Decoding SSH known_hosts: Understanding Host Key Formats, Hashing, and Key Verification

A typical known_hosts entry contains three main components:

[hostname_or_hash] [key_type] [public_key]

The mysterious |1|...= prefix is actually a hashed representation of the hostname:

|1|base64_salt|base64_hmac_of_hostname key_type public_key

How OpenSSH computes the hash field (the salt is 20 random bytes; both the salt and the resulting digest are stored Base64-encoded):

HMAC-SHA1(
  key: base64_decode(salt),
  data: hostname
)

Hostname hashing in known_hosts serves two purposes:

  • Prevents hostname leakage if the file is compromised
  • Maintains security while allowing host verification

You can hash all existing plaintext entries in place (ssh-keygen rewrites the file and keeps a backup as known_hosts.old):

ssh-keygen -H -f ~/.ssh/known_hosts

Or for a specific host:

ssh-keyscan -H github.com >> ~/.ssh/known_hosts

Here's how to examine an existing entry:

# View all known hosts (hashed)
cat ~/.ssh/known_hosts

# Find a specific host (if not hashed)
grep "github.com" ~/.ssh/known_hosts

To verify a host key manually, print its fingerprint and compare it with the fingerprint the host's operator publishes out of band:

ssh-keyscan github.com | ssh-keygen -lf -

When you get a "Host key verification failed" warning, and you have confirmed out of band that the host's key really did change:

# Remove the old entry
ssh-keygen -R github.com

# Add the new key
ssh-keyscan github.com >> ~/.ssh/known_hosts

For automation scripts where you want to skip verification (not recommended for production):

ssh -o StrictHostKeyChecking=no user@host

Best practices for managing known_hosts:

  • Regularly audit your known_hosts file
  • Consider using VerifyHostKeyDNS when available
  • For critical systems, maintain a curated known_hosts file

When examining a typical known_hosts entry, we see three distinct components separated by spaces:

|1|KnbIIJIPrL/1p7ofUV74sK+j/Gc=|wrjOFnPgoF0afgH0PeRtRqSdgvc= ssh-rsa AAAAB3NzaC1yc2E...

The portion before the key type consists of three pipe-delimited fields:

|1|BASE64_SALT|BASE64_HMAC_OF_HOSTNAME

Where:

  • |1| indicates the hashing scheme (version 1, HMAC-SHA1)
  • The first Base64 string is the random salt used as the HMAC key
  • The second Base64 string is HMAC-SHA1(salt, hostname); the public key itself is not hashed and follows the key type in cleartext
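The hashing described above (and in the HMAC-SHA1 sketch earlier in the post), as an added example in Python that is not part of the original post: it builds a hashed host field with the same construction OpenSSH uses, parses an entry into its fields, and checks whether a hashed line covers a given hostname by recomputing the HMAC with the stored salt. The sample lines, the fixed salt and the placeholder key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return the |1|salt|hmac field OpenSSH writes for a hashed hostname.

    OpenSSH uses 20 random salt bytes (one SHA-1 digest length) as the HMAC
    key; a fixed salt may be passed to make the output reproducible.
    """
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def parse_entry(line: str) -> dict:
    """Split a known_hosts line into host field, key type and public key."""
    fields = line.split(None, 2)
    if len(fields) != 3:
        raise ValueError("malformed known_hosts line: %r" % line)
    host_field, key_type, public_key = fields
    entry = {"hosts": host_field, "key_type": key_type,
             "key": public_key.strip(), "hashed": False}
    if host_field.startswith("|1|"):
        # Accept "|1|salt|hash" with or without a trailing "|".
        _, salt_b64, hash_b64 = host_field.strip("|").split("|")
        entry.update(hashed=True, salt=base64.b64decode(salt_b64),
                     hash=base64.b64decode(hash_b64))
    return entry


def entry_matches(line: str, hostname: str) -> bool:
    """True if the entry covers hostname: recompute the HMAC with the stored
    salt for hashed lines, or scan the comma-separated list for plain ones."""
    entry = parse_entry(line)
    if entry["hashed"]:
        expected = hmac.new(entry["salt"], hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, entry["hash"])
    return hostname in entry["hosts"].split(",")


# Constructed sample data: fixed salt and a placeholder key, not a real host key.
SALT = bytes(range(20))
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER"
HASHED_LINE = hash_hostname("example.com", SALT) + " " + KEY
PLAIN_LINE = "example.com,192.0.2.10 " + KEY

if __name__ == "__main__":
    print(HASHED_LINE)
    print(entry_matches(HASHED_LINE, "example.com"), entry_matches(HASHED_LINE, "example.org"))
```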

SSH provides hostname hashing to:

  • Prevent hostname leakage if the file is compromised
  • Maintain security while still enabling host verification
  • Support rotating hostnames in cloud environments

To look up the entry for a host (matching works against hashed entries too; with -H the result is printed in hashed form):

ssh-keygen -H -F example.com

To generate a new hashed entry:

ssh-keyscan -H example.com >> ~/.ssh/known_hosts

When you see host key verification errors, and you have confirmed out of band that the key change is legitimate, you might need to:

# Remove an existing entry
ssh-keygen -R example.com

# Add new verified key
ssh-keyscan example.com >> ~/.ssh/known_hosts

Things to keep in mind:

  • Hashing prevents casual inspection but isn't encryption
  • Regularly audit your known_hosts file
  • Consider using SSH certificates for better management