ssh StrictHostKeyChecking=no refuse connection when key changed

Anton Shterenlikht mexas at
Mon Apr 28 09:38:05 UTC 2008

On Fri, Apr 25, 2008 at 09:37:13AM -0700, Chuck Swiger wrote:
> On Apr 25, 2008, at 9:09 AM, Anton Shterenlikht wrote:
> >Is it normal that StrictHostKeyChecking=no in .ssh/config
> >still refuses ssh connection when host ID has changed.
> >
> >I've a setup in which host ids change frequently. How
> >can I setup ssh so that it ignores key change.
> You'd be better off fixing whatever it is that is making your host IDs  
> change, but I suppose you  could also try to create a zero-length  
> known_hosts file, and keep it that way via:
>   chflags uchg ~/.ssh/known_hosts
> You might also try to automate finding the current valid hostkeys via  
> ssh-keyscan.

Chuck, perhaps I should explain better what's going on.

I've a VMS cluster behind a FBSD frontend, acting as a router and
a firewall. (Don't ask why.. the Uni are not happy to connect VMS
to the local network directly. Just because they haven't been using
it for 10 year, they think it is not secure - what nonsence, but

I access VMS cluster using ssh with port forwarding. In case a node
in my VMS cluster goes down, its IP is automatically given to another
alive VMS node - a VMS cluster feature. For example:

Imagine the VMS cluster consisting of 2 nodes - Node1 and Node2.
The IP are:

Node1 (failover to
Node2 (failover to

and in ipnat.rules:

rdr dc0 xx.xx.xx.xx port xxxxx -> port 22

This works fine until Node1 is down, in which case the cluster
software directs all connections to to Node2. Since
its key doesn't match what's in known_hosts, the connection is

At present I tune the VMS cluster and reboot individual nodes
frequently. I'd like to be able to tell ssh to ignore key mismatch
at this stage.

many thanks

Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 928 8233 
Fax: +44 (0)117 929 4423

More information about the freebsd-questions mailing list