If you have servers that change their IP address, you’ve probably already been used to the following SSH warning:
The authenticity of host '22.214.171.124 (126.96.36.199)' can't be established. ... Are you sure you want to continue connecting (yes/no)? yes
Besides from being annoying, it is also a security risk to blindly accept this warning and continue connecting. And be honest — almost none of us check the fingerprint in advance every time.
A common scenario for this use case is when you have an EC2 server in Amazon AWS which you temporarily stop and then start, in order to cut costs. I have a backup server which I use in this way.
In order to securely avoid this SSH warning and still be sure that you connect to your trusted server, you have to save the fingerprint in a separate file and update the IP address in it every time before you connect. Here are the connect commands, which you can also encapsulate in a Bash wrapper script:
IP=188.8.131.52 # use an IP address here, not a hostname FPFILE=~/.ssh/aws-backup-server.fingerprint test -e "$FPFILE" && perl -pi -e "s/^\S+ /$IP /" "$FPFILE" ssh -o StrictHostKeyChecking=ask -o UserKnownHostsFile="$FPFILE" root@$IP
Note that the FPFILE is not required to exist on the first SSH connect. The first time you connect to the server, the FPFILE will be created when you accept the SSH warning. Further connects will not show an SSH warning or ask you to accept the fingerprint again.