known_hosts File
What is known_hosts File?
An OpenSSH client file (~/.ssh/known_hosts) that pins server public keys so SSH can detect host-key changes that could indicate a man-in-the-middle attack.
The known_hosts file implements trust-on-first-use (TOFU) for SSH server identities. On the first connection to a host, the user is asked to verify and accept its public-key fingerprint; OpenSSH then records the host and key in known_hosts (system-wide /etc/ssh/ssh_known_hosts also exists). On later connections, OpenSSH compares the offered key against this record and refuses to connect when it differs, warning of a possible MITM. Hashing is enabled by default (HashKnownHosts yes) so disclosing the file does not leak the list of visited hosts. Stronger options include CA-signed host certificates (TrustedUserCAKeys / @cert-authority), DNS-based SSHFP records signed with DNSSEC (RFC 4255), and rejecting any prompt with StrictHostKeyChecking=yes for production access.
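To make the TOFU comparison and the hashed-entry format concrete, here is an added example (not OpenSSH's own code, and not from the page) that parses a small known_hosts file and classifies an offered host key the way the client does: accepted, changed (the condition behind the "REMOTE HOST IDENTIFICATION HAS CHANGED!" warning), revoked, or never seen. It uses the real HashKnownHosts layout (`|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`), but the hostnames, the fixed salt and the "AAAAC3Placeholder-…" key strings are constructed placeholders, and certificate validation for @cert-authority lines is deliberately left out.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    """One known_hosts line: optional @marker, host pattern, key type, base64 key."""
    marker: Optional[str]
    hosts: str
    key_type: str
    key: str


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Produce the HashKnownHosts form '|1|<b64 salt>|<b64 HMAC-SHA1(salt, host)>'."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a hostname against one entry's host field (hashed or plain)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    # Plain entries list comma-separated names/addresses. OpenSSH also accepts
    # '*'/'?' wildcards and '!' negation; this example uses exact matching only.
    return hostname in pattern.split(",")


def parse_known_hosts(text: str) -> list[Entry]:
    """Parse known_hosts text, skipping comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue  # malformed line; skipped, as OpenSSH does
        entries.append(Entry(marker, fields[0], fields[1], fields[2]))
    return entries


def check_host_key(entries: list[Entry], hostname: str, key_type: str, key: str) -> str:
    """Classify an offered host key: 'ok', 'changed', 'revoked' or 'unknown'."""
    # Revocations win regardless of where they appear in the file.
    for e in entries:
        if e.marker == "@revoked" and hostname_matches(e.hosts, hostname) \
                and (e.key_type, e.key) == (key_type, key):
            return "revoked"
    saw_same_type = False
    for e in entries:
        if e.marker is not None:  # @cert-authority needs certificate checks, not shown here
            continue
        if not hostname_matches(e.hosts, hostname) or e.key_type != key_type:
            continue
        saw_same_type = True
        if e.key == key:
            return "ok"
    # A pinned key of the same type that differs is what triggers OpenSSH's
    # "REMOTE HOST IDENTIFICATION HAS CHANGED!" warning and a refused connection.
    return "changed" if saw_same_type else "unknown"


SALT = bytes(range(20))  # constructed fixed salt; OpenSSH draws 20 random bytes per entry
KNOWN_HOSTS = "\n".join([
    "# constructed sample file; the keys are placeholders, not real key material",
    "bastion.example.net,10.0.0.5 ssh-ed25519 AAAAC3Placeholder-BastionKey",
    hash_hostname("db.example.net", SALT) + " ssh-ed25519 AAAAC3Placeholder-DbKey",
    "@revoked db.example.net ssh-ed25519 AAAAC3Placeholder-OldDbKey",
    "@cert-authority *.example.net ssh-ed25519 AAAAC3Placeholder-CaKey",
])
ENTRIES = parse_known_hosts(KNOWN_HOSTS)


def demo() -> dict:
    """Run the classifier over the constructed file for each interesting case."""
    return {
        "bastion_by_name": check_host_key(ENTRIES, "bastion.example.net", "ssh-ed25519", "AAAAC3Placeholder-BastionKey"),
        "bastion_by_ip": check_host_key(ENTRIES, "10.0.0.5", "ssh-ed25519", "AAAAC3Placeholder-BastionKey"),
        "bastion_changed": check_host_key(ENTRIES, "bastion.example.net", "ssh-ed25519", "AAAAC3Placeholder-Other"),
        "bastion_rsa_unknown": check_host_key(ENTRIES, "bastion.example.net", "ssh-rsa", "AAAAB3Placeholder"),
        "db_hashed": check_host_key(ENTRIES, "db.example.net", "ssh-ed25519", "AAAAC3Placeholder-DbKey"),
        "db_revoked": check_host_key(ENTRIES, "db.example.net", "ssh-ed25519", "AAAAC3Placeholder-OldDbKey"),
        "new_host": check_host_key(ENTRIES, "new.example.net", "ssh-ed25519", "AAAAC3Placeholder-NewKey"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Two details worth noticing: a hashed entry still verifies a hostname exactly, because the client recomputes the HMAC with the stored salt, so hashing hides which hosts you have visited without weakening the pin; and a same-type key that differs from the pinned one is reported as changed rather than unknown, which is the case a defender must investigate (key rotation or a man-in-the-middle) before removing the old line.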
● Examples
- 01
OpenSSH warning 'REMOTE HOST IDENTIFICATION HAS CHANGED!' when the host's key in known_hosts no longer matches.
- 02
Using SSH certificates with @cert-authority entries so hundreds of servers do not need to appear individually in known_hosts.
● Frequently asked questions
What is known_hosts File?
An OpenSSH client file (~/.ssh/known_hosts) that pins server public keys so SSH can detect host-key changes that could indicate a man-in-the-middle attack. It belongs to the Network Security category of cybersecurity.
How is known_hosts File used defensively?
known_hosts is itself the defensive control: it pins a server's host key on first use and refuses the connection when the offered key differs. The definition above lists the stronger options it is combined with: CA-signed host certificates, DNSSEC-signed SSHFP records, and StrictHostKeyChecking=yes for production access.
What are other names for known_hosts File?
Common alternative names include: ~/.ssh/known_hosts, host-key TOFU.
● Related terms
- network-security, № 1089
SSH Key Types
The asymmetric key algorithms accepted by OpenSSH for user and host authentication: RSA, ECDSA (NIST curves), and the modern default Ed25519.
- network-security, № 1088
SSH Agent Forwarding
An OpenSSH feature, enabled with -A or ForwardAgent yes, that exposes a UNIX socket on a remote host so commands there can use the local SSH agent to authenticate further hops.
- network-security, № 345
DNSSEC
A set of DNS extensions that uses digital signatures to let resolvers verify the authenticity and integrity of DNS records.
- network-security, № 1087
SSH
A cryptographic network protocol (RFC 4251, port 22) that provides authenticated, encrypted, and integrity-protected remote login, command execution, and tunneling over an untrusted network.