ssh-keyscan Command Reference for CI Scripts
ssh-keyscan collects a host\u2019s public SSH keys so you can add them to known_hosts.
ssh-keyscan is the standard way to make ssh and git-over-SSH non-interactive in CI: fetch the host key up front so there is no "trust this host?" prompt to hang the job.
Common flags/usage
- -H: hash the hostnames in the output (recommended)
- -t TYPE: limit to a key type (ed25519, rsa, ecdsa)
- -p PORT: scan a non-default port
- host [host...]: one or more hosts to scan
- append the output to ~/.ssh/known_hosts
Example
shell
mkdir -p "${HOME}/.ssh"
ssh-keyscan -t ed25519 github.com >> "${HOME}/.ssh/known_hosts"
git clone "git@github.com:${ORG}/${REPO}.git"In CI
Pre-seeding known_hosts removes the interactive host-key prompt that otherwise hangs a non-interactive job. For a stronger posture, pin and verify the fingerprint against a published value rather than trusting whatever the network returns, since a blind keyscan trusts the first host that answers. -H hashes hostnames so the file does not leak which hosts you connect to.
Key takeaways
- ssh-keyscan into known_hosts removes the host-key prompt that hangs CI.
- For security, verify the scanned fingerprint against a published value.
- -H hashes hostnames so known_hosts does not leak your connections.
Related guides
ssh Command Reference for CI Scriptsssh opens a secure remote shell or runs a remote command in CI deploys. Reference for -i, -o, BatchMode, and…
scp Command Reference for CI Scriptsscp copies files between hosts over SSH in CI deploys. Reference for -r, -i, and -P, plus the uppercase-port…
rsync Command Reference for CI Scriptsrsync synchronizes files efficiently in CI deploys and cache restores. Reference for -a, -z, --delete, and th…
chmod Command Reference for CI Scriptschmod changes file permissions in CI. Reference for +x, octal modes, -R, and symbolic modes, plus the 600-on-…