{"id":7808,"date":"2015-09-10T15:39:54","date_gmt":"2015-09-10T21:39:54","guid":{"rendered":"https:\/\/www.jumpcloud.com\/engineering-blog\/?p=353"},"modified":"2022-05-11T10:42:04","modified_gmt":"2022-05-11T14:42:04","slug":"managing-your-known-hosts-file","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file","title":{"rendered":"Managing your known hosts file"},"content":{"rendered":"\n

When you connect to a web site, you want to be assured that it\u2019s the correct one, and not a fake site pretending to be something it\u2019s not. Imagine if you attempted to go to Amazon but someone managed to intercept your traffic? You could end up providing them your credit card and personal information, and you\u2019d be in a bad spot.<\/p>\n\n\n\n

The same is true for connecting to your remote servers using SSH. When you establish a connection from your client you need to know you’re actually communicating with your server and not someone spoofing your server and capturing your sensitive data. This is known as a \u201cman-in-the-middle\u201d attack.<\/p>\n\n\n\n

A man-in-the-middle attack is one where a bad guy has managed to insert themselves into the communication chain between you and your server. Note that this isn\u2019t all that unreasonable \u2014 network traffic typically jumps through several relay points before reaching its destination. If someone malicious is at one of those points listening for interesting traffic, they can pretend to be your remote server and steal your confidential information. They can even act as you on the remote server after you\u2019ve established your identity to it!<\/p>\n\n\n\n

So how do we prevent these attacks? We need to have a secure mechanism for identifying the other server \u2014 sounds like a perfect job for public key authentication. Basically if SSH has the remote server\u2019s public key, it can establish identity by requesting that the remote server sign a chunk of data with the associated private key. This is exactly analogous to the ceremony used by the remote ssh server to establish the user\u2019s identity subsequently, as seen in this webinar.<\/a><\/p>\n\n\n\n

Your SSH client has a list of these remote hosts\u2019 public keys stored in a \u201cknown_hosts\u201d file. By default each user has their own instance of this file, living under their home directory in ~\/.ssh\/known_hosts. With every remote connection it uses these keys to securely establish the identity of the remote host. If the keys don\u2019t match, you see this scary warning.<\/p>\n\n\n\n\n\n\n\n


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for test_machine has changed,
and the key for the corresponding IP address 54.86.96.53
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
81:c0:f0:b1:2f:e2:9d:69:93:7f:2b:47:44:8d:29:8a.
Please contact your system administrator.
Add correct host key in \/Users\/topher\/.ssh\/known_hosts to get rid of this message.
Offending RSA key in \/Users\/topher\/.ssh\/known_hosts:4
RSA host key for test_machine has changed and you have requested strict checking.
Host key verification failed.<\/p>\n\n\n\n<\/code>\n\n\n\n


At least they make it very clear that something is amiss!<\/p>\n\n\n\n

One fundamental question is \u201chow does this file get populated?\u201d Since this trust relationship is so important, how do we add new servers to the list?<\/p>\n\n\n\n

When you first connect to a new SSH server, your SSH client will let you know it doesn\u2019t know who this server is, and ask you if you want to trust it. Provided that you do trust it, it will add the key to the known_hosts file and subsequent connections will be based on this known identity.
—–
The authenticity of host \u2019test_machine (157.166.226.25)’ can’t be established.
RSA key fingerprint is 81:c0:f0:b1:2f:e2:9d:69:93:7f:2b:47:44:8d:29:8a.
Are you sure you want to continue connecting (yes\/no)? yes
Warning: Permanently added ‘test_machine, 157.166.226.25’ (RSA) to the list of known hosts.
—–<\/p>\n\n\n\n

See the problem here? How do you know the machine is correct on that first connection? What if an attacker is already in between you and the machine, and capturing everything? You\u2019re about to say you trust the incoming public key for all time. A MitM attack here can permanently compromise that machine and your communication with it.<\/p>\n\n\n\n

We need to have an \u201cout-of-band\u201d mechanism for delivering the public keys. While the SSH client will automatically populate the known_hosts with new hosts, this is a convenience mechanism that breaks security. Your user should already have this validation mechanism in place the first time they connect, which means the known_hosts must be pre-populated.<\/p>\n\n\n\n

You could do this manually \u2014 for every new server (and new user) securely copy the known hosts to the users\u2019 home directories using something like `scp` or by logging in with a privileged account. Obviously this doesn\u2019t scale very well, but it\u2019s a good quick solution.<\/p>\n\n\n\n

Configuration managers are another (better) solution. Using something like Puppet or Chef you can make sure that all your users are constantly provided with the latest version of all of their servers public keys. Right now this is probably the best solution, although it does have the risk of making public keys manipulatable by anyone with access to the configuration manager scripts.<\/p>\n\n\n\n

Finally, you can put the onus on the users. Public keys are safe to share so long as you know to trust them. One alternative is that you, as operational manager, sends out a list of hosts public keys (or a known_hosts file) that is signed with your own private key. Assuming your colleagues have and trust your public key they can validate the integrity of the message and use it for their own known_hosts file.<\/p>\n\n\n\n

