKeyChecking=no \
        -o UserKnownHostsFile=/dev/null \
        -o LogLevel=ERROR \
        "$@"
}
# Usage:
safe_scp file.txt user@host:/path/
While these solutions work, be aware of the security implications:
- Disabling host key verification makes you vulnerable to MITM attacks
- Only use these methods in controlled environments
- For production systems, prefer proper host key management