SecurityIntermediate24 min read

What Is known_hosts? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

The known_hosts file is a list of digital fingerprints that your computer keeps for every remote server you connect to using SSH. When you connect to a server, your computer checks this file to make sure the server is the same one you connected to before. If the fingerprint doesn't match, you get a warning. This helps protect you from fake servers trying to steal your credentials.

Common Commands & Configuration

ssh-keygen -R server.example.com

Removes the host key for server.example.com from the known_hosts file. Useful when a server's key has been legitimately changed.

ssh-keyscan server.example.com >> ~/.ssh/known_hosts

Connects to server.example.com and retrieves its public host key, then appends it to the user's known_hosts file. Used to pre-populate known_keys.

ssh-keygen -F server.example.com

Finds and displays the entry for server.example.com in known_hosts, if it exists. Useful for checking whether a key is already stored.

ssh-keyscan -H server.example.com >> ~/.ssh/known_hosts

Same as above, but hashes the hostname so the actual hostname is not stored in plaintext. Increases privacy.

cat ~/.ssh/known_hosts

Displays the contents of the known_hosts file. Useful for manual inspection but be aware that hashed hostnames will not show the actual hostname.

Must Know for Exams

The known_hosts file is a consistent topic in several IT certification exams, though it is not always a major objective. It appears most prominently in the CompTIA Linux+ (XK0-005) exam, where it is part of Objective 2.4: Securing network services and connections. Candidates must understand SSH host key verification, the known_hosts file, and how to manage SSH keys. Questions may ask you to describe the purpose of known_hosts, interpret warning messages, or choose the correct command to remove a host key. In the CompTIA Security+ (SY0-601) exam, it falls under Objective 3.2: Given a scenario, implement secure network architecture concepts, specifically in the context of secure protocols (SSH) and the principle of trust but verify. Expect scenario-based questions where you must identify that a changed host key indicates a potential MITM attack.

For the Cisco CCNA (200-301), known_hosts is indirectly relevant when SSH is configured for device management. While CCNA focuses more on the IOS configuration of SSH (crypto key generate rsa, ip ssh version 2), you should know that the SSH client on a router or switch also maintains a known_hosts file if it is acting as an SSH client. However, it is a light supporting topic. In AWS Certified Solutions Architect exams, knowledge of SSH is essential for accessing EC2 instances, but the known_hosts file is typically assumed knowledge rather than a tested objective. Similarly, for Red Hat Certified System Administrator (RHCSA), you must know SSH key-based authentication and host key verification as part of managing network services.

Exam questions about known_hosts often appear as multiple-choice with scenarios. For example: "A system administrator receives the following error when trying to SSH into a server: WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED. Which of the following files contains the stored host key that is causing this error?" The answer is 'known_hosts'. Another common question: "Which SSH configuration directive controls whether the SSH client will connect to a server whose host key is not in known_hosts?" Answer: 'StrictHostKeyChecking'. You may also see a question asking for the command to remove a host key from known_hosts: 'ssh-keygen -R hostname'. Or a question that tests your understanding of the difference between known_hosts and authorized_keys. For example, "Which file stores the public keys of users allowed to log into an account?" Answer: 'authorized_keys'. So you must not confuse these two files.

In troubleshooting scenarios, you might be told that an SSH connection suddenly fails with a host key mismatch, and you must determine whether to remove the old key or investigate a possible attack. Exams will test your judgment as well. Overall, while known_hosts is a small concept, it is testable, and knowing it well can earn you easy points.

