Known hosts

A secure network client needs to make sure that the remote host is exactly the host that it thinks it is communicating with. With TLS based protocols, it is done by the client verifying the server's certificate.

With SSH protocols there are no server certificates, but instead each server can provide its unique key. Unlike TLS, SSH has no certificate authorities or anything so the client simply has to make sure that the host's key matches what it already knows (via other means) it should look like.

The matching of keys is typically done using hashes of the key and the file that the client stores the hashes for known servers is often called known_hosts and is put in a dedicated SSH directory. On Linux systems that is usually called ~/.ssh.

When curl connects to a SFTP and SCP host, it makes sure that the host's key hash is already present in the known hosts file or it denies continued operation because it cannot trust that the server is the right one. Once the correct hash exists in known_hosts curl can perform transfers.

To force curl to skip checking and obeying to the known_hosts file, you can use the -k / --insecure command-line option. You must use this option with extreme care since it makes it possible for man-in-the-middle attacks not to be detected.