Trust and identity are fundamental to security. Establishing a connection to a remote server is a high-risk activity, and it should be done correctly. Blindly accepting the public key the first time you try to sign in is folly, and could expose you to a man-in-the-middle attack. Be sure to use one of the mechanisms above to propagate a server\u2019s public key \u201cout of band\u201d to securely establish identity in your network.<\/p>\n","protected":false},"excerpt":{"rendered":"

When you connect to a web site, you want to be assured that it\u2019s the correct one, and not a fake site pretending to be something it\u2019s not.<\/p>\n","protected":false},"author":30,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"categories":[42],"tags":[],"collection":[2775],"platform":[],"funnel_stage":[3015],"coauthors":[2516],"acf":[],"yoast_head":"\nManaging your known hosts file - 探花大神<\/title>\n<meta name=\"description\" content=\"When you connect to a web site, you want to be assured that it\u2019s the correct one, and not a fake site pretending to be something it\u2019s not.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Managing your known hosts file\" \/>\n<meta property=\"og:description\" content=\"When you connect to a web site, you want to be assured that it\u2019s the correct one, and not a fake site pretending to be something it\u2019s not.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file\" \/>\n<meta property=\"og:site_name\" content=\"探花大神\" \/>\n<meta property=\"article:published_time\" content=\"2015-09-10T21:39:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-05-11T14:42:04+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/01\/jumpcloud-logo-2023.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"627\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Greg Keller\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Greg Keller\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file#article\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file\"},\"author\":{\"name\":\"Greg Keller\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/33bf05bce1792138e1fac8878933c1f6\"},\"headline\":\"Managing your known hosts file\",\"datePublished\":\"2015-09-10T21:39:54+00:00\",\"dateModified\":\"2022-05-11T14:42:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file\"},\"wordCount\":874,\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file\",\"url\":\"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file\",\"name\":\"Managing your known hosts file - 探花大神\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"datePublished\":\"2015-09-10T21:39:54+00:00\",\"dateModified\":\"2022-05-11T14:42:04+00:00\",\"description\":\"When you connect to a web site, you want to be assured that it\u2019s the correct one, and not a fake site pretending to be something it\u2019s not.\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Managing your known hosts file\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"探花大神\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"探花大神\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"探花大神\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/33bf05bce1792138e1fac8878933c1f6\",\"name\":\"Greg Keller\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/bb829f9c68b309c7d66b61d4436f8afa\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/1329dd1fe0f66c8a37039a19f3169d11?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/1329dd1fe0f66c8a37039a19f3169d11?s=96&d=mm&r=g\",\"caption\":\"Greg Keller\"},\"description\":\"探花大神 CTO, Greg Keller is a career product visionary and executive management leader. With over two decades of product management, product marketing, and operations experience ranging from startups to global organizations, Greg excels in successful go-to-market execution.\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Managing your known hosts file - 探花大神","description":"When you connect to a web site, you want to be assured that it\u2019s the correct one, and not a fake site pretending to be something it\u2019s not.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file","og_locale":"en_US","og_type":"article","og_title":"Managing your known hosts file","og_description":"When you connect to a web site, you want to be assured that it\u2019s the correct one, and not a fake site pretending to be something it\u2019s not.","og_url":"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file","og_site_name":"探花大神","article_published_time":"2015-09-10T21:39:54+00:00","article_modified_time":"2022-05-11T14:42:04+00:00","og_image":[{"width":1200,"height":627,"url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/01\/jumpcloud-logo-2023.png","type":"image\/png"}],"author":"Greg Keller","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Greg Keller","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file#article","isPartOf":{"@id":"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file"},"author":{"name":"Greg Keller","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/33bf05bce1792138e1fac8878933c1f6"},"headline":"Managing your known hosts file","datePublished":"2015-09-10T21:39:54+00:00","dateModified":"2022-05-11T14:42:04+00:00","mainEntityOfPage":{"@id":"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file"},"wordCount":874,"publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"articleSection":["News"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file","url":"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file","name":"Managing your known hosts file - 探花大神","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"datePublished":"2015-09-10T21:39:54+00:00","dateModified":"2022-05-11T14:42:04+00:00","description":"When you connect to a web site, you want to be assured that it\u2019s the correct one, and not a fake site pretending to be something it\u2019s not.","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/blog\/managing-your-known-hosts-file#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"Managing your known hosts file"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"探花大神","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"探花大神","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"探花大神"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/33bf05bce1792138e1fac8878933c1f6","name":"Greg Keller","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/bb829f9c68b309c7d66b61d4436f8afa","url":"https:\/\/secure.gravatar.com\/avatar\/1329dd1fe0f66c8a37039a19f3169d11?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1329dd1fe0f66c8a37039a19f3169d11?s=96&d=mm&r=g","caption":"Greg Keller"},"description":"探花大神 CTO, Greg Keller is a career product visionary and executive management leader. With over two decades of product management, product marketing, and operations experience ranging from startups to global organizations, Greg excels in successful go-to-market execution."}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/7808"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/30"}],"replies":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/comments?post=7808"}],"version-history":[{"count":2,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/7808\/revisions"}],"predecessor-version":[{"id":62882,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/7808\/revisions\/62882"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=7808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/categories?post=7808"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/tags?post=7808"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/collection?post=7808"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/platform?post=7808"},{"taxonomy":"funnel_stage","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/funnel_stage?post=7808"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=7808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}