ssh-keyscan: Usage, Options & Common CI Errors
ssh-keyscan collects a server's public host keys so SSH does not prompt in CI.
ssh-keyscan is the fix for "Host key verification failed" in non-interactive CI: fetch the host's keys and append them to known_hosts before connecting, so SSH never stops to ask you to trust the host.
What it does
ssh-keyscan connects to one or more hosts and prints their public SSH host keys in known_hosts format. Appending its output to ~/.ssh/known_hosts pre-trusts the host, eliminating the interactive "Are you sure you want to continue connecting?" prompt that would otherwise hang a CI job.
Common usage
ssh-keyscan github.com >> ~/.ssh/known_hosts
ssh-keyscan -H github.com >> ~/.ssh/known_hosts # hash the hostnames
ssh-keyscan -t ed25519 github.com >> ~/.ssh/known_hosts
ssh-keyscan -p 2222 deploy.example.com >> ~/.ssh/known_hosts
ssh-keyscan -H -t rsa,ed25519 host1 host2 >> ~/.ssh/known_hostsOptions
| Flag | What it does |
|---|---|
| -H | Hash hostnames in the output (privacy) |
| -t <types> | Key types to fetch (rsa, ed25519, ecdsa) |
| -p <port> | Non-default SSH port |
| -T <secs> | Connection timeout per host |
| <host> ... | One or more hosts to scan |
Common errors in CI
The whole point is to prevent "Host key verification failed." - but ssh-keyscan TOFU (trust-on-first-use) blindly trusts whatever key the host presents, so for high-security flows pin a known fingerprint instead of scanning live. Empty output means the host is unreachable or filtered on port 22 - the >> then writes nothing and SSH still prompts; verify the scan returned keys. Make sure ~/.ssh exists with mode 700 (mkdir -p ~/.ssh && chmod 700 ~/.ssh) or the append fails. For a non-standard port, both the keyscan and the ssh must use the same -p/-p port.