« Back to SSH client configuration

SSH StrictHostKeyChecking option

The SSH client won’t connect to a system when it sees that host key changed since the initial connection it made. This helps against MitM attacks. The client knows when the host key is different by comparing it with the related values in the ~/.ssh/known_hosts file.


ValueAutomatically save new host keysAction if host key changed
askNo, askRefuse
no | offYesConnect

When connecting to many different systems, the accept-new value can help reducing the manual step to accept keys.

Default value

By default this option is set to ask. This is a sane default, that is suitable for most systems.

When to use

Disabling this check is normally not advised, as there is typically a good reason why host keys change. Maybe the system administrator replaced the host keys by another type, but it might also be a deliberate attack. So use this option only in trusted environments where the risks are low.


Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon