When running ssh with StrictHostKeyChecking=no, it should always accept CHANGED keys. However it does not in my case. This is documented in the man page (ssh-config):
StrictHostKeyChecking
If this flag is set to yes, ssh(1) will never automatically
add host keys to the ~/.ssh/known_hosts file, and refuses
to connect to hosts whose host key has changed. This
provides maximum protection against man-in-the-middle
(MITM) attacks, though it can be annoying when the
/etc/ssh/ssh_known_hosts file is poorly maintained or when
connections to new hosts are frequently made. This option
forces the user to manually add all new hosts.
If this flag is set to “accept-new” then ssh will
automatically add new host keys to the user's known_hosts
file, but will not permit connections to hosts with changed
host keys. If this flag is set to “no” or “off”, ssh will
automatically add new host keys to the user known hosts
files and allow connections to hosts with changed hostkeys
to proceed, subject to some restrictions. If this flag is
set to ask (the default), new host keys will be added to
the user known host files only after the user has confirmed
that is what they really want to do, and ssh will refuse to
connect to hosts whose host key has changed. The host keys
of known hosts will be verified automatically in all cases.
This section is relevant: If this flag is set to “no” or “off”, ssh will automatically add new host keys to the user known hosts files and allow connections to hosts with changed hostkeys to proceed, subject to some restrictions.
What are the mentioned restrictions?