Jenkins Host Key Verification Configuration

Known hosts & SSH is always a pain, but just turning it off never seems like a good idea (even if it has probably never failed for the right reason).

In the past, we have used ssh-keyscan when setting up a Jenkins instance, but another option is to set the host key verification configuration to “Accept first connection”:

Automatically adds host keys to the known_hosts file if the host has not been seen before, and does not allow connections to previously-seen hosts with modified keys.

This is what most people do locally, when prompted.

Our shiny new Jenkins instance is supposed to only be configured by CasC though, and I couldn’t work out what the YAML would look like (the plugin docs have since been updated).

It turns out that there is a very handy “view configuration” button, allowing you to make changes in the UI and then check the generated config.
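For reference, the CasC fragment for this setting, as an added example rather than the author's generated config: the key names follow the Jenkins git client plugin's documented CasC schema, and the host name and key in the commented alternative are placeholders.

```yaml
# Added example; not the config from the original post.
security:
  gitHostKeyVerificationConfiguration:
    # "Accept first connection": trust on first use, then refuse changed keys.
    sshHostKeyVerificationStrategy: "acceptFirstConnectionStrategy"

    # Alternatives (set exactly one value for sshHostKeyVerificationStrategy):
    #
    # Use the existing known_hosts file (the ssh-keyscan approach):
    # sshHostKeyVerificationStrategy: "knownHostsFileVerificationStrategy"
    #
    # Pin keys in the config itself (placeholder entry, replace with the real key):
    # sshHostKeyVerificationStrategy:
    #   manuallyProvidedKeyVerificationStrategy:
    #     approvedHostKeys: |-
    #       git.example.com ssh-ed25519 <PLACEHOLDER-PUBLIC-KEY>
    #
    # Verification turned off entirely (the option the post advises against):
    # sshHostKeyVerificationStrategy: "noHostKeyVerificationStrategy"
```

With accept-first, the very first connection to each host is not authenticated, so pinning keys in the config is the stricter choice when the host keys are known in advance.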

The future is bright indeed.
