Keywords: SSH | known_hosts | public_key_authentication
Abstract: This technical paper provides an in-depth analysis of adding a remote Linux server's SSH host public key to the known_hosts file on another Linux server. It begins by examining the standard format requirements, including the host identifier prefix and key type declaration. The paper then details the use of the ssh-keyscan tool for automatically generating correctly formatted entries. Special considerations for systems with HashKnownHosts enabled are discussed, such as rehashing the file with ssh-keygen -Hf. By comparing manual editing with automated approaches, the paper emphasizes format compatibility and security best practices to help system administrators avoid common configuration errors.
Understanding the known_hosts File Format
In the SSH protocol, the known_hosts file stores public keys of remote hosts for connection authenticity verification. The standard format requires each entry to begin with a host identifier, which can be an IP address or hostname, followed by the key type and public key content. For example, a typical entry appears as: 11.22.33.44 ssh-rsa AADGD.... It is crucial to remove any comments from the original public key file (usually usernames or descriptions separated by spaces) when adding to known_hosts, as retaining them can cause format errors.
Automating Entry Generation with ssh-keyscan
To avoid format errors from manual editing, the ssh-keyscan tool is recommended. This command automatically connects to the target server, retrieves its public key, and generates an entry compliant with the known_hosts format. The basic usage is: ssh-keyscan server-name >> ~/.ssh/known_hosts. The -t parameter can specify key types, such as rsa, dsa, or ecdsa. This method not only ensures correct formatting but also prevents selecting the wrong key when servers support multiple key types.
Special Handling for HashKnownHosts Configuration
Some Linux distributions, like Debian and Ubuntu, enable the HashKnownHosts yes option by default, which hashes host identifiers in the known_hosts file for enhanced privacy. In this configuration, adding plaintext entries directly may not work. It is necessary to execute ssh-keygen -Hf ~/.ssh/known_hosts to rehash the file. This command hashes every host identifier in place, ensuring new additions align with the existing hashed format; the unhashed original is kept as ~/.ssh/known_hosts.old, which should be deleted once the rehashed file has been verified, since it still reveals the host names.
Security Considerations and Alternative Approaches
While ssh-keyscan is the recommended method, in certain automation scenarios, using the SSH command itself to manage known_hosts can be considered. For instance, running ssh -o StrictHostKeyChecking=no server-name ls automatically adds the public key on the first connection. However, this approach requires caution, as StrictHostKeyChecking=no bypasses host verification, posing a risk of man-in-the-middle attacks. It should only be used temporarily in trusted networks or automation scripts.
Common Errors and Troubleshooting Tips
When manually editing the known_hosts file, common errors include retaining public key comments, missing host identifier prefixes, or mismatched key types. These often lead to SSH connection failures with messages like "Host key verification failed". After modifications, it is advisable to test connections using ssh -v for verbose output to identify specific errors. For duplicate entry issues, the sort -u command can deduplicate: sort -u ~/.ssh/known_hosts -o ~/.ssh/known_hosts.
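The following is an added example, not code from the original paper: a small standard-library Python checker for the entry format described above, the "mismatched key type" error listed here, the SHA256 fingerprint form that ssh-keygen -lf prints, and the |1|salt|hash host field written under HashKnownHosts. The sample key blob at the bottom is constructed (an ed25519 type string followed by zero bytes), not a real server key.

```python
# Added example: validate known_hosts entries, print fingerprints, handle HashKnownHosts.
import base64
import hashlib
import hmac
import os
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_entry(line):
    """Split '[marker] hosts keytype base64-key [comment]'; raise ValueError on common mistakes."""
    fields = line.split()
    marker = fields.pop(0) if fields and fields[0].startswith("@") else None
    if len(fields) < 3:
        raise ValueError("missing host prefix, key type or key")
    hosts, keytype, key_b64 = fields[:3]
    if keytype not in KEY_TYPES:
        raise ValueError("unknown key type: " + keytype)
    blob = base64.b64decode(key_b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])  # wire format: uint32 length + type string
    embedded = blob[4:4 + n].decode()
    if embedded != keytype:                # the "mismatched key type" error
        raise ValueError("blob is %s, not %s" % (embedded, keytype))
    return {"marker": marker, "hosts": hosts.split(","), "keytype": keytype,
            "key": key_b64, "comment": " ".join(fields[3:]) or None}

def fingerprint(key_b64):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (base64, no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(hostname, salt=None):
    """Build the |1|salt|hmac host field that HashKnownHosts / ssh-keygen -H writes."""
    salt = salt or os.urandom(20)           # ssh uses a 20-byte salt with HMAC-SHA1
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(entry_host, hostname):
    """True if a plain or hashed host field refers to hostname."""
    if not entry_host.startswith("|1|"):
        return hostname in entry_host.split(",")
    _, _, salt_b64, mac_b64 = entry_host.split("|")
    mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), mac_b64)

# Constructed sample (not a real server key): ed25519 type string + 32 zero bytes.
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_KEY = base64.b64encode(_BLOB).decode()
SAMPLE_LINE = "11.22.33.44 ssh-ed25519 " + SAMPLE_KEY
```

Running parse_entry over each line of a hand-edited known_hosts file reports the exact line and reason before ssh fails with "Host key verification failed", and comparing fingerprint() against a value obtained out of band is the check that ssh-keyscan alone does not perform.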