Setting the host key verification strategy to accept first connection has the undocumented side effect of forcing HashKnownHosts=yes on the SSH command line. Please either make this a seperate configuration option or remove it entirely so that this behavior can be controlled from ssh_config.

The HashKnownHosts option was introduced to OpenSSH back in 2005 but has never been the default behavior of OpenSSH because the amount of security it adds is minimal and being able to read the known_hosts file is useful. The choice to enable or disable this option should be left up to the user, which isn't possible if the plugin is forcing it on the SSH command line.

The hashing mechanism isn't really strong enough to prevent a brute force attack on modern hardware. If the DNS zone can be enumerated (AXFR, rDNS lookups, etc.,) then a dictionary can be created which renders the hashing nearly useless.