Simple Meaning

Think of the known_hosts file like a contact list on your phone, but for servers you connect to using a secure protocol called SSH (Secure Shell). When you call a friend, your phone shows their name and picture so you know it's really them. In the same way, when your computer connects to a remote server for the first time, it saves a unique digital fingerprint of that server in the known_hosts file. The next time you connect, your computer checks that the server presents the same fingerprint it saved earlier. If it matches, you can trust the connection. If it doesn't, it means the server may have changed its key for a legitimate reason, like a security update, or something malicious could be happening, like a man-in-the-middle attack where an attacker intercepts your connection. The known_hosts file lives in your user account's home directory, usually at ~/.ssh/known_hosts. Each line in the file contains the server's hostname (or IP address), the key type (such as RSA or ECDSA), and the actual public key data. If you ever see a warning that says something like "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED," that means the fingerprint in known_hosts does not match what the server is now showing. You then have to decide whether to trust the new key or investigate further. For IT professionals, managing known_hosts files across many servers is a routine part of system administration. It is a simple but very important security mechanism that helps ensure the integrity of remote connections.

For example, imagine you work at a company and you frequently SSH into a central database server. The first time you connect, your computer saves the server's public key. One day, an attacker sets up a fake server with the same IP address. When you try to connect, your computer checks known_hosts and sees that the fake server's key does not match the saved key. You get an immediate warning, and you can abort the connection. Without known_hosts, you would have no way of knowing you were connecting to a malicious server, and the attacker could capture your login credentials or any data you transmit. That is why known_hosts is a foundational layer of trust in SSH communications.

Full Technical Definition

The known_hosts file is a critical component of the SSH (Secure Shell) protocol's host key verification mechanism, as defined in RFC 4251 (SSH Protocol Architecture) and RFC 4253 (SSH Transport Layer Protocol). When an SSH client initiates a connection to a remote server, the transport layer performs key exchange, during which the server sends its public host key (or a certificate chain). The SSH client must verify this host key to ensure the server is authentic and prevent man-in-the-middle (MITM) attacks. The known_hosts file, conventionally located at ~/.ssh/known_hosts per user or /etc/ssh/ssh_known_hosts system-wide (the latter managed by administrators), stores previously encountered host keys along with their associated hostnames (or IP addresses) and key types (e.g., ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519). The file format is simple: each line contains the host specification (hostname or hash), the key type, and the Base64-encoded public key. The host specification may be a plain hostname, an IP address, a comma-separated list, or a hashed hostname (using a salt and HMAC-SHA1) to prevent hostname leakage if the file is stolen. The SSH client checks known_hosts before a connection proceeds: on the first connection, the client prompts the user to accept the unknown host key and stores it; on subsequent connections, the client performs a comparison. If the key matches, the connection proceeds. If the key does not match, the client warns the user with a message like "REMOTE HOST IDENTIFICATION HAS CHANGED" and terminates the connection by default (StrictHostKeyChecking can be set to 'yes', 'no', or 'accept-new' in ssh_config). If StrictHostKeyChecking is set to 'no', the client will automatically accept any new key, which is dangerous and should only be used in controlled lab environments.

Administrators commonly manage known_hosts through the ssh-keyscan utility, which can retrieve host keys from remote servers and pre-populate known_hosts files for all client machines in an enterprise. The file can also be distributed via configuration management tools like Ansible, Puppet, or Chef. Another important aspect is key rotation: when a server's host key is regenerated (e.g., after a security incident or OS reinstallation), administrators must update the known_hosts files on all clients. They can use the ssh-keygen -R hostname command to remove the old key from known_hosts, then allow the client to accept the new key on next connection. The known_hosts file can grow large over time, so periodic cleanup is advisable. The file supports wildcards, patterns (e.g., *.example.com), and negation patterns for advanced host matching. There is also a separate file called authorized_keys, often confused with known_hosts, which serves a different purpose: authorized_keys stores the public keys of users who are allowed to log into a given account, while known_hosts stores the public keys of servers that the client trusts. Understanding this distinction is essential for IT certification exams and real-world administration.

Real-Life Example

Imagine you are a delivery driver for a package company. You have a clipboard that lists all the addresses you deliver to, along with a small photo of the front door for each address. The first time you go to a new house, you take a photo and add it to your clipboard. That photo helps you know it's the right house the next time you visit. The known_hosts file works the same way, but instead of photos, it stores digital fingerprints of servers. When you connect to a new server for the first time, SSH asks you to confirm that you trust the fingerprint, like a delivery driver taking a photo. After that, every time you connect, SSH compares the server's fingerprint to the one stored in known_hosts. If the photo on your clipboard shows a blue door, but the house now has a red door, you would be suspicious and check the address again. Similarly, if the server's fingerprint changes, SSH warns you that something might be wrong.

Let's say you are a system administrator and you manage 50 different servers. Each server has a unique digital fingerprint. Your known_hosts file is like a master list of all those fingerprints. One day, you upgrade the operating system on one server, which regenerates its host key. The next time you SSH into it, your client says "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED." That is like arriving at a house where the photo shows a white picket fence, but the house now has a brick wall. You need to decide: did the owner renovate, or did someone else move in? In the server world, you know you just upgraded the OS, so you can safely accept the new key. But if you had not done any changes, that warning might indicate an intruder. This analogy shows how known_hosts gives you a way to detect changes and maintain trust over time.

In everyday life, we also recognize people by their faces or voices even before they speak. known_hosts is like a short-term memory for servers: it lets your computer recognize a server by its key, just as you recognize a friend by their face. Without it, your computer would have no memory and would treat every connection as a first meeting, which is insecure.

Why This Term Matters

The known_hosts file matters because it is a primary defense against MITM attacks in SSH, a protocol used everywhere from server administration to cloud infrastructure management. IT professionals rely on SSH daily to log into remote servers, transfer files with SCP and SFTP, and automate deployments. Without host key verification, an attacker who intercepts the network traffic could place a fake server between the client and the real server. The attacker could then capture login credentials, execute commands, or exfiltrate data. The known_hosts file provides a simple, stable mechanism to authenticate servers without requiring a certificate authority or external directory, though those can also be integrated. It is a trust-on-first-use (TOFU) model, which works well for many scenarios but also has limitations: if the first connection is compromised, the attacker's key is stored as trusted. That is why administrators in high-security environments often pre-populate known_hosts with verified keys using ssh-keyscan or distribute them via secure channels.

In practice, managing known_hosts is a routine part of system administration. When servers are rebuilt, decommissioned, or have their host keys rotated, administrators must update known_hosts on all client machines. If not done correctly, users will face disruptive warnings and may inadvertently bypass checks by setting StrictHostKeyChecking to 'no', which defeats the purpose. Many organizations automate known_hosts management through configuration management tools, ensuring consistency and security. The file also integrates with SSH certificates: if a server presents a certificate signed by a trusted CA, the client can validate it without needing a specific entry in known_hosts, which simplifies large-scale deployments.

For certification candidates, understanding known_hosts is essential because it appears in questions about SSH security, remote access, and troubleshooting. You need to know the file location, format, how key comparison works, and how to manage keys with commands like ssh-keygen, ssh-keyscan, and ssh-copy-id (although the latter touches authorized_keys). Knowing the difference between known_hosts and authorized_keys is a common exam trap. Ultimately, known_hosts is a small file with a big job, and mastering it is a hallmark of a competent IT professional.

How It Appears in Exam Questions

Questions about known_hosts typically fall into three categories: definition, scenario-based troubleshooting, and command-line knowledge. In definition questions, you might be asked: 'What is the purpose of the known_hosts file in SSH?' The answer is to store the public keys of remote servers to verify their identity. Another variant: 'Which of the following files is used to prevent man-in-the-middle attacks during SSH connections?' The answer is known_hosts. You may also get a multiple-choice question where you must pick the correct file path: ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts.

Scenario questions are more common. For example: 'An administrator attempts to SSH into a server and receives the following message: "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" What should the administrator do first?' The correct answer is to verify whether the server's host key was recently regenerated or if a security incident may have occurred. Then they can remove the old key with ssh-keygen -R and accept the new key, or investigate further. Another scenario: 'A junior admin runs ssh-keyscan -H server.example.com and appends the result to ~/.ssh/known_hosts. What is the purpose of the -H flag?' Answer: To hash the hostname, making it less readable.

Command-line knowledge questions often ask: 'Which command removes the entry for a server from the known_hosts file?' Options: ssh-keygen -R, ssh-keyscan -d, ssh-add -d, or ssh-copy-id. The correct command is ssh-keygen -R. They might also ask: 'Which SSH configuration file determines the behavior when a host key is not found in known_hosts?' Answer: ssh_config (or the user-level ~/.ssh/config). And the directive is StrictHostKeyChecking. They may ask about the possible values: yes, no, accept-new, or ask (default).

Troubleshooting questions sometimes present a situation where a user can SSH into a server from one client but not from another, and the reason is that the second client does not have the host key in its known_hosts, or the key differs. Also, questions about automation: 'An Ansible playbook that uses SSH to connect to managed nodes fails with a host key verification error. How should the known_hosts file be managed to avoid this?' The answer might involve pre-populating known_hosts or disabling StrictHostKeyChecking (though the latter is discouraged). You could also be asked about the difference between user-level and system-wide known_hosts files. Overall, if you can explain the file format, understand the TOFU model, and know the common commands, you can handle these questions confidently.

Practise known_hosts Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are starting a new job as a junior IT support specialist at a company called TechFlow. One of your tasks is to help developers troubleshoot SSH connection issues. A developer, Sarah, comes to you saying she cannot connect to the main application server named 'app01.techflow.com'. She has been connecting to it for months, but today she is getting a scary warning message that says 'WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!' She is worried that someone might be hacking the server. You look at the message carefully. It shows that the server's key fingerprint is different from the one stored in her known_hosts file. You ask Sarah if any changes were made to the server recently. She remembers that the server was rebuilt last night as part of a security patch update. You explain that when a server's operating system is reinstalled, a new host key is generated automatically. This is like if a house were painted a different color after renovation. The changed fingerprint does not necessarily mean an attack; it just means the old fingerprint does not match the new one.

Now you need to fix the problem. You open a terminal on Sarah's computer and run the command: ssh-keygen -R app01.techflow.com. This removes the old key for that server from her known_hosts file. Then you tell Sarah to try SSH again. When she connects, SSH will not find any key for that server in known_hosts, so it will prompt her to accept the new key. She types 'yes', and the connection succeeds. You also show her that the new key is now stored. You mention that if this happened on multiple machines, you could use a configuration management tool or a script to update all known_hosts files at once. Sarah is relieved and thanks you.

The next day, another developer, Mike, reports the same error for a different server. This time, you check your records and see that no changes were made to that server. You become suspicious. You ask Mike to stop the connection and you escalate the issue to the security team. It turns out that an attacker was trying to intercept Mike's connection. Because known_hosts alerted the mismatch, the attack was stopped. This scenario shows how knowing how to handle known_hosts-both the normal update case and the security incident-is a critical skill for any IT support role.

Common Mistakes

Confusing known_hosts with authorized_keys

known_hosts stores the public keys of remote servers that the client trusts. authorized_keys stores the public keys of users who are allowed to log into a particular account. They serve opposite directions of authentication: known_hosts verifies server to client, authorized_keys verifies client to server.

Remember: known_hosts = hosts you know (servers). authorized_keys = keys that authorize users. Use the mnemonic: 'known_hosts has host keys, authorized_keys has user keys.'

Thinking known_hosts is the same across all users

Each user has their own known_hosts file at ~/.ssh/known_hosts. There is also a system-wide file at /etc/ssh/ssh_known_hosts, but they are separate. A host key accepted by one user is not automatically trusted by another user.

If a different user on the same computer cannot connect, check their own known_hosts file. You may need to update it individually or use the system-wide file.

