diff --git a/ssh/example_test.go b/ssh/example_test.go
@@ -5,12 +5,16 @@
 package ssh_test
 
 import (
+	"bufio"
 	"bytes"
 	"fmt"
 	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
 
 	"golang.org/x/crypto/ssh"
 	"golang.org/x/crypto/ssh/terminal"
@@ -90,8 +94,6 @@ func ExampleNewServerConn() {
 	// The incoming Request channel must be serviced.
 	go ssh.DiscardRequests(reqs)
 
-	// Service the incoming Channel channel.
-
 	// Service the incoming Channel channel.
 	for newChannel := range chans {
 		// Channels have a type, depending on the application level
@@ -131,16 +133,59 @@ func ExampleNewServerConn() {
 	}
 }
 
+func ExampleHostKeyCheck() {
+	// Every client must provide a host key check.  Here is a
+	// simple-minded parse of OpenSSH's known_hosts file
+	host := "hostname"
+	file, err := os.Open(filepath.Join(os.Getenv("HOME"), ".ssh", "known_hosts"))
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer file.Close()
+
+	scanner := bufio.NewScanner(file)
+	var hostKey ssh.PublicKey
+	for scanner.Scan() {
+		fields := strings.Split(scanner.Text(), " ")
+		if len(fields) != 3 {
+			continue
+		}
+		if strings.Contains(fields[0], host) {
+			var err error
+			hostKey, _, _, _, err = ssh.ParseAuthorizedKey(scanner.Bytes())
+			if err != nil {
+				log.Fatalf("error parsing %q: %v", fields[2], err)
+			}
+			break
+		}
+	}
+
+	if hostKey == nil {
+		log.Fatalf("no hostkey for %s", host)
+	}
+
+	config := ssh.ClientConfig{
+		User:            os.Getenv("USER"),
+		HostKeyCallback: ssh.FixedHostKey(hostKey),
+	}
+
+	_, err = ssh.Dial("tcp", host+":22", &config)
+	log.Println(err)
+}
+
 func ExampleDial() {
+	var hostKey ssh.PublicKey
 	// An SSH client is represented with a ClientConn.
 	//
 	// To authenticate with the remote server you must pass at least one
-	// implementation of AuthMethod via the Auth field in ClientConfig.
+	// implementation of AuthMethod via the Auth field in ClientConfig,
+	// and provide a HostKeyCallback.
 	config := &ssh.ClientConfig{
 		User: "username",
 		Auth: []ssh.AuthMethod{
 			ssh.Password("yourpassword"),
 		},
+		HostKeyCallback: ssh.FixedHostKey(hostKey),
 	}
 	client, err := ssh.Dial("tcp", "yourserver.com:22", config)
 	if err != nil {
@@ -166,6 +211,7 @@ func ExampleDial() {
 }
 
 func ExamplePublicKeys() {
+	var hostKey ssh.PublicKey
 	// A public key may be used to authenticate against the remote
 	// server by using an unencrypted PEM-encoded private key file.
 	//
@@ -188,6 +234,7 @@ func ExamplePublicKeys() {
 			// Use the PublicKeys method for remote authentication.
 			ssh.PublicKeys(signer),
 		},
+		HostKeyCallback: ssh.FixedHostKey(hostKey),
 	}
 
 	// Connect to the remote server and perform the SSH handshake.
@@ -199,11 +246,13 @@ func ExamplePublicKeys() {
 }
 
 func ExampleClient_Listen() {
+	var hostKey ssh.PublicKey
 	config := &ssh.ClientConfig{
 		User: "username",
 		Auth: []ssh.AuthMethod{
 			ssh.Password("password"),
 		},
+		HostKeyCallback: ssh.FixedHostKey(hostKey),
 	}
 	// Dial your ssh server.
 	conn, err := ssh.Dial("tcp", "localhost:22", config)
@@ -226,12 +275,14 @@ func ExampleClient_Listen() {
 }
 
 func ExampleSession_RequestPty() {
+	var hostKey ssh.PublicKey
 	// Create client config
 	config := &ssh.ClientConfig{
 		User: "username",
 		Auth: []ssh.AuthMethod{
 			ssh.Password("password"),
 		},
+		HostKeyCallback: ssh.FixedHostKey(hostKey),
 	}
 	// Connect to ssh server
 	conn, err := ssh.Dial("tcp", "localhost:22", config)

diff --git a/ssh/handshake.go b/ssh/handshake.go
@@ -74,7 +74,7 @@ type handshakeTransport struct {
 	startKex chan *pendingKex
 
 	// data for host key checking
-	hostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error
+	hostKeyCallback HostKeyCallback
 	dialAddress     string
 	remoteAddr      net.Addr
 
@@ -614,11 +614,9 @@ func (t *handshakeTransport) client(kex kexAlgorithm, algs *algorithms, magics *
 		return nil, err
 	}
 
-	if t.hostKeyCallback != nil {
-		err = t.hostKeyCallback(t.dialAddress, t.remoteAddr, hostKey)
-		if err != nil {
-			return nil, err
-		}
+	err = t.hostKeyCallback(t.dialAddress, t.remoteAddr, hostKey)
+	if err != nil {
+		return nil, err
 	}
 
 	return result, nil

diff --git a/ssh/handshake_test.go b/ssh/handshake_test.go
@@ -436,6 +436,7 @@ func testHandshakeErrorHandlingN(t *testing.T, readLimit, writeLimit int, couple
 	clientConf.SetDefaults()
 	clientConn := newHandshakeTransport(&errorKeyingTransport{b, -1, -1}, &clientConf, []byte{'a'}, []byte{'b'})
 	clientConn.hostKeyAlgorithms = []string{key.PublicKey().Type()}
+	clientConn.hostKeyCallback = InsecureIgnoreHostKey()
 	go clientConn.readLoop()
 	go clientConn.kexLoop()
 

diff --git a/ssh/session_test.go b/ssh/session_test.go
@@ -59,7 +59,8 @@ func dial(handler serverType, t *testing.T) *Client {
 	}()
 
 	config := &ClientConfig{
-		User: "testuser",
+		User:            "testuser",
+		HostKeyCallback: InsecureIgnoreHostKey(),
 	}
 
 	conn, chans, reqs, err := NewClientConn(c2, "", config)
@@ -641,7 +642,8 @@ func TestSessionID(t *testing.T) {
 	}
 	serverConf.AddHostKey(testSigners["ecdsa"])
 	clientConf := &ClientConfig{
-		User: "user",
+		HostKeyCallback: InsecureIgnoreHostKey(),
+		User:            "user",
 	}
 
 	go func() {
@@ -747,7 +749,9 @@ func TestHostKeyAlgorithms(t *testing.T) {
 
 	// By default, we get the preferred algorithm, which is ECDSA 256.
 
-	clientConf := &ClientConfig{}
+	clientConf := &ClientConfig{
+		HostKeyCallback: InsecureIgnoreHostKey(),
+	}
 	connect(clientConf, KeyAlgoECDSA256)
 
 	// Client asks for RSA explicitly.

diff --git a/ssh/test/cert_test.go b/ssh/test/cert_test.go
@@ -36,7 +36,8 @@ func TestCertLogin(t *testing.T) {
 	}
 
 	conf := &ssh.ClientConfig{
-		User: username(),
+		User:            username(),
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
 	}
 	conf.Auth = append(conf.Auth, ssh.PublicKeys(certSigner))
 	client, err := s.TryDial(conf)