I want to connect to a host via SSH but I don't want the hostname to be added to my ~/.ssh/known_hosts.
How can I do that?
If you want this behavior because you're working with cloud servers (AWS EC2, Rackspace CloudServers etc.) or you're constantly provisioning new images in Vagrant, you may want to update your SSH config instead of adding bash aliases or more options on the command line.
Consider adding something like:
Host *.mydomain.com
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    User foo
    LogLevel QUIET
For a single ssh session, use this:
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@host
I feel like adding the host key to your known_hosts (the folks running these services are, in my experience, at least smart enough to keep their host keys consistent between machines serving the same hostname) and then turning on StrictHostKeyChecking, turning off CheckHostIP, and logging with LogLevel ERROR will give you the best experience without sacrificing security. (Ok, without CheckHostIP you do need to trust DNS, which is a huge gaping hole without widespread DNSSEC or something similar; but we'll just sweep that under the rug for the moment.)
I use a read-only known_hosts file, so I have to do something or I get endless warnings about not being able to add entries to known_hosts.
What I use:
Host github.com *.github.com
    StrictHostKeyChecking yes
    CheckHostIP no
    LogLevel ERROR
I would like these services to publish their SSH host keys on their websites via HTTPS, so I can copy them explicitly without having to connect first and potentially expose myself to a MITM attack.
I suggest
LogLevel ERROR
over
LogLevel QUIET
so you still get "Could not resolve hostname" and other such errors.
Have you tried disabling StrictHostKeyChecking? You can do it with the -o option or in the configuration file ~/.ssh/config.
With ssh ≥ 8.5 (check version with ssh -V) it is possible to use:
-o "UserKnownHostsFile=none"
Users of older ssh version can use:
-o "UserKnownHostsFile=/dev/null"
The change is documented here: https://bugzilla.mindrot.org/show_bug.cgi?id=2413
If your problem is using a different hostname for the same image, you can use:
-o HostKeyAlias=mysystem
It'll always use the same row in the known_hosts file.
I found the following .ssh/config entries useful (LAN with DHCP and DNS):
# ssh uses the first value it obtains for each option, so the specific block goes first
Host *.*
    CheckHostIP yes
Host *
    CheckHostIP no
The result is that local machine names "zora" or "goron" will not be checked against dynamically assigned IP addresses, but www.mycompany.com or node42.planetlab.com will still have their static IPs confirmed.
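
An audit sketch for the config blocks quoted in the answers above, added here as an example and not code from any of the posters or from OpenSSH: it resolves the options that apply to one hostname (the first obtained value wins, as ssh_config(5) specifies) and reports the settings that switch host key checking off. The function names and the sample config are constructed for illustration; Match blocks are ignored and patterns are matched with fnmatch, both of which are simplifications.

```python
import fnmatch
import re

# Constructed sample: the two kinds of Host block quoted in the answers above.
SAMPLE_CONFIG = """\
Host *.mydomain.com
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    LogLevel QUIET
Host github.com *.github.com
    StrictHostKeyChecking yes
    LogLevel ERROR
"""

def parse_blocks(text):
    """Return [(patterns, options)]; options before any Host line apply to every host."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key in ("host", "match"):  # simplification: Match blocks never apply
            blocks.append((value.split() if key == "host" else [], {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks

def effective(blocks, host):
    """Resolve options for host; a value set by an earlier block is never overridden."""
    opts = {}
    for patterns, options in blocks:
        hit = any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))
        veto = any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!"))
        if hit and not veto:
            opts = {**options, **opts}  # earlier values take precedence
    return opts

def audit(text, host):
    """Return {keyword: reason} for settings that weaken host key checking for host."""
    opts, found = effective(parse_blocks(text), host), {}
    if opts.get("stricthostkeychecking", "ask").lower() in ("no", "off"):
        found["stricthostkeychecking"] = "unknown host keys are accepted without a prompt"
    files = opts.get("userknownhostsfile", "~/.ssh/known_hosts").split()
    if all(f in ("/dev/null", "none") for f in files):
        found["userknownhostsfile"] = "no key is remembered, so a changed key goes unnoticed"
    if opts.get("loglevel", "INFO").upper() == "QUIET":
        found["loglevel"] = "host key warnings and other errors are suppressed"
    return found
```

Calling `audit(SAMPLE_CONFIG, "build1.mydomain.com")` reports all three settings, while `github.com` comes back clean; a `Host *` block placed above a stricter block silently wins, which is the ordering mistake this check catches.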