The OpenSSH client writes the host keys of servers it has been used with into ~/.ssh/known_hosts. If there is no stored key for a host, the client issues a warning and asks for confirmation before connecting:
ssh bohrg1.man.ac.uk -l simonh
The authenticity of host 'server.man.ac.uk (130.88.456.789)' can't be established.
RSA key fingerprint is 90:...................................:ab.
Are you sure you want to continue connecting (yes/no)?
Answering "yes" stores the identification/key and continues the connection. On subsequent connections the stored key is compared with the one newly received; if the host's identification (key) has changed, a similar warning is issued, or, if StrictHostKeyChecking is set, the client refuses the connection.
These procedures help prevent server spoofing and man-in-the-middle attacks. If StrictHostKeyChecking is set, the only way to connect to a server whose identification/key has changed is to manually remove the stored key from ~/.ssh/known_hosts.
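The three outcomes described above (no stored key, matching key, changed key) and the effect of StrictHostKeyChecking can be modelled on a known_hosts file directly. The following is an added example written for this page; it is not OpenSSH's code. Everything in it is constructed: the host names, the placeholder key blobs, the salt and the file contents. It goes slightly beyond the text in also handling entries written in the hashed form produced when HashKnownHosts is on (the `|1|salt|hmac` pattern, an HMAC-SHA1 of the host name keyed with the salt), and it includes a `remove_host_key` helper that does what the manual removal of a stored key achieves.

```python
"""Model of the OpenSSH client's known_hosts check (added illustration, not ssh's code).

Assumptions: the known_hosts text, host names, salt and key strings below are
constructed for this example; the key blobs are placeholders, not real keys.
"""
import base64
import hashlib
import hmac
from enum import Enum

# Constructed placeholder key blobs (not real public keys).
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
KEY_H = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH"


def hashed_host_pattern(hostname: str, salt: bytes) -> str:
    """Build a HashKnownHosts-style pattern: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


# Constructed known_hosts contents: one plain entry listing the host, an alias
# and its address, plus one hashed entry (as written when HashKnownHosts is on).
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; comment lines are ignored",
    "server.example.org,server,192.0.2.10 ssh-ed25519 " + KEY_A,
    hashed_host_pattern("hashed.example.org", bytes(range(20))) + " ssh-ed25519 " + KEY_H,
    "",
])


class Verdict(Enum):
    UNKNOWN = "no stored key: ask the user before storing it"
    MATCH = "stored key matches: continue"
    CHANGED = "stored key differs: possible spoofing or man-in-the-middle"


def parse_known_hosts(text: str):
    """Yield (host_patterns, key_type, key_blob) for each key line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):        # @cert-authority / @revoked markers: out of scope here
            fields = fields[1:]
        if len(fields) < 3:
            continue
        yield fields[0], fields[1], fields[2]


def pattern_matches(patterns: str, hostname: str) -> bool:
    """True if the comma-separated host field covers hostname (plain or hashed form)."""
    for pat in patterns.split(","):
        if pat.startswith("|1|"):
            _, _, salt_b64, hash_b64 = pat.split("|")
            salt = base64.b64decode(salt_b64)
            digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(base64.b64encode(digest).decode(), hash_b64):
                return True
        elif pat == hostname:
            return True
    return False


def check_host_key(known_hosts: str, hostname: str, key_type: str, key_blob: str,
                   strict: bool = False):
    """Classify a received host key against known_hosts; return (verdict, action)."""
    stored = [(kt, kb) for pats, kt, kb in parse_known_hosts(known_hosts)
              if pattern_matches(pats, hostname)]
    if not stored:
        verdict = Verdict.UNKNOWN
    elif (key_type, key_blob) in stored:
        verdict = Verdict.MATCH
    else:
        verdict = Verdict.CHANGED
    if verdict is Verdict.MATCH:
        action = "continue"
    elif strict:
        action = "refuse"       # StrictHostKeyChecking: never add or accept an unverified key
    elif verdict is Verdict.UNKNOWN:
        action = "prompt"       # the "Are you sure you want to continue connecting" question
    else:
        action = "warn"         # changed-key warning, as the text above describes
    return verdict, action


def remove_host_key(known_hosts: str, hostname: str) -> str:
    """Drop every entry covering hostname (what a manual edit of known_hosts achieves)."""
    kept = []
    for raw in known_hosts.splitlines():
        fields = raw.split()
        idx = 1 if fields and fields[0].startswith("@") else 0
        if len(fields) > idx and not fields[idx].startswith("#") \
                and pattern_matches(fields[idx], hostname):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for host, blob, strict in [("server.example.org", KEY_A, False),
                               ("server.example.org", KEY_B, False),
                               ("server.example.org", KEY_B, True),
                               ("other.example.org", KEY_A, False)]:
        print(host, strict, check_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", blob, strict))
```

Real ssh additionally supports wildcards, negated patterns and `[host]:port` forms in the host field, which this model omits; its comparison of hashed entries is the reason a hashed known_hosts file can only be searched by host name, not listed.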