feat(emr): Improve SSH host key verification with accept-new (#10391)

JasonLEE327 · web-flow · commit 458acc41ec8e · 2026-06-11T09:47:44.000-04:00
EMR SSH/SCP helper commands (ssh, socks, put, get) now default to StrictHostKeyChecking=accept-new for improved host key verification. Uses ssh -G probe to detect support; falls back to =no with warning on OpenSSH < 7.6. New --ssh-options parameter allows passing arbitrary SSH options (space-separated) to override defaults. This provides an escape hatch for legacy clients and addresses #1799.
diff --git a/.changes/next-release/enhancement-emr-34686.json b/.changes/next-release/enhancement-emr-34686.json
@@ -0,0 +1,5 @@
+{
+  "type": "enhancement",
+  "category": "emr",
+  "description": "EMR SSH/SCP helper commands (``aws emr ssh``, ``socks``, ``put``, ``get``) now default to ``StrictHostKeyChecking=accept-new`` for improved host key verification security. A new ``--ssh-options`` parameter allows passing arbitrary SSH options to override defaults. On systems with OpenSSH < 7.6, the CLI automatically falls back to the previous behavior with a warning."
+}
diff --git a/awscli/customizations/emr/ssh.py b/awscli/customizations/emr/ssh.py
@@ -13,6 +13,7 @@
 
 import os
 import subprocess
+import sys
 import tempfile
 
 from awscli.customizations.emr import constants, emrutils, sshutils
@@ -24,6 +25,67 @@
     '"aws configure set emr.key_pair_file <value>" command.\n'
 )
 
+SSH_OPTIONS_HELP_TEXT = (
+    'Additional SSH options passed directly to the ssh/scp command. '
+    'Multiple options can be specified space-separated. Example: '
+    '--ssh-options StrictHostKeyChecking=no ConnectTimeout=30'
+)
+
+DEFAULT_STRICT_HOST_KEY_CHECKING = 'StrictHostKeyChecking=accept-new'
+
+UNSUPPORTED_OPTION_MSG = (
+    'WARNING: Your OpenSSH version does not support '
+    'StrictHostKeyChecking=accept-new (requires OpenSSH 7.6+). '
+    'Falling back to StrictHostKeyChecking=no. '
+    'Upgrade to OpenSSH 7.6+ for improved security.\n'
+)
+
+PUTTY_SSH_OPTIONS_MSG = (
+    'WARNING: --ssh-options is only supported with OpenSSH. '
+    'Options are ignored when using PuTTY/pscp.\n'
+)
+
+
+def _supports_accept_new():
+    """Check if OpenSSH supports StrictHostKeyChecking=accept-new."""
+    try:
+        result = subprocess.run(
+            ['ssh', '-G', '-o', 'StrictHostKeyChecking=accept-new',
+             'localhost'],
+            capture_output=True, text=True,
+        )
+        return result.returncode == 0
+    except (OSError, subprocess.SubprocessError):
+        return False
+
+
+def _has_strict_host_key_override(extra_options):
+    """Check if user provided a StrictHostKeyChecking override."""
+    if not extra_options:
+        return False
+    for opt in extra_options:
+        if opt.lower().startswith('stricthostkeychecking='):
+            return True
+    return False
+
+
+def _build_ssh_options(extra_options):
+    """Build the -o flags list for ssh/scp commands."""
+    options = []
+    if _has_strict_host_key_override(extra_options):
+        for opt in extra_options:
+            options.extend(['-o', opt])
+    else:
+        if _supports_accept_new():
+            options.extend(['-o', DEFAULT_STRICT_HOST_KEY_CHECKING])
+        else:
+            sys.stderr.write(UNSUPPORTED_OPTION_MSG)
+            options.extend(['-o', 'StrictHostKeyChecking=no'])
+        if extra_options:
+            for opt in extra_options:
+                options.extend(['-o', opt])
+    return options
+
 
 class Socks(Command):
     NAME = 'socks'
@@ -42,6 +104,11 @@ class Socks(Command):
             'required': True,
             'help_text': 'Private key file to use for login',
         },
+        {
+            'name': 'ssh-options',
+            'nargs': '+',
+            'help_text': SSH_OPTIONS_HELP_TEXT,
+        },
     ]
 
     def _run_main_command(self, parsed_args, parsed_globals):
@@ -56,28 +123,20 @@ def _run_main_command(self, parsed_args, parsed_globals):
             sshutils.validate_ssh_with_key_file(key_file)
             f = tempfile.NamedTemporaryFile(delete=False)
             if emrutils.which('ssh') or emrutils.which('ssh.exe'):
-                command = [
-                    'ssh',
-                    '-o',
-                    'StrictHostKeyChecking=no',
-                    '-o',
-                    'ServerAliveInterval=10',
-                    '-ND',
-                    '8157',
-                    '-i',
-                    parsed_args.key_pair_file,
+                ssh_options = _build_ssh_options(parsed_args.ssh_options)
+                command = ['ssh'] + ssh_options + [
+                    '-o', 'ServerAliveInterval=10',
+                    '-ND', '8157',
+                    '-i', parsed_args.key_pair_file,
                     constants.SSH_USER + '@' + master_dns,
                 ]
             else:
+                if parsed_args.ssh_options:
+                    sys.stderr.write(PUTTY_SSH_OPTIONS_MSG)
                 command = [
-                    'putty',
-                    '-ssh',
-                    '-i',
-                    parsed_args.key_pair_file,
+                    'putty', '-ssh', '-i', parsed_args.key_pair_file,
                     constants.SSH_USER + '@' + master_dns,
-                    '-N',
-                    '-D',
-                    '8157',
+                    '-N', '-D', '8157',
                 ]
 
