Temporarily ignore my `~/.ssh/known_hosts` file?

ssh linux

Is there a way to temporarily ignore my ~/.ssh/known_hostsfile?

mbp:~ alexus$ ssh 10.52.11.171
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Please contact your system administrator.
Add correct host key in /Users/alexus/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/alexus/.ssh/known_hosts:155
RSA host key for 10.52.11.171 has changed and you have requested strict checking.
Host key verification failed.
mbp:~ alexus$

NOTE:

.. by a few answer(s)/comment(s) i realize that my question is a bit misleading, so short it is expected behavior), so it's normal (in my case) there is a valid reason behind it on why I want to see "ignore it")


You can use ssh -o StrictHostKeyChecking=no to turn off checking known_hosts momentarily. But I'd advise against this. You should really check why the host key has changed.

Another option is to add a specific entry to your ~/.ssh/config for the host in question. This might be valid approach if you have a certain host which generates new host keys every time it reboots and it gets rebooted for a valid reason several times a day.

Host <your problematic host>
  StrictHostKeyChecking no

To completely ignore your known hosts file in a POSIX environment, set the GlobalKnownHostsFile and UserKnownHostsFile options to /dev/null:

ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null user@host

Setting the StrictHostKeyChecking=no option will allow you to connect but SSH will still show a warning:

ssh -o StrictHostKeyChecking=no user@host

As others have noted, it's probably better to address the underlying issue. You could consider SSH certificate authentication to verify hosts, for example.


If you have reinstalled the server and therefore the Identification has changed, you should just delete the specified line 155 from /Users/alexus/.ssh/known_hosts and go ahead.

If you switch between different private networks, you should use hostnames to connect instead, as the ssh client will also save keys depending on the hostname. Add something like this to your /etc/hosts:

10.52.11.171 server1
10.52.11.171 server2

and then use ssh server1 when connected to subnet 1 and ssh server2 when connected to subnet2. This way, both servers can have different hostkeys.


-o StrictHostKeyChecking=no only works if host isn't already present in known_hosts file.

I think it is cleaner (no warnings), if you expect hosts key to change maybe due to vm cloning, to enforce ignoring of those kind of hosts like this:

# Handle possible SSH key changes
host_key=$(ssh-keyscan -t rsa ${host_ip})
grep "${host_key}" ~/.ssh/known_hosts >/dev/null || {
    ssh-keygen -R ${host_ip}
    echo ${host_key} >>  ~/.ssh/known_hosts
}

# connect as normal way
ssh root@${host_ip} "hostname"

Related

How to get TX/RX bytes without ifconfig?
How does a team of Systems Administrators share passwords securely?
swap partition vs file for performance?
How to change fontFamily of TextView in Android
What is a mutex?
Fetch: POST JSON data
What is a lambda (function)?
LINQ equivalent of foreach for IEnumerable<T>
Is there a link to the "latest" jQuery library on Google APIs? [duplicate]
Git asks for username every time I push
How to generate a random string in Ruby
Node.js Best Practice Exception Handling