Understanding SSH known_hosts File

The known_hosts file contains a list of public keys for all the hosts to which the user has connected with ssh. It is used for verifying the identity of other systems.

Ssh can automatically add keys to the user’s file, but they can be added manually as well.

In SSH, public key cryptography is used for authenticating computers and users. Host keys authenticate hosts. Authorized keys and identity keys authenticate users.

In OpenSSH, the collection of known host keys is stored in /etc/ssh/known_hosts and in .ssh/known_hosts in each user’s home directory.

When connecting to a host for the first time, ssh usually adds the remote host’s public key to the user’s known_hosts file.

Format of known_hosts file

The format is one public key or certificate per unbroken line. Each line contains a hostname, number of bits, exponent, and modulus.

At the beginning of the line is either the hostname or a hash representing the hostname.

It is possible to use a comma-separated list of hosts in the hostname field if a host has multiple names or if the same key is used on multiple machines in a server pool.

Here are 3 examples for hosts with IPs: each entry gives the address in the hostname field, then the key type (here ecdsa-sha2-nistp256), then the base64-encoded key.
What is the purpose of the known_hosts file

This file is local to the user account and contains the known keys for remote hosts. Often these are collected from the hosts when connecting for the first time.

These keys, stored in the file ~/.ssh/known_hosts, are used to verify the identity of the remote host, thus protecting against impersonation or man-in-the-middle attacks.

With each subsequent connection the key will be compared to the key provided by the remote server.

If there is a match, the connection will proceed. If the match fails, ssh(1) will fail with an error message.

If there is no key at all listed for that remote host, then the key’s fingerprint will be displayed and there will be the option to automatically add the key to the file.

This file can be created and edited manually, but if it does not exist it will be created automatically by ssh(1) when it first connects to a remote host.
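The matching logic described above, written out as an added example (this is not code from the original page): the hostname field may be a plain name, a comma-separated list, or the hashed |1|salt|hmac form (HMAC-SHA1 keyed with the salt), and only after the host matches is the presented key compared to decide between match, mismatch and unknown. The sample entries, salt and key data below are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholder key data; only compared as a string, never parsed.
KEYDATA = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal"
SALT = b"\x01" * 20  # constructed salt; ssh picks a random one per entry


def hash_hostname(host: str, salt: bytes) -> str:
    """Build the |1|salt|hmac hostname form written when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def hostname_matches(field: str, host: str) -> bool:
    """Match a plain, comma-separated or hashed hostname field against host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in field.split(",")


def check_host_key(known_hosts: str, host: str, keytype: str, keydata: str) -> str:
    """Return 'match', 'mismatch' or 'unknown' for the key a server presented."""
    seen_same_type = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue  # comment or malformed line: ignore
        names, ktype, kdata = parts[0], parts[1], parts[2]
        if not hostname_matches(names, host) or ktype != keytype:
            continue
        seen_same_type = True
        if kdata == keydata:
            return "match"       # connection proceeds
    # a stored key of this type that differs means the host key changed
    return "mismatch" if seen_same_type else "unknown"


# Constructed sample file: two names share one key; the second host is hashed.
SAMPLE = "\n".join([
    "server1.example.com,10.0.0.5 ssh-ed25519 " + KEYDATA,
    hash_hostname("server2.example.com", SALT) + " ssh-ed25519 " + KEYDATA,
])
```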

Add public key to known_hosts manually

We can use ssh-keygen with the -F option to search the known_hosts file.

$ ssh-keygen -F server3.example.com

The default file to be searched will be ~/.ssh/known_hosts and the key is printed if found. A different file can be searched using the -f option.

If a key must be removed from the file, the -R option works similarly to search by host and then remove it if found even if the host name is hashed.

$ ssh-keygen -R server4.example.com -f ~/.ssh/known_hosts

When a key is removed, it will then be appended to the file ~/.ssh/known_hosts.old in case it is needed later.

If a non-default file is used with either -F or -R then the name including the path must be specified using -f. But -f is optional if the default file is intended.
