Skip to content
Latchkey

ssh-keyscan: Usage, Options & Common CI Errors

ssh-keyscan collects a server's public host keys so SSH does not prompt in CI.

ssh-keyscan is the fix for "Host key verification failed" in non-interactive CI: fetch the host's keys and append them to known_hosts before connecting, so SSH never stops to ask you to trust the host.

What it does

ssh-keyscan connects to one or more hosts and prints their public SSH host keys in known_hosts format. Appending its output to ~/.ssh/known_hosts pre-trusts the host, eliminating the interactive "Are you sure you want to continue connecting?" prompt that would otherwise hang a CI job.

Common usage

Terminal
ssh-keyscan github.com >> ~/.ssh/known_hosts
ssh-keyscan -H github.com >> ~/.ssh/known_hosts   # hash the hostnames
ssh-keyscan -t ed25519 github.com >> ~/.ssh/known_hosts
ssh-keyscan -p 2222 deploy.example.com >> ~/.ssh/known_hosts
ssh-keyscan -H -t rsa,ed25519 host1 host2 >> ~/.ssh/known_hosts

Options

FlagWhat it does
-HHash hostnames in the output (privacy)
-t <types>Key types to fetch (rsa, ed25519, ecdsa)
-p <port>Non-default SSH port
-T <secs>Connection timeout per host
<host> ...One or more hosts to scan

Common errors in CI

The whole point is to prevent "Host key verification failed." - but ssh-keyscan TOFU (trust-on-first-use) blindly trusts whatever key the host presents, so for high-security flows pin a known fingerprint instead of scanning live. Empty output means the host is unreachable or filtered on port 22 - the >> then writes nothing and SSH still prompts; verify the scan returned keys. Make sure ~/.ssh exists with mode 700 (mkdir -p ~/.ssh && chmod 700 ~/.ssh) or the append fails. For a non-standard port, both the keyscan and the ssh must use the same -p/-p port.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →