Why the SSH known_hosts File Is Crucial for Security and How to Manage It

This guide explains the purpose of the SSH known_hosts file, how it protects against man‑in‑the‑middle attacks, and provides practical commands and techniques for adding, updating, and removing host keys safely across multiple users.

MaGe Linux Operations

If you frequently use Linux and SSH to connect to remote servers, you will find a .ssh directory in your home folder containing files such as id_rsa, id_rsa.pub, config, and the focus of this article, known_hosts.

What is the SSH known_hosts file?

The known_hosts file stores the public host keys of the remote servers you have connected to. By keeping these keys locally, SSH can check on every later connection that the server presenting a key is the same one you connected to before, which is what protects you against man-in-the-middle attacks.

First connection prompt

When you SSH to a new server, you will see a prompt like:

The authenticity of host '194.195.118.85 (194.195.118.85)' can't be established.
ED25519 key fingerprint is SHA256:wF2qILJg7VbqEE4/zWmyMTSwy3ja7be1jTIg3WzmpeE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Choosing yes adds the server’s key to your known_hosts file.

Avoiding man‑in‑the‑middle attacks

If a server’s host key changes, SSH warns you with messages such as:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for xyz remote host has changed, and the key for the corresponding IP address xxx.yy.xxx.yy is unknown. This could either mean that DNS SPOOFING is happening or the IP address for the host and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man‑in‑the‑middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
69:4e:bb:70:6a:64:e3:78:07:6f:b4:00:41:07:d8:9c.
Please contact your system administrator.
Add correct host key in /home/.ssh/known_hosts to get rid of this message.
Offending key in /home/.ssh/known_hosts:1
Keyboard‑interactive authentication is disabled to avoid man‑in‑the‑middle attacks.

In such cases, verify the new key with the server administrator before accepting it.

Managing multiple authenticated users

When several users need to connect without interactive host-key prompts (for example, when using Ansible), you can choose one of three methods:

1. Manually append the server's public key to each user's known_hosts file.

2. Use the SSH option -o StrictHostKeyChecking=no (not recommended for production: it automatically accepts new host keys and lets connections to hosts with changed keys proceed, which defeats the protection described above).

3. Maintain a global ssh_known_hosts file and distribute it to clients, populating it with ssh-keyscan:

ssh-keyscan -H -t rsa 'your-server-ip' >> /etc/ssh/ssh_known_hosts

Note that ssh-keyscan records whatever key the network returns, so compare the scanned key's fingerprint with the one reported by the server administrator before distributing the file.

Below is an illustration of using the StrictHostKeyChecking=no option:

(Image: StrictHostKeyChecking example)

Extracting host details from known_hosts

Most Linux systems enable HashKnownHosts yes, which stores host entries as hashes, making them unreadable in plain text. Example output of cat .ssh/known_hosts:

$ cat .ssh/known_hosts
|1|yWIW17YIg0wBRXJ8Ktt4mcfBqsk=|cFHOrZ8VEx0vdOjau2XQr/K7B/c= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFR293PJnDCj59XxfqYGctrMo60ZU5IOjACZZNRp9D6f
|1|Ta7hoH/az4O3l2dwfaKh8O2jitI=|WGU5TKhMA+2og1qMKE6kmynFNYo= ssh-rsa [key data omitted]

You can query a specific host with:

ssh-keygen -l -F <server-IP-or-hostname>

Listing all entries in plain text is not possible because of hashing, though specialized tools exist for that purpose.
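As an added example (not code from the original article), the Python below reproduces what the article relies on: the SHA256 fingerprint format shown in the first-connection prompt, matching of hashed |1|salt|hash entries the way ssh-keygen -F does, and, for the ssh-keyscan method above, appending a scanned line only after its fingerprint has been checked against one obtained out of band. The hostnames, salt and RSA blob are constructed; the ed25519 key blob is the one from the listing above.

```python
import base64
import hashlib
import hmac

# Key blob taken from the article's hashed known_hosts listing (the ed25519 line).
PAGE_ED25519_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIFR293PJnDCj59XxfqYGctrMo60ZU5IOjACZZNRp9D6f"
SALT = bytes(range(20))  # constructed fixed salt; OpenSSH draws 20 random bytes

def fingerprint(key_b64):
    """OpenSSH-style fingerprint of a key blob: 'SHA256:' + unpadded base64 of SHA-256."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(hostname, salt):
    """Build the '|1|salt|hash' marker HashKnownHosts writes: HMAC-SHA1 keyed with the salt."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(marker, hostname):
    """Does the first field of a known_hosts line cover hostname (hashed or plain form)?"""
    if marker.startswith("|1|"):
        _, _, salt_b64, mac_b64 = marker.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in marker.split(",")  # plain form may list "name,ip"

def find_host(known_hosts_text, hostname):
    """Return (key_type, key_blob) for hostname, as 'ssh-keygen -F' would, or None."""
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if host_matches(fields[0], hostname):
            return fields[1], fields[2]
    return None

def add_if_trusted(known_hosts_text, scanned_line, expected_fp):
    """Append an ssh-keyscan line only when its key fingerprint equals the one obtained
    out of band (e.g. from the server admin); returns the new file text, or None."""
    fields = scanned_line.split()
    if len(fields) < 3 or fingerprint(fields[2]) != expected_fp:
        return None
    return (known_hosts_text.rstrip("\n") + "\n" + scanned_line.strip() + "\n").lstrip("\n")

# Constructed sample file: one hashed entry (HashKnownHosts yes) and one plain entry.
KNOWN_HOSTS = "\n".join([
    hash_host("build.example.internal", SALT) + " ssh-ed25519 " + PAGE_ED25519_BLOB,
    "10.0.0.5,db.example.internal ssh-rsa " + base64.b64encode(b"constructed-rsa-blob").decode(),
]) + "\n"
```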

Removing entries from known_hosts

To delete a specific host entry, use:

ssh-keygen -R <server-hostname-or-ip>

Alternatively, you can manually edit the file, but the command is far more convenient.

Understanding SSH configuration files, especially known_hosts, is essential for maintaining system security.