             print(' '.join(command))
@@ -105,6 +164,11 @@ class SSH(Command):
             'help_text': 'Private key file to use for login',
         },
         {'name': 'command', 'help_text': 'Command to execute on Master Node'},
+        {
+            'name': 'ssh-options',
+            'nargs': '+',
+            'help_text': SSH_OPTIONS_HELP_TEXT,
+        },
     ]
 
     def _run_main_command(self, parsed_args, parsed_globals):
@@ -118,27 +182,21 @@ def _run_main_command(self, parsed_args, parsed_globals):
         sshutils.validate_ssh_with_key_file(key_file)
         f = tempfile.NamedTemporaryFile(delete=False)
         if emrutils.which('ssh') or emrutils.which('ssh.exe'):
-            command = [
-                'ssh',
-                '-o',
-                'StrictHostKeyChecking=no',
-                '-o',
-                'ServerAliveInterval=10',
-                '-i',
-                parsed_args.key_pair_file,
+            ssh_options = _build_ssh_options(parsed_args.ssh_options)
+            command = ['ssh'] + ssh_options + [
+                '-o', 'ServerAliveInterval=10',
+                '-i', parsed_args.key_pair_file,
                 constants.SSH_USER + '@' + master_dns,
                 '-t',
             ]
             if parsed_args.command:
                 command.append(parsed_args.command)
         else:
+            if parsed_args.ssh_options:
+                sys.stderr.write(PUTTY_SSH_OPTIONS_MSG)
             command = [
-                'putty',
-                '-ssh',
-                '-i',
-                parsed_args.key_pair_file,
-                constants.SSH_USER + '@' + master_dns,
-                '-t',
+                'putty', '-ssh', '-i', parsed_args.key_pair_file,
+                constants.SSH_USER + '@' + master_dns, '-t',
             ]
             if parsed_args.command:
                 f.write(parsed_args.command)
@@ -175,6 +233,11 @@ class Put(Command):
             'help_text': 'Source file path on local machine',
         },
         {'name': 'dest', 'help_text': 'Destination file path on remote host'},
+        {
+            'name': 'ssh-options',
+            'nargs': '+',
+            'help_text': SSH_OPTIONS_HELP_TEXT,
+        },
     ]
 
     def _run_main_command(self, parsed_args, parsed_globals):
@@ -187,27 +250,20 @@ def _run_main_command(self, parsed_args, parsed_globals):
         key_file = parsed_args.key_pair_file
         sshutils.validate_scp_with_key_file(key_file)
         if emrutils.which('scp') or emrutils.which('scp.exe'):
-            command = [
-                'scp',
-                '-r',
-                '-o StrictHostKeyChecking=no',
-                '-i',
-                parsed_args.key_pair_file,
+            ssh_options = _build_ssh_options(parsed_args.ssh_options)
+            command = ['scp', '-r'] + ssh_options + [
+                '-i', parsed_args.key_pair_file,
                 parsed_args.src,
                 constants.SSH_USER + '@' + master_dns,
             ]
         else:
+            if parsed_args.ssh_options:
+                sys.stderr.write(PUTTY_SSH_OPTIONS_MSG)
             command = [
-                'pscp',
-                '-scp',
-                '-r',
-                '-i',
-                parsed_args.key_pair_file,
-                parsed_args.src,
-                constants.SSH_USER + '@' + master_dns,
+                'pscp', '-scp', '-r', '-i', parsed_args.key_pair_file,
+                parsed_args.src, constants.SSH_USER + '@' + master_dns,
             ]
 
-        # if the instance is not terminated
         if parsed_args.dest:
             command[-1] = command[-1] + ":" + parsed_args.dest
         else:
@@ -237,6 +293,11 @@ class Get(Command):
             'help_text': 'Source file path on remote host',
         },
         {'name': 'dest', 'help_text': 'Destination file path on your machine'},
+        {
+            'name': 'ssh-options',
+            'nargs': '+',
+            'help_text': SSH_OPTIONS_HELP_TEXT,
+        },
     ]
 
     def _run_main_command(self, parsed_args, parsed_globals):
@@ -249,21 +310,16 @@ def _run_main_command(self, parsed_args, parsed_globals):
         key_file = parsed_args.key_pair_file
         sshutils.validate_scp_with_key_file(key_file)
         if emrutils.which('scp') or emrutils.which('scp.exe'):
-            command = [
-                'scp',
-                '-r',
-                '-o StrictHostKeyChecking=no',
-                '-i',
-                parsed_args.key_pair_file,
+            ssh_options = _build_ssh_options(parsed_args.ssh_options)
+            command = ['scp', '-r'] + ssh_options + [
+                '-i', parsed_args.key_pair_file,
                 constants.SSH_USER + '@' + master_dns + ':' + parsed_args.src,
             ]
         else:
+            if parsed_args.ssh_options:
+                sys.stderr.write(PUTTY_SSH_OPTIONS_MSG)
             command = [
-                'pscp',
-                '-scp',
-                '-r',
-                '-i',
-                parsed_args.key_pair_file,
+                'pscp', '-scp', '-r', '-i', parsed_args.key_pair_file,
                 constants.SSH_USER + '@' + master_dns + ':' + parsed_args.src,
             ]
 
diff --git a/tests/unit/customizations/emr/test_ssh_host_key.py b/tests/unit/customizations/emr/test_ssh_host_key.py
