How to Enable StrictHostKeyChecking in SSH

August 20, 2025 / Security and Backup

This guide explains how to enable StrictHostKeyChecking in SSH to ensure connections are only made to verified servers.

When connecting to a new server, the StrictHostKeyChecking setting determines whether an SSH client will accept a host key automatically. Enabling it reduces the risk of man-in-the-middle (MITM) attacks by preventing connections to untrusted or modified hosts.

Understanding StrictHostKeyChecking Modes:

  • yes – SSH will refuse connections to new hosts and to hosts with changed keys.
  • no – SSH will automatically accept all host keys (not recommended).
  • ask – SSH will prompt the user before accepting a new or changed key (default on many systems).

In this article, we focus on enforcing yes for maximum security.

Enabling StrictHostKeyChecking
You can apply this setting temporarily for a single connection or permanently for all future sessions.

  1. Temporary (Single Session)
    Run this command to connect with StrictHostKeyChecking enabled:

    ssh -o StrictHostKeyChecking=yes user@hostname

    Replace user with your SSH username and hostname with the server’s IP address or domain.

  2. Permanent (All Future Sessions)
    1. Open the SSH client configuration file:
      nano ~/.ssh/config

      (Create the file if it doesn’t exist.)

    2. Add the following lines to enforce host key checking for all hosts:
      Host *
          StrictHostKeyChecking yes
    3. Save and exit the editor (CTRL+O, ENTER, CTRL+X in nano).
    4. Secure the SSH config file with the correct permissions:
      chmod 600 ~/.ssh/config

Notes and Best Practices:

  • When connecting to a new host, manually add its key to the known_hosts file:
    ssh-keyscan hostname >> ~/.ssh/known_hosts
  • Use StrictHostKeyChecking=yes in production or secure environments to avoid connecting to unverified servers.
  • Be aware: if a server’s host key changes, SSH will block access until the updated key is verified and added. Always confirm changes with your hosting provider.
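
ssh-keyscan records whatever key the network returns, so appending its output directly trusts the very connection that host key checking is meant to verify. The script below is an added example, not part of the original guide: it pins a scanned key only when its fingerprint matches one obtained out of band (for example from the provider's console). The function names pin_host_key and fingerprint_of are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.
# Pins a host key in known_hosts only if its fingerprint matches a value
# obtained out of band, e.g. from the hosting provider's control panel.

# fingerprint_of KEYLINE: print the SHA256 fingerprint of one known_hosts line.
fingerprint_of() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    ssh-keygen -lf "$tmp" 2>/dev/null | awk '{print $2}'
    rm -f "$tmp"
}

# pin_host_key KEYLINE EXPECTED_FP KNOWN_HOSTS
# Returns 0 if pinned (or already present), 1 on mismatch, 2 on unparsable input.
pin_host_key() {
    keyline=$1; expected=$2; known_hosts=$3
    actual=$(fingerprint_of "$keyline")
    if [ -z "$actual" ]; then
        echo "no usable host key in scan output" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "REFUSED: got $actual, expected $expected" >&2
        return 1
    fi
    # Do not append the same line twice on repeated runs.
    if [ -f "$known_hosts" ] && grep -qxF -- "$keyline" "$known_hosts"; then
        return 0
    fi
    printf '%s\n' "$keyline" >> "$known_hosts"
}

# Usage: ./pin-host-key.sh hostname 'SHA256:<fingerprint from provider>'
if [ "$#" -eq 2 ]; then
    # One key type only, so exactly one fingerprint is compared.
    line=$(ssh-keyscan -t ed25519 "$1" 2>/dev/null)
    pin_host_key "$line" "$2" "$HOME/.ssh/known_hosts"
fi
```

With StrictHostKeyChecking set to yes, a host pinned this way connects without a prompt, and a mismatch leaves known_hosts untouched.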

In this way, you can enable StrictHostKeyChecking in SSH, either for a single session or permanently, to ensure you only connect to verified servers and minimise the risk of connecting to compromised or malicious systems.
