
SSH on Linux: Disabling host key checking for hosts on local subnet (known_hosts)


This is the configuration I use for our ever-changing EC2 hosts:

    maxim@maxim-desktop:~$ cat ~/.ssh/config
    Host *amazonaws.com
        IdentityFile ~/.ssh/keypair1-openssh
        IdentityFile ~/.ssh/keypair2-openssh
        User ubuntu
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null

This disables host confirmation (StrictHostKeyChecking no) and also uses a nice hack to prevent ssh from saving the host identity to a persistent file (UserKnownHostsFile /dev/null). Note that as an added value I've added the default user with which to connect to the host and the option to try several different identity private keys.


Assuming you're using OpenSSH, I believe you can set the

CheckHostIP no

option to prevent host IPs from being checked in known_hosts. From the man page:

CheckHostIP

If this flag is set to 'yes', ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to 'no', the check will not be executed. The default is 'yes'.


This took me a while to find. The most common use-case I've seen is when you've got SSH tunnels to remote networks. All the solutions here produced warnings which broke my Nagios scripts.

The option I needed was:

NoHostAuthenticationForLocalhost yes

Which, as the name suggests, also only applies to localhost.
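
The following is an added example, not part of any answer on this page: a small auditor that reads an ssh_config and reports which Host patterns carry the settings discussed above, so you can confirm that relaxed host key checking is scoped only to the hosts you intended. The sample config is constructed, the `192.168.0.*` block is an assumed local subnet, and the function name `audit_ssh_config` is hypothetical.

```python
import re
import shlex

# Settings from the answers above that relax host authentication.
# Keys are lower-cased because ssh_config keywords are case-insensitive.
WEAKENING = {
    "stricthostkeychecking": {"no", "off"},
    "userknownhostsfile": {"/dev/null"},
    "checkhostip": {"no"},
    "nohostauthenticationforlocalhost": {"yes"},
}
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"

def audit_ssh_config(text):
    """Return (scope, keyword, value, line_number) for each relaxing setting.

    Each setting is reported in the block where it appears; ssh's
    first-obtained-value-wins precedence across blocks is not modelled.
    """
    findings = []
    scope = ["*"]  # settings before the first Host line apply to every host
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m:  # blank line or comment
            continue
        keyword, args = m.group(1), shlex.split(m.group(2))
        kw = keyword.lower()
        if kw == "host":
            scope = args
        elif kw == "match":
            scope = ["Match " + " ".join(args)]
        elif any(a.lower() in WEAKENING.get(kw, ()) for a in args):
            findings.append((tuple(scope), keyword, " ".join(args), lineno))
    return findings

# Constructed sample combining the options from the three answers.
SAMPLE = """\
Host *amazonaws.com
    IdentityFile ~/.ssh/keypair1-openssh
    User ubuntu
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

Host 192.168.0.*
    CheckHostIP=no
    StrictHostKeyChecking ask

Host *
    NoHostAuthenticationForLocalhost yes
"""

if __name__ == "__main__":
    for scope, keyword, value, lineno in audit_ssh_config(SAMPLE):
        print(f"line {lineno}: {keyword} {value} applies to {' '.join(scope)}")
```

Run it against `~/.ssh/config` and `/etc/ssh/ssh_config` by passing the file contents to `audit_ssh_config`; any finding whose scope is `*` affects every host you connect to.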