Understanding and Managing SSH known_hosts to Prevent MITM Attacks
Learn what the SSH known_hosts file does, how it stores server public keys to verify identities, how to handle host key changes, bypass prompts for multiple users, and use commands like ssh-keyscan, ssh-keygen, and StrictHostKeyChecking to securely manage SSH connections.
What is the SSH known_hosts file?
The known_hosts file resides in a user's .ssh directory and stores the public keys of remote servers that the client has connected to. By keeping a record of these keys, SSH can verify that a server is the same one it previously trusted, protecting against man‑in‑the‑middle (MITM) attacks.
Adding a new host
When you SSH to a server for the first time, the client prompts you to confirm the server's authenticity by showing the fingerprint of its host key. Compare that fingerprint with one obtained out of band (for example from the provider's console or the server administrator) before answering; if you answer yes, the server's public key is appended to known_hosts and future connections are verified against it automatically.
The authenticity of host '194.195.118.85 (194.195.118.85)' can't be established.
ED25519 key fingerprint is SHA256:wF2qILJg7VbqEE4/zWmyMTSwy3ja7be1jTIg3WzmpeE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Detecting host‑key changes and MITM warnings
If a server’s host key changes, SSH warns you with a message similar to the following, indicating a possible DNS spoofing or MITM attack. In such cases you should verify the change with the server administrator before accepting the new key.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED!
The RSA host key for xyz remote host has changed, and the key for the corresponding IP address xxx.yy.xxx.yy is unknown.
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man‑in‑the‑middle attack)!
Add correct host key in /home/.ssh/known_hosts to get rid of this message.
Offending key in /home/.ssh/known_hosts:1

Managing multiple users and bypassing the host‑key prompt
When automating SSH connections (e.g., with Ansible), you may want to suppress the interactive prompt. Three common approaches are:
Manually copy the server’s public key into each user’s known_hosts file.
Use the SSH option -o StrictHostKeyChecking=no, which accepts any host key without asking and therefore removes the MITM protection known_hosts provides (not recommended for production).
Maintain a global ssh_known_hosts file and distribute it to all clients, populating it with ssh-keyscan output.
ssh-keyscan -H -t rsa 'your-server-ip' >> /etc/ssh/ssh_known_hosts
Because ssh-keyscan fetches the key over the network, confirm the fingerprint of what it returned against a value obtained out of band before distributing the file; otherwise whoever sits in the path at scan time becomes trusted on every client.
Illustration of the StrictHostKeyChecking=no option (image not reproduced).
Retrieving host information from known_hosts
Because most Linux distributions enable HashKnownHosts yes, the host names in known_hosts are stored as salted hashes, so you cannot tell which servers are listed just by reading the file. You can still query a specific host's fingerprint with:
ssh-keygen -l -F <server-IP-or-hostname>
Listing all entries in plain text is not possible without disabling hashing or using specialized tools.
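As an added illustration that is not part of the original article, the following Python reproduces what ssh-keygen -l -F does against a constructed known_hosts sample: it checks a hostname against hashed |1|salt|hmac| entries (the form HashKnownHosts writes), matches plain comma-separated entries, and computes the SHA256 fingerprint of the matching key the way ssh-keygen -l prints it. The key bytes, salt and hostnames are constructed, not real.

```python
import base64
import hashlib
import hmac

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then data."""
    return len(data).to_bytes(4, "big") + data

# Constructed sample key: 32 placeholder bytes stand in for a real ed25519 public key.
SAMPLE_KEY_B64 = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
SAMPLE_SALT = b"0123456789abcdefghij"  # constructed 20-byte salt (OpenSSH uses the SHA-1 size)

def fingerprint_sha256(key_b64: str) -> str:
    """Fingerprint as `ssh-keygen -l` shows it: base64(SHA-256(key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_hostname(hostname: str, salt: bytes) -> str:
    """Host field written when HashKnownHosts is on: |1|base64(salt)|base64(HMAC-SHA1(salt, host))|."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_field_matches(host_field: str, hostname: str) -> bool:
    """True if a plain, comma-separated or hashed host field names `hostname`."""
    if host_field.startswith("|1|"):
        # The hash is one-way: the only way to query it is to recompute it for a candidate name.
        _, _, salt_b64, mac_b64, _ = host_field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")

def find_host_keys(known_hosts: str, hostname: str) -> list:
    """Mimic `ssh-keygen -l -F hostname`: (key type, SHA256 fingerprint) for each matching line."""
    found = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # drop an @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) >= 3 and host_field_matches(parts[0], hostname):
            found.append((parts[1], fingerprint_sha256(parts[2])))
    return found

# Constructed sample known_hosts: one hashed entry (HashKnownHosts yes) and one plain entry.
SAMPLE_KNOWN_HOSTS = "\n".join([
    hash_hostname("194.195.118.85", SAMPLE_SALT) + " ssh-ed25519 " + SAMPLE_KEY_B64,
    "build.example.internal,10.0.0.7 ssh-ed25519 " + SAMPLE_KEY_B64,
])
```

Calling find_host_keys(SAMPLE_KNOWN_HOSTS, "194.195.118.85") returns the key type and fingerprint for the hashed line only, which is exactly why a hashed file can be queried for a known name but not listed.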
Removing stale entries
To delete a specific host's record, use ssh-keygen -R with the hostname or IP address. This removes the offending line from known_hosts automatically (it works on hashed entries too, since ssh-keygen recomputes the hash for the name you give):
ssh-keygen -R <server-hostname-or-ip>
Alternatively, you can edit the file manually, but the command is safer and less error‑prone.
Understanding SSH configuration files, especially known_hosts, is essential for maintaining system security and reliable remote access.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)