By default, the SSH client verifies the host key of a remote machine against a local file called known_hosts. Machines which you connect to that aren't already in this local store are automatically added. The idea is that by verifying your remote machine against a list of known, trustworthy machines, you can help mitigate attacks such as a man-in-the-middle (MITM) attack from a malicious user. There are times, however, when you may wish to connect to a remote machine without storing its key in the known_hosts file.
When you log into a remote machine and the client is unable to find a match in the local store, it will prompt you to verify the fingerprint of the remote as a valid, known host. You may receive something similar to:
$ ssh sandbox
The authenticity of host 'sandbox (10.0.0.10)' can't be established.
RSA key fingerprint is 97:8c:1b:f2:6f:14:66:3b:5c:ec:ba:76:13:47:5d:20.
Are you sure you want to continue connecting (yes/no)?
If you answer yes, the fingerprint is saved into known_hosts, and you will no longer be prompted on future connections. Before bypassing this check, please make sure that you are absolutely certain of the remote machine you are connecting to, and you are sure it is harmless.
Assuming you are ready to proceed, you can use the following method, which uses the StrictHostKeyChecking and UserKnownHostsFile options to avoid being prompted.
$ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no sandbox
Warning: Permanently added '10.0.0.10' (RSA) to the list of known hosts.
[email protected]'s password:
In this example, we are tricking SSH into using the bit bucket (/dev/null) for the local known hosts store, where the fingerprints are simply discarded, and telling it to skip strict verification of the connection. As a result, every connection to any host is treated as a first-time connection and is automatically trusted, so a changed host key will not raise a warning.
Although it should also be possible to put these options in your ssh config file, I would highly recommend against it, as this will expose you to a greater risk of MITM attacks. However, it should be easy enough to create an alias for using unverified ssh when needed:
$ alias ussh='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
$ ussh sandbox
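Since these two options are risky when they end up in an ssh config file, here is one way to check a config file for them. This is an added example, not part of the original article: the function name audit_ssh_config and the sample config are constructed for illustration, and the check reads a single file without following Include directives.

```shell
# Added example (not from the original article): flag ssh_config lines that
# disable host key verification. Prints FILE:LINE: [scope] keyword value
# for each hit and returns 1 if any were found, 0 otherwise.
audit_ssh_config() {
    awk -v file="$1" '
        function report(kw, val) {
            printf "%s:%d: [%s] %s %s\n", file, NR, scope, kw, val
            found = 1
        }
        BEGIN { scope = "global" }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /^[^ \t=]+/)) next
            kw  = tolower(substr(line, 1, RLENGTH))   # keywords are case-insensitive
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)      # separator: whitespace and/or "="
            sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)                   # arguments may be quoted
            if (kw == "host" || kw == "match") {
                scope = (kw == "host" ? "Host " : "Match ") val
                next
            }
            lval = tolower(val)
            if (kw == "stricthostkeychecking" && (lval == "no" || lval == "off"))
                report("StrictHostKeyChecking", val)
            # only the exact /dev/null case from the article is flagged
            if (kw == "userknownhostsfile" && val == "/dev/null")
                report("UserKnownHostsFile", val)
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample config, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host sandbox
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
Host *
    StrictHostKeyChecking yes
EOF
audit_ssh_config "$sample" || echo "host key verification is disabled in the entries above"
rm -f "$sample"
```

The scope in brackets shows which Host or Match block a setting applies to; a hit under "Host *" or "global" affects every connection, which is the case the article recommends against.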