Mastering SSH known_hosts: Secure Connections and Key Management
This guide explains the purpose of the SSH known_hosts file, how it protects against man‑in‑the‑middle attacks, how to add, verify, or remove host keys, and practical methods for managing known_hosts across multiple users and systems.
If you frequently use Linux to SSH into remote servers, you’ll find a .ssh directory in your home folder containing files such as config, id_rsa, id_rsa.pub, and known_hosts. The known_hosts file stores the public keys of hosts you have connected to, ensuring you connect to legitimate servers and helping prevent man‑in‑the‑middle attacks.
What is the SSH known_hosts file?
The file records the public keys of remote hosts. When you SSH to a new server, the client asks whether to add the host’s key to known_hosts. Choosing “yes” stores the key locally for future connections.
Avoiding Man‑in‑the‑Middle Attacks
If a server’s key changes, SSH warns you with messages like:
The authenticity of host '194.195.118.85 (194.195.118.85)' can't be established.
ED25519 key fingerprint is SHA256:wF2qILJg7VbqEE4/zWmyMTSwy3ja7be1jTIg3WzmpeE.
Are you sure you want to continue connecting (yes/no/[fingerprint])?Accepting the new key without verification can expose you to MITM attacks. If a key change is legitimate (e.g., server reinstall), remove the old entry from known_hosts before reconnecting.
Managing Multiple Authenticated Users
When automating tools like Ansible, you may want to bypass the interactive host‑key prompt. Three approaches are:
Manually add the server’s public key to each user’s known_hosts file.
Use the SSH option -o StrictHostKeyChecking=no (not recommended).
Maintain a global ssh_known_hosts file and distribute it, adding keys with
ssh-keyscan -H -t rsa your-server-ip >> /etc/ssh/ssh_known_hosts.
The first method is the most labor‑intensive.
Extracting Remote System Details from known_hosts
Most Linux systems enable HashKnownHosts, storing entries as hashes, which obscures readable information. Example entry:
|1|yWIW17YIg0wBRXJ8Ktt4mcfBqsk=|cFHOrZ8VEx0vdOjau2XQr/K7B/c= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFR293PJnDCj59XxfqYGctrMo60ZU5IOjACZZNRp9D6fTo retrieve a host’s fingerprint, use ssh-keygen -l -F <host-or-IP>. A full plaintext list of all hosts is not possible without specialized tools.
Removing Entries from known_hosts
To delete a specific host entry, run: ssh-keygen -R <server-hostname-or-ip> Alternatively, you can manually edit the file, but the command is far more convenient.
Understanding SSH configuration files, especially known_hosts, is essential for system security.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.