By default SSH stores fingerprints for servers it knows about in its known_hosts file. If you have ephemeral hosts (containers, virtual machines, elastic clusters), then you might not want to fill the file up with temporary machines.
Some time ago OpenSSH added the UserKnownHostsFile option, where you can choose a different file. If you also set HashKnownHosts to no for the temporary files, it's easy to clean up after the ephemeral host goes away.
ssh -o UserKnownHostsFile=~/.ssh/known_hosts_tmp -o HashKnownHosts=no tmphost
That example would put the fingerprint for tmphost in ~/.ssh/known_hosts_tmp rather than the default file.
The entry in ~/.ssh/known_hosts_tmp would include tmphost, so it is easy enough to find and delete when tmphost is deleted. It would also leave normal ssh alone, so you could still hash hostnames in your default known_hosts file.
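The cleanup step described above, as an added example that is not part of the original post: a small POSIX sh script that removes every entry for one host from an unhashed temporary known_hosts file, run here against a constructed sample with placeholder key blobs rather than a real ~/.ssh/known_hosts_tmp.

```shell
#!/bin/sh
# Added example (not from the original post). Removes the entries for one
# ephemeral host from a separate, unhashed known_hosts file. The sample file
# and the key blobs in it are constructed placeholders, not real keys.
set -eu

# Drop every line whose hostname field names "$2". The field is a
# comma-separated alias list, optionally written as [host]:port, and may be
# preceded by a @cert-authority / @revoked marker. Hashed lines (|1|salt|hash)
# cannot be matched by name, which is why HashKnownHosts=no matters here.
remove_known_host() {
  file=$1; host=$2
  awk -v h="$host" '
    /^[[:space:]]*(#|$)/ { print; next }          # keep comments and blank lines
    {
      f = ($1 ~ /^@/) ? 2 : 1                     # skip a leading @marker field
      n = split($f, names, ",")
      keep = 1
      for (i = 1; i <= n; i++) {
        name = names[i]
        sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name)   # [host]:port -> host
        if (name == h) keep = 0
      }
      if (keep) print
    }' "$file" > "$file.new" && mv "$file.new" "$file"
}

# Count entries (non-comment, non-blank lines) in a known_hosts file.
count_known_hosts() {
  grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}

# Constructed sample: what ~/.ssh/known_hosts_tmp might hold after a few
# "ssh -o UserKnownHostsFile=... -o HashKnownHosts=no" sessions.
make_sample() {
  cat > "$1" <<'EOF'
# temporary hosts only; safe to edit by hand
tmphost,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA0000000000000000000
[tmphost]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA1111111111111111111
builder-7 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIPLACEHOLDER222222222222222
EOF
}
```

On a machine with OpenSSH installed, `ssh-keygen -R tmphost -f ~/.ssh/known_hosts_tmp` does the same job and also handles hashed entries; the awk version is here so the example runs offline without it.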
Some people suggest setting StrictHostKeyChecking to no and not using a known_hosts file. Please don't do that. If you're not checking keys, then you're open to a man-in-the-middle attack. Your network isn't as secure as you think it is. Also, typos happen.