ssh - Can I pass RSA hostkey of server as PuTTY command line option?

Question

Do we have option on PuTTY command line to send RSA hostkey as an argument similar to WinSCP -hostkey.?

PuTTY command currently used:

putty.exe -ssh -l username -pw password -m command.txt RemoteServerIP

Is there a option like WinSCP where RSA hostkey can be passed just like below:

open sftp://username :password@RemoteServerIP/ -hostkey="ssh-rsa 2048 11:2c:5d:f5:22:22:ab:12:3a:be:37:1c:cd:f6:13:d1"

---

Also let me know, if my option of using PuTTY for this task is a bad option.

---

Detailed explanation for those who are interested to know entire background:

• I have developed a Django application to kick off some remote scripts and get the task done. This uses putty ssh to run commands at the background using subprocess module, parameters are passed from the Djangofront end.

  Problem I am facing is, There are multiple users who will use this application to kick off their scripts. Only requirement is they have to store IP address and RSA key of the server on a config file on Django Server.

  Since all of the servers use RSA key, for the first login it asks to confirm the RSA fingerprint storage prompt.

  Usually when we kick off this manually from our local machine we give Yes, for the first time. and subsequent runs it won't ask for the confirmation.

  Since these scripts will be running from a DjangoServer where users won't have access, is there a way I can still be able to run the remote scripts using putty?

  Please note I am aware of kicking off script using WinSCP but unfortunately in our environment I cannot kickoff Scripts from WinSCP, but I can FTP using WinSCP and I use hostkey option so it does not prompt for confirmation

Answer 1

There are several ways of dealing with SSH/SCP/SFTP host key verification.

One way is described in this answer to a similar question on ServerFault. Echo y or n depending on whether you do or don't want the key added to the cache in the registry. Redirect the error output stream to suppress the notification messages.

echo 'y' | plink -l USERNAME HOSTNAME 'COMMANDLINE' 2>$null   # cache host key
echo 'n' | plink -l USERNAME HOSTNAME 'COMMANDLINE' 2>$null   # do not cache host key

Note, however, that this will fail if you don't want to cache the key and use batch mode:

echo 'n' | plink -batch -l USERNAME HOSTNAME 'COMMANDLINE'   # this won't work!

Note, however, that this approach essentially disables the host key verification, which was put in place to protect from man-in-the-middle attacks. Which is to say that automatically accepting host keys from arbitrary remote hosts is NOT RECOMMENDED.

Better alternatives to automatically accepting arbitrary host keys would be:

• Saving a PuTTY session for which you already validated the host key, so you can re-use it from plink like this:

  plink -load SESSION_NAME 'COMMANDLINE'
  

• Pre-caching the host key in the registry prior to running plink. There is a Python script that can convert a key in OpenSSH known_hosts format to a registry file that you can import on Windows if you don't want to manually open a session and verify the fingerprint.

• Providing the fingerprint of the server's host key when running plink:

  $user   = 'USERNAME'
  $server = 'HOSTNAME'
  $cmd    = 'COMMANDLINE'
  $fpr    = 'fa:38:b6:f2:a3:...'
  plink -batch -hostkey $fpr -l $user $server $cmd
  

All of these assume that you obtained the relevant information via a secure channel and properly verified it, of course.