Mastering the SSH known_hosts File to Prevent Man‑in‑the‑Middle Attacks

The article explains the purpose of the SSH known_hosts file, how it stores remote host public keys to prevent man‑in‑the‑middle attacks, and provides step‑by‑step commands for adding, updating, bypassing, and removing entries, as well as tips for managing multiple users and retrieving host details.

Liangxu Linux

What is the known_hosts file?

The known_hosts file resides in ~/.ssh and stores the public keys of remote hosts you have connected to. By remembering these keys, SSH can verify that you are connecting to the same server, protecting against man‑in‑the‑middle attacks.

Adding a new host

When you SSH to a server for the first time, you see a prompt like:

The authenticity of host '194.195.118.85 (194.195.118.85)' can't be established.
ED25519 key fingerprint is SHA256:wF2qILJg7VbqEE4/... 
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Typing yes appends the server’s public key to known_hosts.

Handling key changes

If a server’s host key changes, SSH warns you with a message similar to:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for xyz remote host has changed, ...
Offending key in /home/.ssh/known_hosts:1

In this case you should verify the change with the server administrator before accepting the new key.

Managing multiple authenticated users

To avoid interactive host‑key prompts for automation tools (e.g., Ansible), you have three options:

Manually copy the server’s public key into each user’s known_hosts file.

Use the SSH option -o StrictHostKeyChecking=no (not recommended for production).

Maintain a global /etc/ssh/ssh_known_hosts file and populate it with ssh-keyscan:

ssh-keyscan -H -t rsa 'your-server-ip' >> /etc/ssh/ssh_known_hosts

Example of using StrictHostKeyChecking=no is shown in the accompanying diagram.

Retrieving host information from known_hosts

Linux typically enables HashKnownHosts yes, which stores entries as hashes, making them unreadable in plain text. You can still query a specific host’s fingerprint with:

ssh-keygen -l -F <server-IP-or-hostname>

Listing all entries in clear text is not possible without disabling hashing.
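As an added example (not code from the original article), the following Python script reproduces how OpenSSH builds and matches hashed known_hosts entries, which is what ssh-keygen -F does internally when HashKnownHosts is on: the host field becomes |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)), so a lookup can only succeed for the exact hostname string that was stored, including the [host]:port form used for non-default ports. The salt, hostnames and key blob below are constructed placeholders, not real host keys.

```python
import base64
import hashlib
import hmac

def hash_hostname(hostname, salt):
    """OpenSSH HashKnownHosts host field: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_matches(host_field, hostname):
    """True if a known_hosts host field (plain, comma-separated, or hashed) names hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")

def sha256_fingerprint(key_b64):
    """Fingerprint in the form ssh-keygen -l prints: SHA256:<base64 without padding>."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_host_keys(known_hosts_text, hostname):
    """Mimic ssh-keygen -F: (line_no, keytype, fingerprint) for every line naming hostname."""
    hits = []
    for line_no, line in enumerate(known_hosts_text.splitlines(), start=1):
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker precedes the host field
            fields = fields[1:]
        if len(fields) >= 3 and host_matches(fields[0], hostname):
            hits.append((line_no, fields[1], sha256_fingerprint(fields[2])))
    return hits

# Constructed sample data: fixed salt and a placeholder key blob, not a real host key.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts, not taken from a real system",
    "192.0.2.10,web.example.test ssh-ed25519 " + SAMPLE_KEY,
    # Non-default port: OpenSSH writes the host as [host]:port before hashing it.
    hash_hostname("[db.example.test]:2222", SAMPLE_SALT) + " ssh-ed25519 " + SAMPLE_KEY,
])

if __name__ == "__main__":
    for host in ("web.example.test", "[db.example.test]:2222", "db.example.test"):
        print(host, find_host_keys(SAMPLE_KNOWN_HOSTS, host))
```

Querying "db.example.test" without the port returns nothing, which is the same behaviour you get from ssh-keygen -F when a server listens on a non-default port.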

Removing stale entries

When a host’s key changes permanently, remove the old entry before reconnecting:

ssh-keygen -R <server-hostname-or-ip>

Alternatively, you can edit ~/.ssh/known_hosts manually, but the command above is safer and easier.

Key takeaways

Understanding and correctly managing the known_hosts file is essential for SSH security. It prevents man‑in‑the‑middle attacks, helps automate deployments, and ensures that host key changes are handled safely.

[Figure: StrictHostKeyChecking example]
[Figure: Man-in-the-middle prevention diagram]
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
