On Wed, Nov 13, 2013 at 7:29 PM, Przemek Klosowski <przemek.klosowski@nist.gov> wrote:
On 11/12/2013 07:47 AM, Miroslav Suchý wrote:

2) if you know that some machines change fingerprint and you *trust it* you can do:

~/.ssh/config:
Host 192.168.1.1
    UserKnownHostsFile /dev/null

It always bugged me that the choice was to either disable or manually edit an obscure file, so I was happy to find that you can delete stale entries from the command line:

ssh-keygen -R hostname

Admittedly, this is pretty obscure and I think it would be a better idea if SSH directly allowed an override, perhaps like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
23:00:21:33:d4:0f:95:f1:eb:34:b2:57:cf:3f:2c:e7.
If you think it's safe to override this check, you can connect this time [o]
or delete the current host key before connecting [O]:

Yes! This kind of solution would be awesome; any admin who encounters this more than two times per week (as I do) would love to have an override. I know where I'm connecting to, and if it is a server then it should NEVER change, but I'm also connecting to OpenWrt-based devices (internet of things and similar devices) which get updated firmware every so often and, upon booting up for the first time with new firmware, generate new SSH keys.

I would love to see this, or at least, if somebody knows how I can set this up for myself, this would make me switch back to Fedora as my main admin machine...
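
Added example (not part of the original thread and not OpenSSH code): a shell sketch of the "delete the current host key before connecting" override discussed above, which replaces the stale entry only when the new key matches a fingerprint obtained out of band. The function names, the .pub-format key file and the throwaway demo keys are assumptions of this example, and it uses SHA256 fingerprints rather than the MD5 style shown in the banner.

```shell
#!/bin/sh
# fingerprint_of <pubkey-file>: print the SHA256 fingerprint field only.
fingerprint_of() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# replace_host_key <known_hosts> <host> <new-pubkey-file> <expected-fp>
# <new-pubkey-file> is in .pub format: "keytype base64 [comment]".
# Returns 0 after pinning the verified key; returns 1 on a fingerprint
# mismatch and leaves the known_hosts file untouched.
replace_host_key() {
    kh=$1; host=$2; newkey=$3; expected=$4
    offered=$(fingerprint_of "$newkey")
    [ -n "$offered" ] || return 2          # unreadable key: never "match"
    if [ "$offered" != "$expected" ]; then
        echo "refusing: offered $offered, expected $expected" >&2
        return 1
    fi
    # Remove stale entries for this host; ssh-keygen keeps a .old backup.
    if ssh-keygen -F "$host" -f "$kh" >/dev/null 2>&1; then
        ssh-keygen -R "$host" -f "$kh" >/dev/null 2>&1 || return 3
    fi
    # Pin the verified key as "<host> <keytype> <base64>".
    printf '%s %s\n' "$host" "$(cut -d' ' -f1,2 "$newkey")" >> "$kh"
}

# Constructed sample data: two throwaway keys stand in for the device's
# host key before and after a firmware update. Prints the scratch dir.
make_demo() {
    d=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' -C old -f "$d/old" || return 1
    ssh-keygen -q -t ed25519 -N '' -C new -f "$d/new" || return 1
    printf '192.168.1.1 %s\n' "$(cut -d' ' -f1,2 "$d/old.pub")" \
        > "$d/known_hosts"
    echo "$d"
}
```

Unlike UserKnownHostsFile /dev/null, this keeps host key checking enabled for every later connection to the device.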