HowTo: Disable SSH Host Key Checking

By default, the SSH client verifies the identity of the host to which it connects.

If the remote host key is unknown to your SSH client, you are asked to accept it by typing “yes” or “no”.

This can cause trouble when a script connects automatically to a remote host over SSH.

This article explains how to bypass this verification step by disabling host key checking.

The Authenticity Of Host Can’t Be Established

When you log into a remote host that you have never connected to before, the remote host key is most likely unknown to your SSH client, and you are asked to confirm its fingerprint:

The authenticity of host ***** can't be established.
RSA key fingerprint is *****.
Are you sure you want to continue connecting (yes/no)?

If your answer is ‘yes’, the SSH client continues login, and stores the host key locally in the file ~/.ssh/known_hosts.

If your answer is ‘no’, the connection will be terminated.

If you would like to bypass this verification step, you can set the “StrictHostKeyChecking” option to “no” on the command line:

$ ssh -o "StrictHostKeyChecking=no" user@host

This option disables the prompt and automatically adds the host key to the ~/.ssh/known_hosts file without the fingerprint being checked.

Remote Host Identification Has Changed

However, even with “StrictHostKeyChecking=no”, the connection may be refused with the following warning message:

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:1
RSA host key for ***** has changed and you have requested strict checking.
Host key verification failed.

If you are sure that it is harmless and the remote host key has been changed in a legitimate way, you can skip the host key checking by sending the key to a null known_hosts file:

$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" user@host

You can also set these options permanently in ~/.ssh/config (for the current user) or in /etc/ssh/ssh_config (for all users).

The option can be set either for all hosts or for a given set of IP addresses.

Disable SSH host key checking for all hosts

Host *
   StrictHostKeyChecking no

Disable SSH host key checking For

Host 192.168.0.*
   StrictHostKeyChecking no
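
Once these options are in ~/.ssh/config or /etc/ssh/ssh_config they are easy to forget, so it helps to be able to list where host key checking has been turned off and for which hosts. The following is an added example, not part of the original article: the function name audit_ssh_config is hypothetical and the sample config is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): report ssh_config entries
# that turn host key verification off, with the Host/Match block they apply to.
# Output, one finding per line:  <file>:<line>: <scope>: <option> <value>

audit_ssh_config() {
    awk '
    FNR == 1 { scope = "(global)" }   # options before the first Host/Match apply to every host
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        sub(/[ \t\r]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        # ssh_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive
        if (!match(line, /[ \t=]+/)) next
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART + RLENGTH)
        if (key == "host")  { scope = "Host " val;  next }
        if (key == "match") { scope = "Match " val; next }
        gsub(/"/, "", val)             # values may be double-quoted
        lval = tolower(val)
        if (key == "stricthostkeychecking" && (lval == "no" || lval == "off"))
            print FILENAME ":" FNR ": " scope ": StrictHostKeyChecking " val
        if (key == "userknownhostsfile" && lval == "/dev/null")
            print FILENAME ":" FNR ": " scope ": UserKnownHostsFile " val
    }' "$@"
}

# Constructed sample config, so the example runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host 192.168.0.*
   StrictHostKeyChecking no
Host bastion
   StrictHostKeyChecking=accept-new
Host *
   stricthostkeychecking = OFF
   UserKnownHostsFile "/dev/null"
EOF
audit_ssh_config "$sample"
rm -f "$sample"
```

Run it as `audit_ssh_config ~/.ssh/config /etc/ssh/ssh_config`; a finding under `Host *` or `(global)` applies to every connection made with that config.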

13 Replies to “HowTo: Disable SSH Host Key Checking”

  1. Exactly what I needed. Thx for posting.

  2. Well explained.

  3. I was looking for a way to disable host checking from Python’s pexpect. -o “UserKnownHostsFile=/dev/null” did the job. Thank you.

  4. Feels like it’s a little irresponsible to tell people to do this without warning them of the dangers of doing so…

  5. Thanks!

  6. Thanks for this post, it is exactly what I need.

  7. Note: It is one thing to do this to allow a local IP address such as 192.168.x.x above, but it is risky to do with a remote host, etc. I would probably just edit ~/.ssh/known_hosts or wipe the file and start over if I am seeing the messages above.

  8. Thanks

  9. I was having big issues trying to back up to 2 NAS drives that were swapped out daily and were on the same IP.

    This fixed my problem nicely. Many thanks

  10. Thanks for this little HowTo 🙂
    Should anybody drop by using Windows you can use NUL instead of /dev/null, like UserKnownHostsFile=NUL for dropping any new hosts.

    1. It creates file named NUL I can’t delete… 🙁

  11. One more suggestion for scripting. In order to reduce noisiness, add
    -o “LogLevel=ERROR”
    This will eliminate repeated messages like “Warning: Permanently added ‘’ (ECDSA) to the list of known hosts.”

  12. !!!Warning!!! In the config file, entering the IP address of a host and then connecting via a hostname doesn’t seem to work (for me on Linux Mint 20). The “Host” heading must textually match the ‘host’ used in the ssh command.
    > cat ~/.ssh/config
    > ssh user@localhost
    does not work.
