The OpenSSH client records the host keys of servers it has connected to in ~/.ssh/known_hosts. If there is no stored key for a host, the client issues a warning and asks for confirmation before continuing with the connection:
$ ssh bohrg1.man.ac.uk -l simonh
The authenticity of host 'server.man.ac.uk (130.88.456.789)' can't be established.
RSA key fingerprint is 90:...................................:ab.
Are you sure you want to continue connecting (yes/no)?

Answering "yes" stores the host's key and continues the connection. On subsequent connections the stored key is compared with the key the server presents; if the host's key has changed, a similar warning is issued, or, if StrictHostKeyChecking is set, the client refuses the connection.
These checks help prevent server spoofing and man-in-the-middle attacks. If StrictHostKeyChecking is set, the only way to connect to a server whose key has changed is to remove the stale entry from ~/.ssh/known_hosts by hand.
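The following is an added example, not code from the page or from OpenSSH itself. It models the client-side decision described above: look the host up in a known_hosts file (both the plain comma-separated host list and the hashed |1|salt|hmac| form that OpenSSH writes when HashKnownHosts is enabled), compare the stored key with the one the server presents, and report what a client would do under StrictHostKeyChecking=yes, ask or no. The sample known_hosts contents, the salt and the key blobs are constructed placeholders, and the decision table is a simplified model of the real client (which, with "ask", also refuses on a changed key). remove_host mirrors what `ssh-keygen -R host` does when a stale entry has to be removed.

```python
import base64
import hashlib
import hmac
from enum import Enum
from typing import Optional, Tuple


class Outcome(Enum):
    """Result of comparing a presented host key with ~/.ssh/known_hosts."""
    TRUSTED = "key matches stored entry"
    UNKNOWN = "no stored key for this host"
    MISMATCH = "stored key differs from presented key"


def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Host field as written with HashKnownHosts=yes:
    |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))|"""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(),
                          base64.b64encode(mac).decode())


def host_field_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field names hostname (plain list or hashed)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64, _ = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in field.split(",")


def lookup(known_hosts: str, hostname: str, key_type: str) -> Optional[str]:
    """Return the stored key blob for hostname and key_type, or None."""
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: host, type and key are mandatory
        host_field, stored_type, stored_blob = parts[0], parts[1], parts[2]
        if stored_type == key_type and host_field_matches(host_field, hostname):
            return stored_blob
    return None


def check_host_key(known_hosts: str, hostname: str, key_type: str,
                   presented_blob: str, strict: str = "ask") -> Tuple[Outcome, str]:
    """Decide what the client does for a presented key.
    strict is the StrictHostKeyChecking value: "yes", "ask" or "no"."""
    stored = lookup(known_hosts, hostname, key_type)
    if stored is None:
        outcome = Outcome.UNKNOWN
        action = {"yes": "refuse", "ask": "prompt", "no": "add-and-continue"}[strict]
    elif stored == presented_blob:
        outcome, action = Outcome.TRUSTED, "continue"
    else:
        # A changed key is the signal for spoofing or a man-in-the-middle;
        # only StrictHostKeyChecking=no lets the connection proceed with a warning.
        outcome = Outcome.MISMATCH
        action = "warn-and-continue" if strict == "no" else "refuse"
    return outcome, action


def remove_host(known_hosts: str, hostname: str) -> str:
    """Drop every entry naming hostname, as `ssh-keygen -R hostname` does."""
    kept = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if parts and not line.startswith("#") and host_field_matches(parts[0], hostname):
            continue
        kept.append(line)
    return "\n".join(kept)


# Constructed sample file: one plain entry with an alias, one hashed entry.
SALT = b"0123456789abcdef0123"  # constructed 20-byte salt, not a real one
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; key blobs are placeholders, not real host keys",
    "server.man.ac.uk,bohrg1.man.ac.uk ssh-rsa AAAAB3NzaC1yc2E-placeholder-key-A",
    hashed_host_entry("hashed.example.org", SALT) + " ssh-ed25519 AAAAC3-placeholder-key-B",
])

if __name__ == "__main__":
    cases = [
        ("server.man.ac.uk", "ssh-rsa", "AAAAB3NzaC1yc2E-placeholder-key-A", "ask"),
        ("server.man.ac.uk", "ssh-rsa", "CHANGED-KEY", "yes"),
        ("server.man.ac.uk", "ssh-rsa", "CHANGED-KEY", "no"),
        ("new.example.org", "ssh-rsa", "SOME-KEY", "yes"),
        ("hashed.example.org", "ssh-ed25519", "AAAAC3-placeholder-key-B", "ask"),
    ]
    for host, ktype, blob, mode in cases:
        outcome, action = check_host_key(SAMPLE_KNOWN_HOSTS, host, ktype, blob, mode)
        print("%-20s strict=%-3s -> %-8s (%s)" % (host, mode, action, outcome.value))
```

Running the block prints one line per case; the hashed entry shows why grepping known_hosts for a hostname fails once HashKnownHosts is on, and why `ssh-keygen -F host` and `ssh-keygen -R host` (which do the HMAC comparison) are the right tools for inspecting and removing entries.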