Tags: ssh, sftp, putty, public-key

StrictHostKeyChecking config on PSFTP.EXE


I came across the StrictHostKeyChecking configuration when I needed to set up SFTP communication between two servers (e.g. Windows Server ---> Linux Server). As defined here (use find for string match "StrictHostKeyChecking"):

If this flag is set to “yes”, ssh will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This option forces the user to manually add all new hosts. If this flag is set to “no”, ssh will automatically add new host keys to the user known hosts files.

I want to use PSFTP.EXE to transfer files to the Unix server from a Windows machine, and there is obviously no concept of ~/.ssh/known_hosts. My question is then: what is the equivalent of StrictHostKeyChecking for PSFTP.EXE? Is it simply -batch, which avoids interactive prompts?


Solution

  • By default all PuTTY tools (including psftp) behave as StrictHostKeyChecking=ask.

    With -batch, psftp (and pscp and plink) behave as StrictHostKeyChecking=yes. If you use this switch and psftp finds that the server's host key has changed, you will get:

    WARNING - POTENTIAL SECURITY BREACH! The server's host key does not match the one PuTTY has cached in the registry. This means that either the server administrator has changed the host key, or you have actually connected to another computer pretending to be the server.
    The new ... key fingerprint is:
    ...
    Connection abandoned.

    While without the switch (the default behavior), you will get an interactive prompt.

    Likewise for the host key of a new server.


    Neither psftp nor any other PuTTY tool ever behaves as StrictHostKeyChecking=no, unless you use some ugly and insecure hacks like the one here: How to pass echo y to plink.exe for first connection.


    Obviously, -batch affects all other prompts too, not just host key prompts (compared with StrictHostKeyChecking). There are these prompts in psftp (and pscp and plink):

    • Username, passphrase, password, password change and keyboard-interactive prompts (the connection aborts with -batch)
    • Insecure algorithm prompt (the same behavior as with the host key prompt)
    • "Append to existing log file?" (logging is disabled with -batch when the log file already exists and the "Ask user every time" option is enabled for "What to do if the log file already exists")
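As an added example (not part of the question or the answer above, and not PuTTY project code), the following PowerShell script runs psftp non-interactively with -batch while keeping the StrictHostKeyChecking=yes semantics the answer describes, and avoids the "echo y" hack for a first connection by pinning the expected host key with psftp's -hostkey option. The server name, user name, key file path, command list and the fingerprint value are placeholders; the real fingerprint must be obtained from the server administrator out of band. The fingerprint format -hostkey accepts depends on the PuTTY release (recent releases accept SHA256: fingerprints, older ones the colon-separated MD5 form). The registry path is where PuTTY caches host keys on Windows, which is what the "cached in the registry" warning in the answer refers to.

```powershell
# Added example: non-interactive psftp transfer with a pinned host key.
# All values below are placeholders (assumptions, not from the original page).
$Server    = 'sftp.example.internal'
$User      = 'transfer'
$KeyFile   = 'C:\keys\transfer.ppk'
$Psftp     = 'C:\Program Files\PuTTY\psftp.exe'
# Expected host key fingerprint, obtained from the server administrator out of band.
$HostKeyFp = 'SHA256:REPLACE-WITH-REAL-FINGERPRINT'

# 1. Informational check: what has PuTTY already cached for this host?
#    (PuTTY keeps host keys in the registry, not in ~/.ssh/known_hosts.)
$cacheKey = 'HKCU:\Software\SimonTatham\PuTTY\SshHostKeys'
if (Test-Path $cacheKey) {
    $cached = (Get-Item $cacheKey).Property | Where-Object { $_ -like "*@22:$Server" }
    if ($cached) { Write-Host "Cached host key entries: $($cached -join ', ')" }
    else         { Write-Host "No cached host key for $Server (first connection)" }
} else {
    Write-Host 'PuTTY host key cache not present yet'
}

# 2. Write the sftp commands to a script file consumed with -b.
#    psftp stops and returns a non-zero exit code if any command fails.
$script = Join-Path $env:TEMP 'psftp-commands.txt'
@(
    'cd /incoming',
    'put C:\outbox\report.csv',
    'quit'
) | Set-Content -Path $script -Encoding ASCII

# 3. Run psftp:
#    -batch   : never prompt; a changed or unknown host key aborts the connection
#    -hostkey : accept only the pinned fingerprint, so the first connection
#               succeeds without any interactive "store key?" prompt
#    -i       : private key for public-key authentication (no password prompt)
& $Psftp -batch -hostkey $HostKeyFp -i $KeyFile -b $script "$User@$Server"
$rc = $LASTEXITCODE
Remove-Item $script -ErrorAction SilentlyContinue

if ($rc -ne 0) {
    # A mismatched host key, failed authentication, or failed transfer all land here.
    Write-Error "psftp failed with exit code $rc; check the output above for a host key warning"
    exit $rc
}
Write-Host 'Transfer completed'
```

Because -batch turns every prompt into an abort, the script treats any non-zero exit code as a failure to investigate rather than retrying; a host key mismatch in particular should be verified with the server administrator before the pinned fingerprint is updated.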