When ssh is run with StrictHostKeyChecking=no, it should always accept a changed key. In my case, however, that is not what happens. This is documented in the man page (ssh_config):
StrictHostKeyChecking
If this flag is set to yes, ssh(1) will never automatically
add host keys to the ~/.ssh/known_hosts file, and refuses
to connect to hosts whose host key has changed. This
provides maximum protection against man-in-the-middle
(MITM) attacks, though it can be annoying when the
/etc/ssh/ssh_known_hosts file is poorly maintained or when
connections to new hosts are frequently made. This option
forces the user to manually add all new hosts.
If this flag is set to “accept-new” then ssh will
automatically add new host keys to the user's known_hosts
file, but will not permit connections to hosts with changed
host keys. If this flag is set to “no” or “off”, ssh will
automatically add new host keys to the user known hosts
files and allow connections to hosts with changed hostkeys
to proceed, subject to some restrictions. If this flag is
set to ask (the default), new host keys will be added to
the user known host files only after the user has confirmed
that is what they really want to do, and ssh will refuse to
connect to hosts whose host key has changed. The host keys
of known hosts will be verified automatically in all cases.
The relevant part of this section: "If this flag is set to “no” or “off”, ssh will automatically add new host keys to the user known hosts files and allow connections to hosts with changed hostkeys to proceed, subject to some restrictions."

What are the restrictions being referred to?

Answer 1
I can only speak from my own experience. You will not be able to open a remote tunnel over that connection. This happens regardless of whether the ExitOnForwardFailure=no option is set; if that option is set to yes, the connection is terminated immediately. So it seems the SSH client still treats the offending known_hosts entry as an error.

If there are further restrictions, I cannot say.
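As an added illustration (not from the question or the answer above), the ssh_config fragment below places the setting the question uses next to the accept-new setting the quoted man page describes, which keeps automatic acceptance of new hosts but still refuses a changed key. The host patterns and the separate known_hosts path are placeholders chosen for the example.

```sshconfig
# Weak: new keys are added silently AND a connection to a host whose key has
# changed is still allowed to proceed, so the only sign of a key change is the
# set of restrictions the session is placed under (for example, the forwarding
# failure described in the answer).
Host legacy-lab.example
    StrictHostKeyChecking no

# Preferred for unattended jobs: first contact with a new host is still added
# automatically, but a changed host key makes ssh refuse the connection
# outright instead of continuing with a restricted session.
Host build-*.example
    StrictHostKeyChecking accept-new
    # Placeholder path: keep automation's pinned keys apart from the interactive
    # user's file so an expected re-key of a lab host can be reviewed explicitly.
    UserKnownHostsFile ~/.ssh/known_hosts.build
```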