What is the use of config.put("StrictHostKeyChecking", "no") in JSch

king Ramesh · Jul 21, 2014 · Viewed 23.2k times

java.util.Properties config = new java.util.Properties();            
config.put("StrictHostKeyChecking", "no");
session.setConfig(config);

In the above code, why do we need to set the StrictHostKeyChecking value to no while connecting to SFTP through the JSch API?

Answer

Martin Prikryl · Jul 21, 2014

You should NOT set it actually. You lose much of the SSH/SFTP security by doing so.

The option tells the JSch SSH/SFTP library not to verify the public key of the SSH/SFTP server. You are vulnerable to man-in-the-middle attacks if you do not verify the public key. Of course, unless you are connecting within a private trusted network (so you do not care about security/encryption).

Read about SSH/SFTP host keys:
https://winscp.net/eng/docs/ssh_verifying_the_host_key
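
An added example, not part of the answer above or of the JSch project's own code: one way to connect with host key verification left on, by loading a `known_hosts` file and setting `StrictHostKeyChecking` to `yes`. The host name, user name, port and file paths are assumed placeholders, and the `known_hosts` file is assumed to already hold the server's key, obtained over a trusted channel.

```java
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.HostKey;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.SftpException;

public class VerifiedSftp {
    public static void main(String[] args) {
        // Placeholder values (assumptions for this example); replace with your own.
        String host = "sftp.example.com";
        String user = "deploy";
        String home = System.getProperty("user.home");
        String knownHosts = home + "/.ssh/known_hosts";
        String privateKey = home + "/.ssh/id_rsa";

        Session session = null;
        try {
            JSch jsch = new JSch();
            // Trusted server keys are read from this file.
            jsch.setKnownHosts(knownHosts);
            jsch.addIdentity(privateKey);

            session = jsch.getSession(user, host, 22);
            // "yes": connect() fails if the server key is unknown or has changed.
            session.setConfig("StrictHostKeyChecking", "yes");
            session.connect(10_000);

            // Reaching this point means the presented key matched known_hosts.
            HostKey key = session.getHostKey();
            System.out.println("Verified " + key.getType() + " host key "
                    + key.getFingerPrint(jsch));

            ChannelSftp sftp = (ChannelSftp) session.openChannel("sftp");
            sftp.connect();
            System.out.println("Remote working directory: " + sftp.pwd());
            sftp.disconnect();
        } catch (JSchException e) {
            // Includes host key rejection; do not retry with checking disabled.
            System.err.println("SSH connection failed: " + e.getMessage());
        } catch (SftpException e) {
            System.err.println("SFTP operation failed: " + e.getMessage());
        } finally {
            if (session != null && session.isConnected()) {
                session.disconnect();
            }
        }
    }
}
```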