Skip to content
Latchkey

ssh-keyscan Command Reference for CI Scripts

ssh-keyscan collects a host\u2019s public SSH keys so you can add them to known_hosts.

ssh-keyscan is the standard way to make ssh and git-over-SSH non-interactive in CI: fetch the host key up front so there is no "trust this host?" prompt to hang the job.

Common flags/usage

  • -H: hash the hostnames in the output (recommended)
  • -t TYPE: limit to a key type (ed25519, rsa, ecdsa)
  • -p PORT: scan a non-default port
  • host [host...]: one or more hosts to scan
  • append the output to ~/.ssh/known_hosts

Example

shell
mkdir -p "${HOME}/.ssh"
ssh-keyscan -t ed25519 github.com >> "${HOME}/.ssh/known_hosts"
git clone "git@github.com:${ORG}/${REPO}.git"

In CI

Pre-seeding known_hosts removes the interactive host-key prompt that otherwise hangs a non-interactive job. For a stronger posture, pin and verify the fingerprint against a published value rather than trusting whatever the network returns, since a blind keyscan trusts the first host that answers. -H hashes hostnames so the file does not leak which hosts you connect to.

Key takeaways

  • ssh-keyscan into known_hosts removes the host-key prompt that hangs CI.
  • For security, verify the scanned fingerprint against a published value.
  • -H hashes hostnames so known_hosts does not leak your connections.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →