
hash known_hosts in Linux

When you use SSH to connect to other hosts, the public host keys you have accepted are stored in a file in your home directory, namely ~/.ssh/known_hosts. Besides the public key, this file also records the hostname or IP address of every server you have connected to. That information can be sensitive if another program or user is able to read the known_hosts file, because it reveals which servers you talk to. One way to protect it is to hash the hostname / IP part of each entry.

To make the SSH client do this, add the following entry to your ssh config. If you cannot change the system-wide configuration, use your per-user config file instead: ~/.ssh/config

HashKnownHosts yes

You can use the following command to append it to your per-user config. Note that ssh_config options apply to the Host block that precedes them, so if your file already contains Host sections, put the line at the top of the file or under a "Host *" block rather than at the end.

echo "HashKnownHosts yes" >> ~/.ssh/config

From now on the SSH client will hash newly added entries automatically. To convert all existing entries as well, run:

ssh-keygen -H -f ~/.ssh/known_hosts

ssh-keygen keeps the unhashed original as ~/.ssh/known_hosts.old. Check that the conversion was successful (every host field in ~/.ssh/known_hosts should now start with |1|, and ssh-keygen -F <hostname> -f ~/.ssh/known_hosts should still find your servers) and only then delete the old file:

rm ~/.ssh/known_hosts.old
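What ssh-keygen -H actually writes, as an added example that is not part of the original post: each host field becomes |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)), so whoever reads the file can only test a guessed hostname against an entry, never read the name back. The Python below reproduces that format and a lookup in the style of ssh-keygen -F over a constructed sample file (the host names and the key value are made up).

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

HASH_MAGIC = "|1|"  # prefix OpenSSH uses for hashed host fields in known_hosts


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Build a hashed host field as ssh-keygen -H writes it: |1|b64(salt)|b64(mac)."""
    # mac = HMAC-SHA1(key=salt, msg=hostname); a fresh 20-byte salt per entry means the
    # same host hashes differently in every file, so no precomputed lookup table works.
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def host_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain or hashed) names hostname."""
    if not host_field.startswith(HASH_MAGIC):
        return hostname in host_field.split(",")  # plain entries may list several names
    try:
        salt_b64, digest_b64 = host_field[len(HASH_MAGIC):].split("|", 1)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:
        return False  # malformed hashed field
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def find_host(known_hosts_text: str, hostname: str) -> List[str]:
    """Return the key lines belonging to hostname, the way ssh-keygen -F finds them."""
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # skip a leading @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 3 and host_matches(fields[0], hostname):
            found.append(line)
    return found


# Constructed sample file: one plain entry and one hashed entry; the key value is fake.
FAKE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedFakeKeyValueNotReal0000"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "git.example.com,192.0.2.10 " + FAKE_KEY,
    hash_hostname("db.example.com", salt=bytes(range(20))) + " " + FAKE_KEY,
])
```

Running find_host against your own ~/.ssh/known_hosts after the conversion is a quick way to confirm that a hashed file still resolves the servers you expect.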