Disable strict host key checking for DASH

Owned by Daniel Somers
Jul 27, 2023
1 min read

When connecting to dash.duhs.duke.edu, your ssh client is sent by random to one of two login nodes. If you've saved the public ssh host key for one login node in your ssh client's ~/.ssh/known_hosts file and then land on the other login node, your ssh client may complain about mismatched saved host keys. The warning from your ssh client would look like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is

Please contact your system administrator.
Add correct host key in <NetID>/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in <NetID>/.ssh/known_hosts:9
ECDSA host key for dash.duhs.duke.edu has changed and you have requested strict checking.
Host key verification failed.

It is safe to manually edit ~/.ssh/known_hosts to remove the offending line (line 9 in the above example), but the same thing would then recur the next time you've saved one login node's host key and then land on the other login node. It is best to quash the warning permanently with an edit to ~/.ssh/config .

Step-by-step guide

To disable strict host key checking for DASH:

  1. Open your workstation's ~/.ssh/config file in your text editor. You can create the config file if it does not exist. 
  2. Add an entry like this:


Host dash.duhs.duke.edu
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
        User <NetID>
        LogLevel QUIET