ssh -o UserKnownHostsFile: Point at a known_hosts
UserKnownHostsFile tells ssh which file holds trusted host keys, overriding the default ~/.ssh/known_hosts.
On ephemeral runners you often build a known_hosts file in the workspace rather than the home directory. UserKnownHostsFile lets ssh use it without touching $HOME.
What it does
UserKnownHostsFile sets the path (or paths) ssh consults for trusted host keys and where it records new ones under accept-new. It pairs with GlobalKnownHostsFile, which is the system-wide list. Setting it to /dev/null disables persistence entirely.
Common usage
# build a known_hosts in the workspace, then use it
ssh-keyscan host > ./known_hosts
ssh -o UserKnownHostsFile=./known_hosts user@host
# combine with strict checking for a verified, unattended deploy
ssh -o UserKnownHostsFile=./known_hosts \
-o StrictHostKeyChecking=yes user@hostOptions
| Option | What it does |
|---|---|
| -o UserKnownHostsFile=<path> | File ssh reads/writes for host keys |
| -o UserKnownHostsFile=/dev/null | No persistence (pair with StrictHostKeyChecking=no) |
| -o GlobalKnownHostsFile=<path> | System-wide host key file |
| -o StrictHostKeyChecking=yes | Require the key to already be in the file |
In CI
Pre-populate the file with ssh-keyscan and set StrictHostKeyChecking=yes against it for a fully verified, non-interactive deploy. Using /dev/null disables verification, so only combine it with StrictHostKeyChecking=no for throwaway connections.
Common errors in CI
Host key verification failed. with a custom file usually means the file is empty or the keyscan ran against the wrong port or hostname. "Permission denied" writing to the file means an unwritable workspace path; point at a writable directory. A stale entry triggers "REMOTE HOST IDENTIFICATION HAS CHANGED"; clear it with ssh-keygen -R -f ./known_hosts host.