Image of the glider from the Game of Life by John Conway
Skip to content

SSH Known Hosts Fingerprints and Hostnames

i just came across this today, so I thought I'd share. It's been more than a month since my last post (which is really out of my element), so I'm definitely due. However, I make no promises about making more frequent posts in the future.

Today, someone came into the #unix channel on Freenode asking how they could extract the fingerprints out of the hosts in their ~/.ssh/known_hosts file. I didn't know, so I dug through the man page for ssh-keygen, and found this:

     -f filename
             Specifies the filename of the key file.

     -l      Show fingerprint of specified public key file.  Private RSA1 keys
             are also supported.  For RSA and DSA keys ssh-keygen tries to find
             the matching public key file and prints its fingerprint.  If
             combined with -v, an ASCII art representation of the key is
             supplied with the fingerprint.

So, I ran "ssh-keygen -lf ~/.ssh/known_hosts", and this was the output (truncated to 13 out of 305 hosts):

2048 0e:2f:c4:3f:11:86:45:5d:4a:f8:a7:a6:c6:bb:04:f4 |1|qE2muY+C6GhzdVv20z6rGNbL6TY=|okzJFiBkpOMm2u33ygisBgO63bs= (RSA)
2048 0e:2f:c4:3f:11:86:45:5d:4a:f8:a7:a6:c6:bb:04:f4 |1|Pt2nF/mO8PWNVFT7fBgGxkCfFz8=|3mM7fAOVUvfB0tuEeO5bzwRdO20= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|UHlVwxTRMPhsWM2rg/sXCjzDWug=|ArerYuge2W4NoljJ5fvgzf1wmpg= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|j0L5rCKoIbyz13t+7Zsu57y4jLs=|fHcylAV+0zqMKs8MriIX8i5S8bM= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|3HP8wfop73R6VYXOAxMKwCnlU6Y=|05lCXAbLrac4XSocPhI4oJaa7J0= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|INI05isdfVGnWY4H47j/FFL7OPI=|4zFlfNYfFe+kYsqupGzOjhcyzFM= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|WTZzXsWERX2BEXHuvjgJPlUF+T0=|ohrpuqni56UYtV0kCvcVJLhf9ug= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|fwCYfyN1k/+Hf0Jnt8LuHhxNgG4=|B7PLeP2YbjuglkxCAt2fr+A7Z3s= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|KcZCPAkZgxvm0rE1drgzT4KhBnk=|AyFmNCZvvH7yaEtqgLRV8z7ahlQ= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|oyLpDFv8/DmOYh3M9qeIT+K4ChU=|v5+ejn7XzhbWR6Cjj7YUr1v1pTI= (RSA)
2048 e7:13:81:0a:e0:9f:95:d5:ed:d3:86:93:da:5f:4b:ca |1|CLxr/50w6rVc3LC7vO6bNRbfKIE=|FopfmJdGm3pcxxlV31tvF4MP6pU= (RSA)
2048 e7:13:81:0a:e0:9f:95:d5:ed:d3:86:93:da:5f:4b:ca |1|FUWVoBHcJdztemRCRN+lJB9/9JE=|ePT0hoPdZsaN7SLtJgyiNHa0V1I= (RSA)
2048 6c:00:05:12:94:7e:6a:3f:96:8b:78:9d:1f:89:3c:7a |1|eCK/la051b7TQVyJo8+LHu3iVpU=|a92e1TT8q7kykBaF5DZXNKieTXs= (RSA)

Cool, except how do I know which key belongs to which host? Well, apparantly Debian GNU/Linux (and likely Ubuntu) hashes the hostname and/or IP address before adding it to the known_hosts file. Of course, because it's hashed, there isn't an inverse function to get the hostname and/or IP address back, so you would have to remove those entries, and reconnect to your hosts if you wanted to see them.

Why are they hashed, I wondered? It didn't take long for me to realize that your known_hosts file might be accessible to everyone on the system. Because they too could run "ssh-keygen -lf known_hosts", they could see what hosts/IPs you've connected to, and use that against you. So, it makes sense to hash that information, if you really don't need it.

I have 305 hosts in my personal known_host file, and I noticed a lot of IP addresses and hostnames in the file. Then I realized these all came from RHEL 5. So, why is Debian GNU/Linux hashing the hostname/IP, but RHEL is not? Check out your "/etc/ssh/ssh_config" file. On Debian, you will see the last four lines as something similar to:

    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

Notice the "HashKnowHosts yes" option? Yup, that's your culprit. Check on RHEL and Fedora, it's not even listed in the file. Of course, you can override this behavior by placing the configuration option in your "~/.ssh/config" file. Also, if you're on a Fedora-based operating system, and you want to hash your hosts, you can make the change rather easy. According to the ssh-keygen man page:

     −H      Hash a known_hosts file.  This replaces all hostnames and
             addresses with hashed representations within the specified file;
             the original content is moved to a file with a .old suffix.  These
             hashes may be used normally by ssh and sshd, but they do not
             reveal identifying information should the file's contents be
             disclosed.  This option will not modify existing hashed hostnames
             and is therefore safe to use on files that mix hashed and
             non-hashed names.

So, pull up your terminal, and type:

ssh-keygen -H && rm ~/.ssh/known_hosts.old

This will hash all the hosts as well as rename the known_hosts file to "known_hosts.old". Of course, remove that file to prevent people from getting access to the hosts you connect to after making the change.

Hope this is helpful to someone somewhere.

{ 7 } Comments

  1. Kevin using Firefox 3.6.12 on Ubuntu | December 5, 2010 at 12:12 am | Permalink

    if you do

    ssh-keygen -lf ~/.ssh/known_hosts -F hostname

    it will only list ones that match the hostname. This work even when the hostnames are hashed.

  2. jimcooncat using Firefox 2.0.0.22pre on Ubuntu | December 5, 2010 at 3:20 am | Permalink

    "It didn’t take long for me to realize that your known_hosts file might be accessible to everyone on the system."
    On my Ubuntu system, permissions for that file are -rw-r--r--

    I don't believe that the ssh package has anything to do with this, but that Ubuntu (and other distros) makes user home directories readable by other users.
    http://wwww.ubuntuforums.org/showthread.php?t=1210175

    So I'm guessing that because of this *stupid* default, the folks that write ssh decided it was best to hash known_hosts and make it harder to deal with?

    It's simple to pick "encrypted home directories" when installing a system, why shouldn't it be simple to pick "private home directories", without encryption?

    Just ranting to the world, Aaron. But I hope it sparks more discussion on this issue. Programs shouldn't have to be made harder to use because distros don't care about security.

  3. Aaron using Google Chrome 9.0.597.0 on Mac OS | December 5, 2010 at 8:10 am | Permalink

    @Kevin- Very good. Thank you!

    @jimcooncat- I was trying to be nice about it, however Fedora-based operating systems should be hashing the hosts, rather than leaving them in plain text. Debian (and as a result Ubuntu) are doing the right thing here. Yes, you could have your home directory with permissions "drwx------" if you wanted, and I understand that thinking, especially on multiuser environments. I prefer the hashing mechanism, especially after learning "ssh-keygen -lf ~/.ssh/known_hosts -F hostname".

  4. Sven using Debian IceWeasel 3.6.12 on GNU/Linux | December 5, 2010 at 9:13 am | Permalink

    Hashing the hostnames in known_hosts has one drawback (at least for me): tab-completion the hostname while using scp, sftp and ssh does no longer work.

  5. Alex using Firefox 3.6.12 on Ubuntu 64 bits | December 5, 2010 at 2:44 pm | Permalink

    Umm...I'm pretty sure that "ssh-keygen -H && rm ~/.ssh/known_hosts.old" (taken as a whole) will not have the effect of renaming known_hosts to known_hosts.old.

  6. Aaron using Google Chrome 6.0.472.63 on GNU/Linux | December 5, 2010 at 6:56 pm | Permalink

    @Alex- "ssh-keygen -H' already renames the file. The point of removing it, is so you don't leave anything behind that could compromised.

  7. cdmiller using Firefox 10.0.2 on Mac OS | March 7, 2012 at 1:26 pm | Permalink

    Thanks. I was looking for the fingerprint of my own machine, now I realize that I can get it with:
    ssh-keygen -l -f .ssh/id_rsa.pub

{ 2 } Trackbacks

  1. [...] This post was mentioned on Twitter by toorghezi, Ubuntu World Wide. Ubuntu World Wide said: #ubuntu #linux Aaron Toponce: SSH Known Hosts Fingerprints and Hostnames: i just came across this today, so I th... http://bit.ly/eBsPDJ [...]

  2. [...] SSH Known Hosts Fingerprints and Hostnames [...]

Post a Comment

Your email is never published nor shared.

Switch to our mobile site