Don't add hostkey to known_hosts for SSH

I want to connect to a host via SSH but I don't want the hostname to be added to my ~/.ssh/known_hosts.

How can I do that?


Solution 1:

If you want this behavior because you're working with cloud servers (AWS EC2, Rackspace CloudServers, etc.) or you're constantly provisioning new images in Vagrant, you may want to update your SSH config instead of adding bash aliases or more options on the command line.

Consider adding something like:

Host *.mydomain.com
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  User foo
  LogLevel QUIET

  • Use as strict a regex for the host as possible to be secure.
  • Setting the LogLevel to QUIET will keep the warning which Guillaume mentioned from showing up.

Solution 2:

-o "UserKnownHostsFile=/dev/null"

should work.

Solution 3:

For a single ssh session, use this:

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@host

Solution 4:

I feel like adding the host key to your known_hosts (the folks running these services are, in my experience, at least smart enough to keep their host keys consistent between machines serving the same hostname) and then turning on StrictHostKeyChecking, turning off CheckHostIP, and logging with LogLevel ERROR will give you the best experience without sacrificing security. (Ok, without CheckHostIP you do need to trust DNS, which is a huge gaping hole without widespread DNSSEC or something similar; but we'll just sweep that under the rug for the moment.)

I use a read-only known_hosts file, so I have to do something or I get endless warnings about not being able to add entries to known_hosts.

What I use:

Host github.com *.github.com
  StrictHostKeyChecking yes
  CheckHostIP no
  LogLevel ERROR

I would like these services to publish their SSH host keys on their websites via HTTPS, so I can copy them explicitly without having to connect first and potentially expose myself to a MITM attack.
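
To review an existing ssh_config for the settings discussed in the answers above, the following Python (an added example, not part of any answer) flags Host blocks that turn off host key verification and reports how broad their patterns are. `SAMPLE` is constructed from the two configs on this page plus a hypothetical catch-all block; `parse_blocks` and `audit` are names chosen here, and `Match` and `Include` are not handled.

```python
import re

# Constructed sample: the two configs from the answers plus a hypothetical "Host *" block.
SAMPLE = """\
Host *.mydomain.com
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  LogLevel QUIET
Host github.com *.github.com
  StrictHostKeyChecking yes
  CheckHostIP no
Host *
  StrictHostKeyChecking=no
"""

def parse_blocks(text):
    """Return [(patterns, options)]; options before the first Host line are global."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        # ssh_config accepts "Keyword value" and "Keyword=value"; comments never match
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            # within a block, the first value given for a keyword wins
            blocks[-1][1].setdefault(key, value)
    return blocks

def audit(text):
    """Return one finding per Host block that weakens host key verification."""
    findings = []
    for patterns, opts in parse_blocks(text):
        issues = []
        if opts.get("stricthostkeychecking", "").lower() in ("no", "off"):
            issues.append("new and changed host keys are accepted")
        if opts.get("userknownhostsfile", "").lower() == "/dev/null":
            issues.append("host keys are never stored")
        if issues and opts.get("loglevel", "").lower() == "quiet":
            issues.append("warnings are suppressed")
        if not issues:
            continue
        broad = any(set(p) <= set("*?") for p in patterns)
        wild = any(c in p for p in patterns for c in "*?")
        scope = "every host" if broad else "wildcard" if wild else "exact"
        findings.append({"host": " ".join(patterns), "scope": scope, "issues": issues})
    return findings
```

`audit(SAMPLE)` reports the `*.mydomain.com` and `*` blocks and leaves the github.com block alone. The audit looks at each block separately; to see the merged settings ssh would actually use for one host, run `ssh -G host`.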