Bootstrap FreeKB - SSH - Understanding Known Hosts
SSH - Understanding Known Hosts


In this example, on a Linux system, there is an attempt to connect to server1.example.com as John Doe using the ssh command.

ssh john.doe@server1.example.com

 

During the SSH handshake between the SSH client and the SSH server, the client checks its known hosts files for the SSH server's host key.

If the SSH server speaks SSH protocol version 2 (common), the following files are checked for the SSH server's host key.

  • /etc/ssh/ssh_known_hosts2 (global, for all users)
  • /home/username/.ssh/known_hosts2 (per user)

If the SSH server speaks SSH protocol version 1 (uncommon), the following files are checked for the SSH server's host key.

  • /etc/ssh/ssh_known_hosts (global, for all users)
  • /home/username/.ssh/known_hosts (per user)

In this example, if the host key of server1.example.com is not found in the known hosts files, the following prompt will appear.

The authenticity of host 'server1.example.com (10.17.144.15)' can't be established.
ECDSA key fingerprint is SHA256:EhOaUIB4XtKLyqv4aTBAaAHRC6pF4nyn4ReYO6CHg78.
ECDSA key fingerprint is MD5:a9:15:ba:3b:80:ba:93:83:b1:02:26:4e:43:a7:62:e4.
Are you sure you want to continue connecting (yes/no)?

 

Typing no should return the following.

Host key verification failed

 

Entering yes will tell the SSH server to send its host key to the client requesting the SSH connection. For example, if the SSH server is a Linux system running OpenSSH, it will most likely have the following public host key files; these are sent to the client requesting the SSH connection, and one of them is appended to the known hosts file on the client system.

/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_rsa_key.pub

 

And the following message will appear.

Warning: Permanently added 'server1.example.com,10.17.144.15' (ECDSA) to the list of known hosts.

 

The known hosts file will now contain an entry like this.

server1.example.com,10.17.144.15 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEpS1hzV7N7aij+oztBlkEhbC60Pz2Hfq5+cee5mlr3QWQK9OdaOcZA8TnhlIYDvYv/FIBk4WfZJDw2YxvtepV8=

 

Or, the ssh-keyscan command can be used to append an SSH server's host key to your known hosts file.
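As an added example (not code from the original article), a small Python parser for known hosts entries: it looks a host up in both plain entries and hashed entries (the |1|salt|hash form written when HashKnownHosts is enabled, which goes beyond what the article shows), checks that the key blob's embedded type matches the declared type, and computes the SHA256 fingerprint in the form the prompt above prints. The sample entry is the known_hosts line from this article; the salt used for the hashed entry and the @revoked marker handling are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct
# Constructed sample: the known_hosts line shown in the article, verbatim.
PLAIN_ENTRY = (
    "server1.example.com,10.17.144.15 ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEpS1hzV7N7aij+oztBlkEhbC60Pz2Hfq5+cee5mlr3QWQK9OdaOcZA8TnhlIYDvYv/FIBk4WfZJDw2YxvtepV8="
)

def blob_fields(b64key: str) -> list:
    """Decode a known_hosts key blob into its uint32-length-prefixed SSH strings."""
    blob, fields, pos = base64.b64decode(b64key), [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def fingerprint(b64key: str) -> str:
    """SHA256 fingerprint in the form ssh prints at the prompt (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_hostname(host: str, salt: bytes) -> str:
    """The |1|salt|hash form written when HashKnownHosts is enabled (HMAC-SHA1)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hashed_hostname(host, salt) == pattern
    return host in pattern.split(",")  # plain form: comma-separated names/IPs

def lookup(known_hosts_text: str, host: str):
    """Return (marker, keytype, fingerprint) for the first entry matching host, else None."""
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else ""  # e.g. @revoked
        pattern, keytype, b64key = fields[:3]
        if not host_matches(pattern, host):
            continue
        # The blob embeds its own type; a mismatch means a corrupted or edited line.
        if blob_fields(b64key)[0] != keytype.encode():
            raise ValueError("key type in blob does not match %r" % keytype)
        return marker, keytype, fingerprint(b64key)
    return None
```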
