SSH options

Specify security settings for SSH connections

Host key checking

ES.IO verifies the keys of the remote SSH hosts it connects to, and refuses to authenticate hosts whose keys do not match the contents of the known_hosts file.

Known hosts file location

By default, ES.IO uses the ~/.ssh/known_hosts file for the user executing the program, but you can provide a specific location:

ssh_options known_hosts: "/path/to/<known_hosts_file>"

Host key checking modes

In the standard checking mode, ES.IO trusts the host and caches its keys when it connects for the first time (Trust On First Use). It then refuses to connect if the host keys have changed.

In the strict mode, ES.IO won't trust a host without valid keys present in the known_hosts file. It refuses to connect to unknown hosts as well as to hosts whose keys do not match.

# Trust on first use, default behavior
ssh_options host_key_checking: "standard"

# Strict verification
ssh_options host_key_checking: "strict"
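The decision logic behind the two modes, written out as an added Ruby example (not ES.IO's own code): it parses a known_hosts file, including OpenSSH's hashed hostname entries, and returns a verdict for a presented host key under either mode. The known_hosts content and the keys are constructed placeholders.

```ruby
require "openssl"

# Constructed known_hosts content (placeholder keys, not real SSH keys).
# The second entry uses OpenSSH's hashed hostname form: |1|salt|HMAC-SHA1(salt, host).
SALT = "saltsalt"
KNOWN_HOSTS = <<~HOSTS
  backup.example.com,10.0.0.5 ssh-ed25519 AAAAC3constructedKeyA== backup host
  # comments and blank lines are ignored

  |1|#{[SALT].pack("m0")}|#{[OpenSSL::HMAC.digest("sha1", SALT, "db.example.com")].pack("m0")} ssh-rsa AAAAB3constructedKeyB==
HOSTS

# Parse known_hosts lines into { hosts:, type:, key: } entries.
def parse_known_hosts(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?("#") }.map do |line|
    hosts, type, key = line.split(/\s+/, 4)
    { hosts: hosts, type: type, key: key }
  end
end

# Does a known_hosts host pattern (plain, comma-separated, or hashed) name this host?
def host_matches?(pattern, host)
  if pattern.start_with?("|1|")
    _, _, salt, mac = pattern.split("|")
    [OpenSSL::HMAC.digest("sha1", salt.unpack1("m0"), host)].pack("m0") == mac
  else
    pattern.split(",").include?(host)
  end
end

# Decide whether to proceed with a host that presented (type, key).
# "standard": Trust On First Use, unknown hosts are cached; a changed key is refused.
# "strict":   only hosts already in known_hosts with a matching key are accepted.
def check_host_key(entries, host, type, key, mode: "standard")
  match = entries.find { |e| e[:type] == type && host_matches?(e[:hosts], host) }
  if match
    return match[:key] == key ? :trusted : :refused_changed_key
  end

  case mode
  when "standard"
    entries << { hosts: host, type: type, key: key } # cache for the next connection
    :trusted_first_use
  when "strict"
    :refused_unknown_host
  else
    raise ArgumentError, "unknown host_key_checking mode: #{mode}"
  end
end
```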

Refresh keys in the known_hosts file

ES.IO lets you keep track of key changes on the remote hosts from the command line. This is especially useful for initially downloading keys when using strict key checking with new hosts, or for refreshing the key cache when one of the host keys has legitimately changed.

By default, ES.IO shows the keys and fingerprints for all hosts in your Sheepfile and asks for confirmation before applying changes to the known_hosts file:

electric_sheep hostkeys

To bypass the confirmation and forcefully replace keys:

electric_sheep hostkeys -y

See the Command Line Reference.