Deleting the entire known_hosts file to fix a single mismatch

Deleting the whole file removes all trusted host keys, which means the user will be prompted to accept every server again. This is insecure because it forces trust-on-first-use for all servers, potentially accepting a malicious server if the timing is wrong. It also disrupts workflow.

Use ssh-keygen -R hostname to remove only the problematic key. This is precise and safe.

Setting StrictHostKeyChecking to 'no' in production

When StrictHostKeyChecking is set to 'no', the SSH client will automatically accept any host key, including one from a malicious server. This completely bypasses the security provided by known_hosts and opens the door to MITM attacks.

Never disable StrictHostKeyChecking in production. Use 'accept-new' if you must, but the best practice is to pre-populate known_hosts with verified keys.

Assuming the 'host key changed' warning always means an attack

While a changed host key can indicate a man-in-the-middle attack, it can also be legitimate, such as after an OS reinstall, a server migration, or manual key rotation. Panicking without investigation leads to unnecessary work or even missing a real attack.

Always verify if the server had any changes. If it did, remove the old key and accept the new one. If not, treat it as a potential security incident and escalate.

Exam Trap — Don't Get Fooled

{"trap":"The exam question asks: 'A user wants to prevent SSH from prompting to accept a new host key every time a server is rebuilt. Which configuration change should the administrator make?' The answer options include setting StrictHostKeyChecking to 'no' or 'accept-new'."

,"why_learners_choose_it":"Learners think that disabling the warning will make it easier to connect to servers that change keys frequently. They may not realize the security risk.","how_to_avoid_it":"The correct approach is not to disable StrictHostKeyChecking, but to actively manage known_hosts: pre-populate the file with the new host key using ssh-keyscan, or use a configuration management tool.

On an exam, the 'best practice' answer is to distribute trusted keys, not turn off security."

Commonly Confused With

known_hostsvsauthorized_keys

authorized_keys is a file in the .ssh directory on the server that contains the public keys of users who are permitted to log in. known_hosts is a file on the client that contains the public keys of servers that the client verifies. They are not interchangeable.

authorized_keys is like a guest list at a club door (server). known_hosts is like your phone's contact list (client) verifying the club's identity.

known_hostsvsid_rsa (private key)

id_rsa (or id_ed25519, etc.) is a user's private key used for client authentication, stored on the client machine. known_hosts contains server public keys, not user private keys. They are used in different phases of the SSH handshake.

Your private key (id_rsa) is like your national ID card you show to prove who you are. known_hosts is like the police database that verifies the officer's badge (server) is real.

known_hostsvsssh_config

ssh_config is a configuration file that sets options for the SSH client, such as port number, user, and host key checking policies. known_hosts is a data file that stores the actual host keys. One is configuration, the other is a database of trust.

ssh_config is like the settings menu on your phone that decides whether to ask before using data. known_hosts is like the actual list of trusted contacts.

known_hostsvsssh-keyscan

ssh-keyscan is a command-line tool used to retrieve public host keys from remote servers. It does not store anything; it outputs the keys to stdout. known_hosts is the file where those keys are stored. They work together but are distinct.

ssh-keyscan is like a camera that takes a picture (key) of a server. known_hosts is the physical photo album where you store that picture.

Step-by-Step Breakdown

1

Client initiates SSH connection

The user runs a command like 'ssh user@server.example.com'. The SSH client software starts and begins the transport layer protocol handshake with the server.

2

Server sends its public host key

During the key exchange phase, the server sends its public host key (or a certificate) to the client. This key uniquely identifies the server and is part of the SSH host key pair generated when the SSH daemon is installed.

3

Client checks known_hosts file

The client looks up the server's hostname (or IP address) in its known_hosts file (typically ~/.ssh/known_hosts). It checks if there is an entry matching that host and whether the key matches exactly.

4

Decision based on match result

If the key matches, the connection proceeds to authentication. If the key does not match, the client warns the user with a 'host key changed' message and terminates the connection by default. If no entry exists, the client prompts the user to accept the unknown key (if StrictHostKeyChecking is 'ask' or 'yes').

