Normally, when you SSH to a new server, you’ll get a message that looks like this:
The authenticity of host ***** can't be established.
RSA key fingerprint is *****.
Are you sure you want to continue connecting (yes/no)?
This becomes annoying when you’re testing new server setups and you’re quickly building and tearing down new servers.
This message is mostly controlled by the StrictHostKeyChecking setting in your ~/.ssh/config file.
There are many recommendations on the web to simply disable StrictHostKeyChecking like this:
StrictHostKeyChecking no
However, the reason you get the message in the first place is to prevent man-in-the-middle attacks. Without StrictHostKeyChecking, the host will be added to your known_hosts file automatically with a message that is easily missed.
The above config will still result in a warning about key changes, so another suggestion for when you really trust that you’re connecting to the correct host is to do this:
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
This is the most convenient, but the least secure, disabling all host key checking and sending keys into the ether! This is perfectly fine for servers that you’re constantly creating and tearing down for experiments.
But:
Checking the ssh_config man page, there is another option!
StrictHostKeyChecking accept-new
This option automatically adds new host keys to your known hosts, but won’t connect to hosts with changed keys. On a per-host configuration in an ~/.ssh/config file, it looks like this:
Host somehost
IdentityFile ~/.ssh/mykey.pem
IdentitiesOnly yes
User someuser
HostName an.ip.add.ress
StrictHostKeyChecking accept-new
StrictHostKeyChecking options
Here are all the options for StrictHostKeyChecking:
| flag | Add keys automatically? | Connect to hosts with changed host key? |
|---|---|---|
| yes | Never | No |
| ask | Yes, w/confimation | No |
| accept-new | Yes | No |
| no/off | Yes | Yes, w/restrictions |