Bug 3176 - can't figure out how to test StrictHostKeyChecking accept-new
Summary: can't figure out how to test StrictHostKeyChecking accept-new
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 8.3p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on: 2400
Blocks:
Reported: 2020-06-02 08:09 AEST by frederik-openssh
Modified: 2020-06-02 08:09 AEST

See Also:


Description frederik-openssh 2020-06-02 08:09:24 AEST
I like the idea of the "StrictHostKeyChecking accept-new" option but when I tried to check that it works correctly, I got confused. How do I pretend that the host key has changed? I thought it would be enough to change the corresponding key in .ssh/known_hosts, but this just causes a new entry to be added with the same HostKeyAlias:

    # first I deleted the key from .ssh/known_hosts
    $ grep TH1LmIM .ssh/known_hosts
    [1]$ ssh -F /dev/null -o "StrictHostKeyChecking accept-new" -o HostKeyAlias=foo ofb.net echo hi
    Warning: Permanently added 'foo,104.197.242.163' (ECDSA) to the list of known hosts.
    hi
    $ tail -n 1 .ssh/known_hosts
    foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmIM=
    $ sed -i 's/TH1LmIM/TH1LmKM/g' .ssh/known_hosts  # simulate changed host key?
    $ tail -n 1 .ssh/known_hosts
    foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmKM=
    $ ssh -F /dev/null -o "StrictHostKeyChecking accept-new" -o HostKeyAlias=foo ofb.net echo hi
    Warning: Permanently added 'foo,104.197.242.163' (ECDSA) to the list of known hosts.
    hi
    $ tail -n 2 .ssh/known_hosts
    foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmKM=
    foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmIM=

So at the end I have two entries for "foo", with different host keys (one ends with "mKM=", the other ends with "mIM="). And OpenSSH seems to be happy with that. What am I missing?
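The byte the sed command rewrote sits inside the Y coordinate of the encoded EC point, so the edited line no longer describes a point on P-256. OpenSSL refuses to decode an off-curve point and OpenSSH's own sshkey_ec_validate_public rejects it as well, and a known_hosts line whose key fails to parse is skipped (ssh -v reports it as a parse error in the hostkeys file). From ssh's point of view "foo" therefore had no key at all, which is exactly the case accept-new is allowed to add. The following Python, an added example that is neither the reporter's nor OpenSSH's code, checks this directly: it decodes the two lines quoted above (the mutated one is rebuilt with the same substitution the sed command made), tests curve membership, counts the bytes the edit changed, and then shows that a second key which is valid but different (here fabricated from the P-256 base point, a constructed value whose private key is 1, never a real host key) is what produces two conflicting entries for one alias. All function names, the conflict report and the sample data are this example's own.

```python
"""Added example (not code from the bug report or from OpenSSH): validate
ecdsa-sha2-nistp256 known_hosts entries and find aliases with conflicting keys."""
import base64
import struct
from collections import defaultdict

# NIST P-256 parameters (FIPS 186-4): y^2 = x^3 - 3x + b (mod p)
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Base point G, used only to fabricate a second valid key (constructed data).
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# The line ssh wrote for alias "foo", copied from the report ...
ORIGINAL_LINE = ("foo,104.197.242.163 ecdsa-sha2-nistp256 "
                 "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87k"
                 "pGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmIM=")
# ... and the same line after the reporter's `sed -i 's/TH1LmIM/TH1LmKM/g'`.
MUTATED_LINE = ORIGINAL_LINE.replace("TH1LmIM", "TH1LmKM")


def ssh_string(buf, off):
    """Read one RFC 4251 string (uint32 length prefix) starting at off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def encode_ssh_string(b):
    return struct.pack(">I", len(b)) + b


def parse_known_hosts_line(line):
    """Return (hostnames, keytype, decoded blob). @-markers and hashed
    hostnames are out of scope for this example."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("@"):
        raise ValueError("unsupported known_hosts line")
    hosts, keytype, b64 = fields[:3]
    return hosts.split(","), keytype, base64.b64decode(b64, validate=True)


def p256_point(blob):
    """Decode an ecdsa-sha2-nistp256 blob to (x, y); ValueError if malformed."""
    keytype, off = ssh_string(blob, 0)
    curve, off = ssh_string(blob, off)
    point, off = ssh_string(blob, off)
    if keytype != b"ecdsa-sha2-nistp256" or curve != b"nistp256":
        raise ValueError("not ecdsa-sha2-nistp256")
    if off != len(blob) or len(point) != 65 or point[0] != 0x04:
        raise ValueError("not a 65-byte uncompressed point")
    return int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")


def on_p256(x, y):
    """Curve-equation check; OpenSSL applies it when decoding the point."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def valid_key(line):
    """True when the line carries a well-formed, on-curve P-256 host key.
    OpenSSH skips known_hosts lines whose key fails to parse, so a line
    that fails here never counts as a known key for its hosts."""
    try:
        _, keytype, blob = parse_known_hosts_line(line)
        return keytype == "ecdsa-sha2-nistp256" and on_p256(*p256_point(blob))
    except (ValueError, struct.error):
        return False


def blob_diff(line_a, line_b):
    """(offset, byte_a, byte_b) for every byte where the two blobs differ."""
    a = parse_known_hosts_line(line_a)[2]
    b = parse_known_hosts_line(line_b)[2]
    if len(a) != len(b):
        raise ValueError("blobs differ in length")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def conflicting_hosts(lines):
    """Hostnames/aliases that carry more than one valid key of the same type."""
    keys = defaultdict(set)
    for line in lines:
        if not valid_key(line):
            continue  # mirror ssh: an unparseable line is not a known key
        hosts, keytype, blob = parse_known_hosts_line(line)
        for host in hosts:
            keys[(host, keytype)].add(blob)
    return sorted({host for (host, _), blobs in keys.items() if len(blobs) > 1})


def p256_known_hosts_line(hosts, x, y):
    """Build a known_hosts line for any P-256 point (constructed test data)."""
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    blob = (encode_ssh_string(b"ecdsa-sha2-nistp256")
            + encode_ssh_string(b"nistp256") + encode_ssh_string(point))
    return f"{hosts} ecdsa-sha2-nistp256 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    print("original valid:", valid_key(ORIGINAL_LINE))
    print("mutated valid:", valid_key(MUTATED_LINE))
    print("bytes changed by sed:", blob_diff(ORIGINAL_LINE, MUTATED_LINE))
    print("conflicts, sed pair:", conflicting_hosts([MUTATED_LINE, ORIGINAL_LINE]))
    fake = p256_known_hosts_line("foo,104.197.242.163", P256_GX, P256_GY)
    print("conflicts, genuine second key:", conflicting_hosts([fake, ORIGINAL_LINE]))
```

The practical consequence for testing accept-new: replace the known_hosts entry with a key that is valid but different, for instance the public half of a throwaway key from `ssh-keygen -t ecdsa -N '' -f /tmp/fakehost` (the path is an assumption), keeping the `foo,104.197.242.163` prefix and the key type. A valid wrong key is a changed host key, which accept-new refuses to connect through; a corrupted key is no key at all, which accept-new happily replaces.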