Skip to content
Latchkey

ssh -o UserKnownHostsFile: Point at a known_hosts

UserKnownHostsFile tells ssh which file holds trusted host keys, overriding the default ~/.ssh/known_hosts.

On ephemeral runners you often build a known_hosts file in the workspace rather than the home directory. UserKnownHostsFile lets ssh use it without touching $HOME.

What it does

UserKnownHostsFile sets the path (or paths) ssh consults for trusted host keys and where it records new ones under accept-new. It pairs with GlobalKnownHostsFile, which is the system-wide list. Setting it to /dev/null disables persistence entirely.

Common usage

Terminal
# build a known_hosts in the workspace, then use it
ssh-keyscan host > ./known_hosts
ssh -o UserKnownHostsFile=./known_hosts user@host
# combine with strict checking for a verified, unattended deploy
ssh -o UserKnownHostsFile=./known_hosts \
    -o StrictHostKeyChecking=yes user@host

Options

OptionWhat it does
-o UserKnownHostsFile=<path>File ssh reads/writes for host keys
-o UserKnownHostsFile=/dev/nullNo persistence (pair with StrictHostKeyChecking=no)
-o GlobalKnownHostsFile=<path>System-wide host key file
-o StrictHostKeyChecking=yesRequire the key to already be in the file

In CI

Pre-populate the file with ssh-keyscan and set StrictHostKeyChecking=yes against it for a fully verified, non-interactive deploy. Using /dev/null disables verification, so only combine it with StrictHostKeyChecking=no for throwaway connections.

Common errors in CI

Host key verification failed. with a custom file usually means the file is empty or the keyscan ran against the wrong port or hostname. "Permission denied" writing to the file means an unwritable workspace path; point at a writable directory. A stale entry triggers "REMOTE HOST IDENTIFICATION HAS CHANGED"; clear it with ssh-keygen -R -f ./known_hosts host.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →