What is actually in known_hosts?

To add to the answer above and your comment, There are four building blocks for ssh session

  1. Encryption( symmetric keys derived after key exhange per session)
  2. Data integrity (MAC using eg SHA,HMAC )
  3. Key exchange methods
  4. Public key methods or host key methods

the SSH algorithm negotiation involves a key exchange state machine which begins when the SSH_MSG_KEXINIT message along with algorithms list is sent.

The key exchange method or simply kex specifies session keys for encryption and host authentication host public keys(ssh-rsassh-dss ..) that are sent to the client. The step below are the basic steps that take place for kex using Diffie hellman key exchange algorithm

quoting the RFC https://www.rfc-editor.org/rfc/rfc4253

The following steps are used to exchange a key. In this, C is the client; S is the server; p is a large safe prime; g is a generator for a subgroup of GF(p); q is the order of the subgroup; V_S is S’s identification string; V_C is C’s identification string; K_S is S’s public host key; I_C is C’s SSH_MSG_KEXINIT message and I_S is S’s SSH_MSG_KEXINIT message that have been exchanged before this part begins.

  1. C generates a random number x (1 < x < q) and computes e = g^x mod p. C sends e to S.

  1. S generates a random number y (0 < y < q) and computes f = g^y mod p. S receives e. It computes K = e^y mod p, H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K) (these elements are encoded according to their types; see below), and signature s on H with its private host key. S sends (K_S || f || s) to C. The signing operation may involve a second hashing operation.

  1. C verifies that K_S really is the host key for S (e.g., using certificates or a local database). C is also allowed to accept the key without verification; however, doing so will render the protocol insecure against active attacks (but may be desirable for practical reasons in the short term in many environments). C then computes K = f^x mod p, H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K), and verifies the signature s on H.

the local database mentioned in step three in certain systems could be the .ssh/known_hosts file. So to answer your question the public key is sent to the client by the host during the key-exchange.

The following public key and/or certificate formats are currently defined:

ssh-dss REQUIRED sign Raw DSS Key

ssh-rsa RECOMMENDED sign Raw RSA Key

pgp-sign-rsa OPTIONAL sign OpenPGP certificates (RSA key)

pgp-sign-dss OPTIONAL sign OpenPGP certificates (DSS key)

Related Posts:

  1. Git: How to solve Permission denied (publickey) error when using Git?
  2. Putty: Getting Server refused our key Error
  3. Copying a local file from Windows to a remote server using scp
  4. ssh: The authenticity of host ‘hostname’ can’t be established
  5. ssh “permissions are too open” error
  6. Permission denied (publickey,keyboard-interactive)
  7. How to deal with “Pseudo-terminal will not be allocated because stdin is not a terminal.”
  8. ‘heroku’ does not appear to be a git repository
  9. How to solve “sign_and_send_pubkey: signing failed: agent refused operation”?
  10. How to fix request failed on channel 0
  11. How to scp in Python?
  12. Forward X11 failed: Network error: Connection refused
  13. PuTTY PSCP error “Local to local copy not supported” when username contains a slash
  14. Starting ssh-agent on Windows 10 fails: “unable to start ssh-agent service, error :1058”
  15. Git error: “Host Key Verification Failed” when connecting to remote repository
  16. Convert PEM to PPK file format
  17. Copying files using rsync from remote server to local machine
  18. How to read iPhone files without jailbreaking?
  19. SSH to Vagrant box in Windows?
  20. How to use Sublime over SSH
  21. Use qdel to delete all my jobs at once, not one at a time
  22. Automating command/script execution using PuTTY
  23. Public and Private Keys are Incorrect for user
  24. How to automate SSH login with password?
  25. ssh returns “Bad owner or permissions on ~/.ssh/config”
  26. How do I change my private key passphrase?
  27. Create a public SSH key from the private key?
  28. How do diff over ssh?
  29. “Add correct host key in known_hosts” / multiple ssh host keys per hostname?
  30. SSH use only my password, Ignore my ssh key, don’t prompt me for a passphrase
  31. ssh-agent forwarding and sudo to another user
  32. Non interactive git clone (ssh fingerprint prompt) [duplicate]
  33. How to check sshd log?
  34. What does “Warning: untrusted X11 forwarding setup failed: xauth key data not generated” mean when ssh’ing with -X?
  35. What’s the difference between authorized_keys and authorized_keys2?
  36. Is my password compromised because I forgot to hit Enter after ssh username?
  37. How do I make ssh fail rather than prompt for a password if the public-key authentication fails?
  38. ssh-keygen does not create RSA private key
  39. OpenSSH: Difference between internal-sftp and sftp-server
  40. What significance does the user/host at the end of an SSH public key file hold?
  41. SSH Suddenly returning Invalid format
  42. How can I prevent the warning No xauth data; using fake authentication data for X11 forwarding?
  43. How to recover from “Too many Authentication Failures for user root”
  44. SFTP logging: is there a way?
  45. Why does my OpenSSH key fingerprint not match the AWS EC2 console keypair fingerprint?
  46. Login without running bash_profile or bashrc
  47. How do I do Multihop SCP transfers between machines?
  48. scp without known_hosts check
  49. How do I validate an RSA SSH public key file (id_rsa.pub)?
  50. How can I run arbitrarily complex command using sudo over ssh?
  51. Add comment to existing SSH public key
  52. ssh connection takes forever to initiate, stuck at “pledge: network”
  53. What is the benefit of not allocating a terminal in ssh?
  54. bad ownership or modes for chroot directory component
  55. Why Block Port 22 Outbound?
  56. Ansible stuck on gathering facts
  57. Is it possible to use rsync over sftp (without an ssh shell)?
  58. SSH Allow Password For One User, Rest Only Allow Public Keys [duplicate]
  59. ssh : Permission denied (publickey,gssapi-with-mic)
  60. ssh connect Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)
  61. Could not open a connection to your authentication agent
  62. How to establish ssh key pair when “Host key verification failed”
  63. AWS – Disconnected : No supported authentication methods available (server sent :publickey)
  64. How to set ssh timeout?
  65. Using putty to scp from windows to Linux
  66. mysql_config not found when installing mysqldb python interface
  67. X11 forwarding request failed on channel 0
  68. mysql_config not found when installing mysqldb python interface
  69. Pseudo-terminal will not be allocated because stdin is not a terminal
  70. How to download a file from server using SSH?
  71. connect to host localhost port 22: Connection refused
  72. channel 3: open failed: connect failed: Connection refused
  73. How to specify the private SSH-key to use when executing shell command on Git?
  74. Getting stty: standard input: Inappropriate ioctl for device when using scp through an ssh tunnel
  75. Copying files from server to local computer using SSH
  76. key_load_public: invalid format
  77. Differences between SFTP and “FTP over SSH”
  78. EC2 ssh Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
  79. Configure WordPress to connect to Mysql DB using SSH tunneling
  80. Failure to establish connection when provisioning via ansible-playbook server.yml
  81. Upgraded to php7.0, now ssh updates don’t work [closed]
  82. enable SFTP via SSH keys in wordpress
  83. Unable to update WordPress or install plugins/themes
  84. SSH Server with WordPress
  85. AWS Lightsail WordPress – connect to database on instance using mysqli
  86. How To Upload Existing WordPress Site To WordPress Multisite Using SSH
  87. SSH vs WordPress
  88. Configuring WordPress permissions for easy updates
  89. SSH git — How to pull a folder from repo, but not delete other directories & files on deployment server [closed]
  90. Can I automatically add a new host to known_hosts?
  91. Can I nohup/screen an already-started process?
  92. Is it normal to get hundreds of break-in attempts per day?
  93. how to disable SSH login with password for some users?
  94. What is a good SSH server to use on Windows? [closed]
  95. SSH keypair generation: RSA or DSA?
  96. Does getting disconnected from an SSH session kill your programs?
  97. How can I fully log all bash scripts actions?
  98. protocol version mismatch — is your shell clean?
  99. Why is SSH password authentication a security risk?
  100. Why is ssh agent forwarding not working?

Leave a Comment