How to remove or update a single entry from the SSH known_hosts file

0 Comments

SSH holds fingerprints of your remote machines in the known_hosts file. Sometimes you might need to remove or update one of those entries. Jack Wallen shows you how.

data security

Image: Anawat Sudchanham/EyeEm/Getty Images

More about open source

The SSH known_hosts file contains fingerprints (generated from the remote machines SSH key) of the known machines you’ve logged into. If you SSH into a machine for the first time, you will be asked if you want to save that hosts’ fingerprint. Consider this file your personal SSH certificate authority. One reason this file is important is that it might prevent you from logging in to a different machine with the same IP address. Say, for example, someone has compromised one of the servers on your network. You’ve previously logged in to that machine with SSH, but the hackers have re-directed the IP address to another machine. Should that happen, and you attempt to log into the machine with the same IP address, SSH will fail because of a mismatch on the SSH keys. 

SEE: Security incident response policy (TechRepublic Premium)

That’s a bit of an extreme example, but it illustrates why known_hosts is important. It also illustrates a reason you might need to remove an entry from the file. Say, you’ve migrated your database server to a different IP. Your known_hosts file still has the key from the previous IP, so when you try to log into the new IP address, SSH will complain. Instead of clearing out the entire known_hosts file, you could simply remove that one line. 

Let me show you how.

What you’ll need

To make this work, you’ll need a machine running SSH with entries in the known_hosts file. That’s it. Let’s make this happen.

How to remove a single entry from known_hosts

Log in to the machine housing the known_hosts file. Let’s say the IP address associated with the entry to be removed is 192.168.1.71. To remove that line we’ll use the ssh-keygen command like so:

ssh-keygen -f ~/.ssh/known_hosts -R 192.168.1.71

The entry associated with 192.168.1.71 will be removed and a new backup copy of known_hosts will be saved as known_hosts_old. You can test this by removing the entry and then logging back into 192.168.1.71. You should be asked if you want to save the ECDSA key fingerprint for the remote host. If that happens, congratulations! You’ve successfully removed that single entry from known_hosts.

How to update an entry

Let’s say you’d rather not remove the entry but, instead, you’d simply like to update one. You can do that with the ssh-keyscan command. Let’s update the same server at the 192.168.1.71 IP address with the command:

ssh-keyscan -t ecdsa 192.168.1.71 >> ~/.ssh/known_hosts

This time, when you go to log into that IP address, you won’t be asked to save the fingerprint, because it’s still there (only it’s been updated).

And that’s how you can easily remove or update an entry in the SSH known_hosts file. Don’t just let that file become a garbage dump of entries, as that could wind up being a security issue.

Also see