known_hosts File
What is known_hosts File?
An OpenSSH client file (~/.ssh/known_hosts) that pins server public keys so SSH can detect host-key changes that could indicate a man-in-the-middle attack.
The known_hosts file implements trust-on-first-use (TOFU) for SSH server identities. With the default StrictHostKeyChecking=ask, the first connection to a host shows the fingerprint of its host key and asks the user to confirm it; on acceptance OpenSSH appends a line of the form `hostname[,ip] keytype base64-key [comment]` to ~/.ssh/known_hosts (UserKnownHostsFile). Hosts reached on a non-standard port are recorded as `[host]:port`. Administrators can pre-distribute keys in the system-wide /etc/ssh/ssh_known_hosts (GlobalKnownHostsFile), which the client consults as well. On later connections OpenSSH looks the host up and compares the offered key with the stored one. If a stored key of the same type differs, it prints "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" and, in the default mode, aborts with "Host key verification failed."; with StrictHostKeyChecking=no it continues but disables password, keyboard-interactive and agent-forwarding to limit what a man-in-the-middle could capture. A legitimate key rotation and an active attack look identical at this point, so the stale entry should only be replaced (ssh-keygen -R host) after the new fingerprint has been confirmed out of band.

Host-name hashing (HashKnownHosts yes) replaces each name with `|1|salt|HMAC-SHA1(salt, name)` so that a disclosed file does not reveal which hosts were visited; lookups still work because the client recomputes the HMAC with the stored salt. Upstream OpenSSH defaults this option to no, but Debian and Ubuntu enable it in /etc/ssh/ssh_config. ssh-keygen -H hashes an existing file and ssh-keygen -F host finds an entry in either form.

Stronger than per-host TOFU are CA-signed host certificates, trusted on the client with an @cert-authority line in known_hosts (the server presents its certificate via HostCertificate in sshd_config) and withdrawn with @revoked lines; SSHFP records in DNS validated by DNSSEC (RFC 4255, enabled with VerifyHostKeyDNS yes); and, for automation and production access, StrictHostKeyChecking=yes together with a pre-provisioned known_hosts so that an unknown or changed key fails closed instead of prompting.
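The lookup and comparison the client performs, as an added example that is not OpenSSH's code: it parses plain, hashed (`|1|salt|hmac`) and @-marked entries, recomputes the HMAC-SHA1 for hashed names, and classifies an offered key as accepted, changed (the "REMOTE HOST IDENTIFICATION HAS CHANGED!" case), revoked, or unknown (the TOFU prompt). The host names, salt and key blobs are constructed for the example and are not real keys; certificate signature checking for @cert-authority entries is deliberately omitted.

```python
"""Added example: how an SSH client resolves a host against known_hosts.
Not OpenSSH code; names, salt and key blobs below are constructed."""
import base64
import hashlib
import hmac
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional

HASH_MAGIC = "|1|"


class Entry(NamedTuple):
    marker: Optional[str]   # None, "@cert-authority" or "@revoked"
    names: str              # comma-separated patterns, or one hashed name
    keytype: str
    key: str                # base64 key blob exactly as stored in the file
    comment: str


def host_key_name(host: str, port: int = 22) -> str:
    """Name the client looks up: bare host on port 22, [host]:port otherwise."""
    host = host.lower()
    return host if port == 22 else f"[{host}]:{port}"


def hash_host(name: str, salt: bytes) -> str:
    """Hashed form written under HashKnownHosts yes:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name)); salt is 20 random bytes."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def name_matches(names: str, name: str) -> bool:
    """Does the name field of one entry cover this host name?"""
    if names.startswith(HASH_MAGIC):
        # Hashed entry: recompute the HMAC with the stored salt and compare.
        _, _, salt_b64, mac_b64 = names.split("|")
        expect = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expect, base64.b64decode(mac_b64))
    matched = False
    for pat in names.split(","):
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        # OpenSSH only treats * and ? as wildcards; escape [ so fnmatch
        # does not read "[host]:port" as a character class.
        if fnmatchcase(name, pat.replace("[", "[[]")):
            if negate:
                return False        # a negated pattern wins outright
            matched = True
    return matched


def parse_known_hosts(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue                # malformed line; the client skips it too
        names, keytype, key = fields[:3]
        entries.append(Entry(marker, names, keytype, key, " ".join(fields[3:])))
    return entries


def verify_host_key(known_hosts: str, name: str, keytype: str, key: str) -> str:
    """Return 'ok', 'CHANGED', 'revoked' or 'unknown' for an offered key."""
    same_type_seen = False
    for e in parse_known_hosts(known_hosts):
        if not name_matches(e.names, name):
            continue
        if e.marker == "@revoked":
            if e.keytype == keytype and e.key == key:
                return "revoked"
            continue
        if e.marker == "@cert-authority":
            # A host certificate signed by e.key would be accepted here; the
            # signature check needs the certificate parser, omitted in this example.
            continue
        if e.keytype != keytype:
            continue                # a key of another type is not a mismatch
        if e.key == key:
            return "ok"
        same_type_seen = True
    return "CHANGED" if same_type_seen else "unknown"


# Constructed sample file (not real keys, not a real salt).
SALT = bytes(range(20))
KEY_A = base64.b64encode(b"constructed key blob A").decode()
KEY_B = base64.b64encode(b"constructed key blob B").decode()
KEY_OLD = base64.b64encode(b"constructed key blob OLD").decode()
KEY_CA = base64.b64encode(b"constructed CA key blob").decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample for the example",
    f"bastion.example,10.0.0.5 ssh-ed25519 {KEY_A} bastion",
    f"{hash_host(host_key_name('git.example', 2222), SALT)} ssh-ed25519 {KEY_B}",
    f"@cert-authority *.prod.example ssh-ed25519 {KEY_CA} prod host CA",
    f"@revoked old.example ssh-rsa {KEY_OLD}",
])

if __name__ == "__main__":
    for name, kt, k in [("bastion.example", "ssh-ed25519", KEY_A),
                        ("bastion.example", "ssh-ed25519", KEY_B),
                        (host_key_name("git.example", 2222), "ssh-ed25519", KEY_B),
                        ("git.example", "ssh-ed25519", KEY_B),
                        ("old.example", "ssh-rsa", KEY_OLD)]:
        print(f"{name:24} {kt:12} {verify_host_key(SAMPLE_KNOWN_HOSTS, name, kt, k)}")
```

Two details worth noticing: the hashed git.example entry only matches the `[git.example]:2222` form, so the same host reached on port 22 is treated as unknown, and an offered key of a different type than the stored one is also unknown rather than changed, which is why a server that adds a new key type does not trigger the warning.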
● Examples
- 01
OpenSSH printing "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" and refusing the connection when the key offered by the server no longer matches the entry for that host in known_hosts.
- 02
Using SSH host certificates with an @cert-authority entry so hundreds of servers signed by one host CA do not need to appear individually in known_hosts.
● Frequently asked questions
What is known_hosts File?
An OpenSSH client file (~/.ssh/known_hosts) that pins server public keys so SSH can detect host-key changes that could indicate a man-in-the-middle attack. It belongs to the Network Security category of cybersecurity.
What does known_hosts File mean?
An OpenSSH client file (~/.ssh/known_hosts) that pins server public keys so SSH can detect host-key changes that could indicate a man-in-the-middle attack.
How do you keep known_hosts File checks effective?
Keep the check fail-closed: pre-provision host keys (or an @cert-authority entry) in /etc/ssh/ssh_known_hosts from a trusted source rather than relying on each user's first-use prompt, set StrictHostKeyChecking=yes for automation and production access, and treat a "REMOTE HOST IDENTIFICATION HAS CHANGED!" warning as an incident until the new fingerprint is confirmed out of band. The common anti-pattern is StrictHostKeyChecking=no with UserKnownHostsFile=/dev/null in scripts and CI jobs, which accepts any key and removes the protection entirely. Where the file is shared or synced, HashKnownHosts yes limits what it reveals about visited hosts.
What are other names for known_hosts File?
Common alternative names include: ~/.ssh/known_hosts, /etc/ssh/ssh_known_hosts, host-key TOFU.