
SSH StrictHostKeyChecking option

The SSH client refuses to connect to a system when it sees that the host key has changed since the initial connection it made. This helps against man-in-the-middle (MitM) attacks. The client knows that the host key is different by comparing it with the entry for that host in the ~/.ssh/known_hosts file.

Values

Value        Automatically save new host keys    Action if host key changed
yes          No                                  Refuse
ask          No, ask                             Refuse
accept-new   Yes                                 Refuse
no or off    Yes                                 Connect

When connecting to many different systems, the accept-new value can help reduce the manual step of accepting new keys, while still refusing changed ones.
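To show how the client reaches the decisions in the table, here is an added example (not code from the article or from OpenSSH) that models the two steps: looking up the host in a known_hosts file, including entries stored with hashed hostnames, and applying the StrictHostKeyChecking value. The hostnames, the salt and the key strings are constructed placeholders; markers such as @revoked and @cert-authority are left out of this simplified model.

```python
import base64
import hashlib
import hmac

# Constructed sample known_hosts content (placeholder keys, not real ones): one plain
# entry and one entry whose hostname is stored hashed (the HashKnownHosts format).
_SALT = b"constructed-salt-20b"  # 20-byte salt, constructed for this example

def hashed_hostname(host, salt=_SALT):
    """Build a '|1|salt|hmac' known_hosts name field for host (HMAC-SHA1 over the name)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

KNOWN_HOSTS = "\n".join([
    "# constructed entries; key material is a placeholder",
    "web01.example.test,10.0.0.5 ssh-ed25519 AAAAC3Nza-WEB01-PLACEHOLDER",
    hashed_hostname("db01.example.test") + " ssh-ed25519 AAAAC3Nza-DB01-PLACEHOLDER",
])

def lookup_key(known_hosts, host, keytype):
    """Return the key stored for (host, keytype), or None if the host is unknown."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        names, ktype, key = parts[0], parts[1], parts[2]
        if ktype != keytype:
            continue
        if names.startswith("|1|"):
            # Hashed entry: recompute the HMAC over the hostname with the stored salt.
            _, _, salt_b64, mac_b64 = names.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return key
        elif host in names.split(","):
            return key
    return None

def decide(stored, presented, strict):
    """Apply the StrictHostKeyChecking table to a stored and a presented host key."""
    strict = strict.lower()
    if stored is None:                      # first contact, no entry yet
        if strict == "yes":
            return "refuse"
        if strict == "ask":
            return "ask"
        return "connect-and-save"           # accept-new, no, off
    if stored == presented:
        return "connect"
    return "connect" if strict in ("no", "off") else "refuse"   # host key changed
```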

Default value

By default this option is set to ask. This is a sane default that is suitable for most systems.

When to use

Disabling this check is normally not advised, as there is typically a good reason why a host key changed. Maybe the system administrator replaced the host keys with another key type, but it might also be a deliberate attack. So disable the check only in trusted environments where the risks are low.


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
