How to remove or update a single entry from the SSH known_hosts file

2 years ago 302

SSH holds fingerprints of your distant machines successful the known_hosts file. Sometimes you mightiness request to region oregon update 1 of those entries. Jack Wallen shows you how.

data security

Image: Anawat Sudchanham/EyeEm/Getty Images

The SSH known_hosts record contains fingerprints (generated from the distant machines SSH key) of the known machines you've logged into. If you SSH into a instrumentality for the archetypal time, you volition beryllium asked if you privation to prevention that hosts' fingerprint. Consider this record your idiosyncratic SSH certificate authority. One crushed this record is important is that it mightiness forestall you from logging successful to a antithetic instrumentality with the aforesaid IP address. Say, for example, idiosyncratic has compromised 1 of the servers connected your network. You've antecedently logged successful to that instrumentality with SSH, but the hackers person re-directed the IP code to different machine. Should that happen, and you effort to log into the instrumentality with the aforesaid IP address, SSH volition neglect due to the fact that of a mismatch connected the SSH keys. 

SEE: Security incidental effect policy (TechRepublic Premium)

That's a spot of an utmost example, but it illustrates wherefore known_hosts is important. It besides illustrates a crushed you mightiness request to region an introduction from the file. Say, you've migrated your database server to a antithetic IP. Your known_hosts record inactive has the cardinal from the erstwhile IP, truthful erstwhile you effort to log into the caller IP address, SSH volition complain. Instead of clearing retired the full known_hosts file, you could simply region that 1 line. 

Let maine amusement you how.

What you'll need

To marque this work, you'll request a instrumentality moving SSH with entries successful the known_hosts file. That's it. Let's marque this happen.

How to region a azygous introduction from known_hosts

Log successful to the instrumentality lodging the known_hosts file. Let's accidental the IP code associated with the introduction to beryllium removed is 192.168.1.71. To region that enactment we'll usage the ssh-keygen bid similar so:

ssh-keygen -f ~/.ssh/known_hosts -R 192.168.1.71

The introduction associated with 192.168.1.71 volition beryllium removed and a caller backup transcript of known_hosts volition beryllium saved arsenic known_hosts_old. You tin trial this by removing the introduction and past logging backmost into 192.168.1.71. You should beryllium asked if you privation to prevention the ECDSA cardinal fingerprint for the distant host. If that happens, congratulations! You've successfully removed that azygous introduction from known_hosts.

How to update an introduction

Let's accidental you'd alternatively not region the introduction but, instead, you'd simply similar to update one. You tin bash that with the ssh-keyscan command. Let's update the aforesaid server astatine the 192.168.1.71 IP code with the command:

ssh-keyscan -t ecdsa 192.168.1.71 >> ~/.ssh/known_hosts

This time, erstwhile you spell to log into that IP address, you won't beryllium asked to prevention the fingerprint, due to the fact that it's inactive determination (only it's been updated).

And that's however you tin easy region oregon update an introduction successful the SSH known_hosts file. Don't conscionable fto that record go a garbage dump of entries, arsenic that could upwind up being a information issue.

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also spot

Read Entire Article