prompt to update a host key

Jeremy Lin jeremy.lin at
Fri Mar 15 10:49:04 AEDT 2019

As far as I can tell, there currently isn't a straightforward way to
use password authentication for connecting to hosts where the host key
changes frequently. I realize this is a fairly niche use case, but
when developing software for devices that often get reimaged
(resulting in a host key change), it can get pretty tedious to attempt
to connect, get a warning, remove the old host key via text editor or
"ssh-keygen -R", and then connect again.

I'd like to propose adding a new StrictHostKeyChecking option, named
something like "ask-update" or "ask-to-update". This would be like
"ask", except it would prompt the user to update a host key if it has
changed (after printing a suitably scary warning). When connecting to
an unknown host, it would be equivalent to "ask".

I expect users would enable it explicitly for a limited set of hosts,
e.g. by adding a config section like

Host 192.168.0.*
StrictHostKeyChecking ask-update

If this idea sounds acceptable, I could potentially work on it, but I
don't mind at all if someone else is interested in doing it.


More information about the openssh-unix-dev mailing list