diff --git a/cli/src/__tests__/shared-common-logging-utils.test.ts b/cli/src/__tests__/shared-common-logging-utils.test.ts
index 6102c704..a51fc648 100644
--- a/cli/src/__tests__/shared-common-logging-utils.test.ts
+++ b/cli/src/__tests__/shared-common-logging-utils.test.ts
@@ -667,9 +667,9 @@ describe("SSH_OPTS defaults", () => {
     expect(result.stdout.length).toBeGreaterThan(0);
   });
 
-  it("should disable strict host key checking", () => {
+  it("should use accept-new for strict host key checking (TOFU)", () => {
     const result = runBash('echo "$SSH_OPTS"');
-    expect(result.stdout).toContain("StrictHostKeyChecking=no");
+    expect(result.stdout).toContain("StrictHostKeyChecking=accept-new");
   });
 
   it("should use /dev/null for known hosts file", () => {
diff --git a/shared/common.sh b/shared/common.sh
index b602d945..923926d9 100644
--- a/shared/common.sh
+++ b/shared/common.sh
@@ -960,7 +960,7 @@ register_cleanup_trap() {
 # Default SSH options for all cloud providers
 # Clouds can override this if they need provider-specific settings
 if [[ -z "${SSH_OPTS:-}" ]]; then
-    SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -i ${HOME}/.ssh/id_ed25519"
+    SSH_OPTS="-o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -i ${HOME}/.ssh/id_ed25519"
 fi
 
 # ============================================================
@@ -1939,7 +1939,7 @@ upload_config_file() {
 
     printf '%s\n' "${content}" > "${temp_file}"
 
-    local temp_remote="/tmp/spawn_config_$$_$(basename "${remote_path}")"
+    local temp_remote="/tmp/spawn_config_${RANDOM}_${RANDOM}_$(basename "${remote_path}")"
     ${upload_callback} "${temp_file}" "${temp_remote}"
     ${run_callback} "mv ${temp_remote} ${remote_path}"
 }