How to Temporarily Bypass SSH Host Key Verification for a Single Connection


2 views

When you encounter the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED" message, SSH is protecting you from potential man-in-the-middle attacks. However, there are legitimate cases where you might need to temporarily bypass this check:

# Example warning you might see
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Instead of disabling host key checking entirely, use these targeted approaches:

Method 1: Using -o StrictHostKeyChecking=no

The safest temporary solution is to add a one-time override:

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user@host

This command:

  • Prevents saving the new key to your known_hosts file
  • Temporarily disables strict checking for this session only

Method 2: Using a Temporary Known Hosts File

Create an empty temporary file for just this connection:

touch /tmp/empty_known_hosts
ssh -o UserKnownHostsFile=/tmp/empty_known_hosts -o StrictHostKeyChecking=no user@host
rm /tmp/empty_known_hosts

Method 3: Removing the Specific Offending Key

The error message tells you exactly which line contains the old key:

# Example from the error message:
Offending RSA key in /Users/alexus/.ssh/known_hosts:155

# Remove just that line:
sed -i '' '155d' ~/.ssh/known_hosts

If you regularly encounter this with known hosts:

For Cloud Environments with Ephemeral IPs

ssh -o StrictHostKeyChecking=accept-new user@host

When Using Host Key Rotation

Create a script to automatically update keys:

#!/bin/bash
HOST="10.52.11.171"
ssh-keygen -R "$HOST"
ssh-keyscan "$HOST" >> ~/.ssh/known_hosts

Remember these important security notes:

  • Never add -o StrictHostKeyChecking=no to your SSH config file
  • In production environments, use proper host key management
  • Consider using SSH certificates instead of host keys for dynamic environments

When you encounter the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED" message, SSH is protecting you from potential man-in-the-middle attacks. This occurs when:

  • The server's host key has legitimately changed (common in cloud environments)
  • The server was reinstalled
  • You're connecting to a different machine at the same IP
  • DNS records have changed

For development or testing scenarios where you're certain the change is legitimate:

# Method 1: One-time connection with strict checking disabled
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@host

# Method 2: Remove just the problematic entry
ssh-keygen -R 10.52.11.171  # Remove specific host
ssh-keygen -f ~/.ssh/known_hosts -R 10.52.11.171  # Alternative syntax

For repeated connections during a session, add to ~/.ssh/config:

Host 10.52.11.*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    LogLevel QUIET

Avoid these methods in production environments. Instead:

  1. Verify the new host key fingerprint with your admin
  2. Manually update known_hosts with ssh-keyscan
# Get the new fingerprint
ssh-keyscan -t rsa 10.52.11.171 >> ~/.ssh/known_hosts

For scripts that need to handle this automatically:

#!/bin/bash
IP="10.52.11.171"
ssh-keygen -R "$IP" >/dev/null 2>&1
ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 user@"$IP" || {
    echo "Connection failed even after bypass"
    exit 1
}