5

User accepts or rejects a new key

If the user accepts a new key, the client appends the server's hostname, key type, and public key to the known_hosts file. This entry will be used for future verifications. If the user rejects, the connection is aborted.

6

Ongoing management and rotation

When a server's host key is changed (e.g., after an OS reinstall), the old entry in known_hosts must be removed (using ssh-keygen -R) before a successful connection can be made. Alternatively, administrators can pre-populate known_hosts with keys from authenticated sources.

Practical Mini-Lesson

The known_hosts file is a cornerstone of SSH security, but it requires understanding and active management. As an IT professional, you will encounter it in daily operations, automation, and troubleshooting. Let's walk through a deep dive into what you really need to know.

First, understand the file location and permissions. The user-level file is at ~/.ssh/known_hosts. The system-wide file is at /etc/ssh/ssh_known_hosts. Both should have permissions 644 (owner read/write, group/others read) to ensure they are not tampered with. The ~/.ssh directory should have permissions 700, and the files inside should be 600 or 644. Incorrect permissions can cause SSH to ignore the file.

The file format: each line contains three fields: the host specification (which can be a hostname, IP, [hostname]:port, or a hashed hostname), the key type (e.g., ecdsa-sha2-nistp256, ssh-ed25519, ssh-rsa), and the Base64-encoded public key. For example: server.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF...

Hashed hostnames look like |1|$salt|$hash and protect privacy. You can generate them with ssh-keyscan -H.

In practice, you will use several commands. ssh-keyscan retrieves keys from remote servers. Use it to populate known_hosts for all clients. For example: ssh-keyscan server.example.com >> ~/.ssh/known_hosts. But be careful: if the network is compromised, ssh-keyscan itself could be fooled. Always verify keys out-of-band in high-security environments.

ssh-keygen -R hostname removes a key. ssh-keygen -F hostname finds a key in known_hosts. ssh-keygen -H hashes all hostnames in the file. These are essential for cleanup and management.

The StrictHostKeyChecking directive in ssh_config controls behavior. 'ask' (default) prompts the user. 'yes' will terminate connection if the key is unknown or changed-very secure but can break automation. 'accept-new' will automatically accept unknown keys but will still warn on changed keys. 'no' disables all checking-dangerous. For automation, many administrators set StrictHostKeyChecking to 'accept-new' combined with pre-populating known_hosts, or they use SSH certificates.

What can go wrong? A common problem is that the known_hosts file accumulates many entries over time, including keys for servers that no longer exist. This can cause confusion when IP addresses are reused. Also, if a user has multiple known_hosts files (e.g., from different config files), SSH may not check the one you expect. Use the -v flag with SSH to see which known_hosts file is being checked.

For enterprise environments, distribute known_hosts via configuration management. For example, an Ansible playbook can run ssh-keyscan on a list of servers and update a central known_hosts file, which is then synced to all clients. This ensures consistency and reduces the chance of a host key warning appearing at a critical moment.

Finally, remember that known_hosts is not a complete security solution. It uses a trust-on-first-use model, which is vulnerable if the first connection is intercepted. For higher assurance, use SSH certificates signed by a trusted certificate authority (CA). The known_hosts file can then be bypassed in favor of the CA trust store. But even with certificates, understanding known_hosts is still important for backward compatibility and troubleshooting.

Troubleshooting Clues

Symptom:

Symptom:

Symptom:

Symptom:

Memory Tip

Known_hosts = 'Hosts you know'. It's like a contact list of servers. If a server changes its key, you know something's up. Authorized_keys = 'Keys that authorize users'-they are on the server, not the client.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)
XK0-005XK0-006(current version)

Related Glossary Terms

Quick Knowledge Check

1.What is the primary purpose of the known_hosts file?

2.Which command removes the entry for a server named 'db1' from known_hosts?

3.A user sets StrictHostKeyChecking to 'no' in their SSH config. What is the security implication?