HELP: Host key verification mode or host key fingerprint [STRICT] TYPE: STRING SYNTAX: HOSTKEYCHECK='str'/STRICT/ASK/WARN/ACCEPTANY
When an SSH client connects to an SSH server, the server identifies itself by sending its public key. It is an essential part of the security of SSH that the client must validate the server's public key to make sure that it belongs to the intended (trusted) host and not to an eavesdropper / man-in-the-middle.
The file <HOME>/.ssh/known_hosts is used to store combinations of trusted hosts and their public keys. Entries in this file can be added manually or can be added when establishing a connection for the first time. In any case, you should have verified that the host keys you add belong to the intended party. The known hosts file format is identical to and fully compatible with the known_hosts format of OpenSSH.
The HOSTKEYCHECK selection specifies how strictly the host key sent by the server is verified, which decides whether to continue connecting and whether to add the key to the known_hosts file.
Here are the available options in descending order of security:
<Fingerprint>
- You can specify a specific fingerprint that must match the public key sent by the server. If it does not, the connection is terminated. If the key is not in the known hosts file, it is added. Hence, this mode is also suitable for adding a host key to the known_hosts file upon the first connection to a host in an environment where you cannot manually verify the host key (e.g. in a batch job), without accepting any (potentially untrusted) arbitrary key.
The fingerprint is a hexadecimal MD5 checksum of the host's public key with bytes separated by colons (e.g. 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff). It is always printed to the log (INFO level) when connecting.

STRICT
- The host key sent by the server must match one of the keys that are stored in the known_hosts file for this host. Otherwise, the connection is terminated; this includes new/unknown hosts.

ASK
- Like STRICT, but prints an interactive prompt when connecting to a server for the first time and offers to add the known_hosts entry after you confirm the key's authenticity.

WARN
- Connecting will continue even if the server sends an unknown host key. If no matching known_hosts entry exists, a warning is printed to the log about the connection being potentially compromised.

ACCEPTANY
- Like WARN, but additionally adds the host key to the known_hosts file if no such entry exists. Hence, you explicitly trust any key that the server sends, and that trust also extends to future connections in STRICT mode.

Don't use host key check levels below ASK unless you know what you are doing. By allowing arbitrary host keys, your connections can be intercepted easily.
STRICT - Verify host key against known_hosts, abort if not present or on host key mismatch
ASK - Like STRICT, but asks when the key is not present (interactive)
WARN - Prints a warning when there is no matching entry in the known_hosts file, but continues (unsafe)
ACCEPTANY - Accepts any host key and adds it to known_hosts if not present (unsafe)
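As an added illustration, not part of this help text or the client's own code: a small Python model of the decision each HOSTKEYCHECK value makes, including the colon-separated MD5 fingerprint format described above (ASK is left out because it needs an interactive prompt). The host name, key bytes and known_hosts contents are constructed for the example, and only plain (unhashed) known_hosts host names are handled.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key (not a real host key): an Ed25519 public key blob in
# OpenSSH format, i.e. the key type string followed by 32 key bytes.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()


def md5_fingerprint(key_line: str) -> str:
    """MD5 of the decoded key blob, hex bytes separated by colons (as logged)."""
    blob = base64.b64decode(key_line.split()[1])
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def known_keys(known_hosts: str, host: str) -> set:
    """'keytype base64' entries stored for host (plain, unhashed host names only)."""
    keys = set()
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#") and host in parts[0].split(","):
            keys.add(parts[1] + " " + parts[2])
    return keys


def check_host_key(mode: str, host: str, server_key: str, known_hosts: str):
    """Return (connect, add_to_known_hosts, message) for one connection attempt.

    mode is STRICT, WARN, ACCEPTANY or a colon-separated MD5 fingerprint.
    """
    key = " ".join(server_key.split()[:2])        # drop any trailing comment
    known = key in known_keys(known_hosts, host)
    fp = md5_fingerprint(key)
    if mode.count(":") == 15:                      # pinned fingerprint (16 bytes)
        if fp != mode.lower():
            return False, False, f"fingerprint mismatch: server sent {fp}"
        return True, not known, f"fingerprint {fp} verified"
    if mode == "STRICT":
        return known, False, "known host key" if known else "unknown host key, aborting"
    if mode == "WARN":
        return True, False, "known host key" if known else "WARNING: unknown host key, connection may be intercepted"
    if mode == "ACCEPTANY":
        return True, not known, "known host key" if known else "unknown host key accepted and stored"
    raise ValueError(f"unsupported HOSTKEYCHECK value: {mode}")
```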