203

I would like to see what hosts are in my known_hosts file but it doesn't appear to be human readable. Is it possible to read it?

More specifically there is a host that I can connect to via several names and I want to find out what the fingerprint I expect for it from my known hosts file.

Update: I'm using OpenSSH_5.3p1 Debian-3ubuntu7, OpenSSL 0.9.8k 25 Mar 2009

A line from my known_hosts file looks something like this,

|1|guO7PbLLb5FWIpxNZHF03ESTTKg=|r002DA8L2JUYRVykUh7jcVUHeYE= ssh-rsa AAAAB3NzaC1yc2EAAFADAQABAAABAQDWp73ulfigmbbzif051okmDMh5yZt/DlZnsx3DEOYHu3Nu/+THJnUAfkfEc1XkOFiFgbUyK/08Ty0K6ExUaffb1ERfXXyyp63rpCTHOPonSrnK7adl7YoPDd4BcIUZd1Dk7HtuShMmuk4l83X623cr9exbfm+DRaeyFNMFSEkMzztBYIkhpA2DWlDkd90OfVAvyoOrJPxztmIZR82qu/5t2z58sJ6Jm2xdp2ckySgXulq6S4k+hnnGuz2p1klviYCWGJMZfyAB+V+MTjGGD/cj0SkL5v/sa/Fie1zcv1SLs466x3H0kMllz6gAk0/FMi7eULspwnIp65g45qUAL3Oj
Colin Newell
  • 2,133

5 Answers5

231

You've got HashKnownHosts set to "yes" in your ssh_config file, so the hostnames aren't available in plaintext.

If you know the hostname you're looking for ahead of time, you can search for it with:

ssh-keygen -H -F hostname
# Or, if SSH runs on port other than 22. Use literal brackets [].
ssh-keygen -H -F '[hostname]:2222'

Here's the relevant section from the ssh-keygen(1) man page:

-F hostname

Search for the specified hostname in a known_hosts file, listing any occurrences found. This option is useful to find hashed host names or addresses and may also be used in conjunction with the -H option to print found keys in a hashed format.

Toby Speight
  • 8,678
pdo
  • 6,970
  • 3
  • 28
  • 19
  • 8
    Does hash known hosts essentially mean it's not possible? i.e. I need to know the name of the host in order to look at it's info? – Colin Newell Feb 13 '12 at 15:54
  • 15
    @ColinNewell That's right, you need to know the hostname(s). It's a security measure to keep an attacker from harvesting hostnames/IP addresses of other boxes you frequent if your machine is compromised. – pdo Feb 13 '12 at 15:58
  • 1
    Don't be scared when there is no output at all, but try not the full qualified hostname but the hostname instead. – math May 07 '13 at 17:58
  • 6
    Not sshd_config, but ssh_config. – Fish Monitor Nov 21 '13 at 10:31
  • 13
    @pdo - your command does not always work. If the host has SSH on port other than 22, then the format in known_hosts is different. Then you have to use the following command: ssh-keygen -H -F [host.example.com]:2222 – Martin Vegter Jul 13 '14 at 15:56
  • 2
    I wanted to find the rsa key for a specific host, so I ran this: ssh-keygen -l -f ~/.ssh/known_hosts -F <hostname> – isaaclw Sep 22 '15 at 21:31
  • 1
    I'm considering using this in a script, so I was testing return values. When it successfully finds a match, it returns one, and when it fails it returns 1. Any idea what it's supposed to be returning? The manpage doesn't state anything under the -F or -H flags, nor is there a section about what it returns. – Ungeheuer May 28 '18 at 00:49
  • @Ungeheuer That is strange. I see the same behaviour. You could do test $(ssh-keygen -H -F ssh.vps4.mikkel.ca | wc -l) -gt 0, which will exit 0 on a match, 1 on no match. – Mikkel Sep 04 '18 at 04:20
  • 2
    Oh, the square brackets in '[hostname]:2222' are literal. I unconsciously parsed them as indicating a variable to be substituted! If you are trying to find a server that's on a port other than 22 you do have to include those square brackets. – Tom Ellis Dec 23 '21 at 19:45
  • @Ungeheuer that bug seems fixed now. I get a return value of 0 for a successful match with OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020 – nealmcb Sep 24 '22 at 19:42
  • This answer is helpful, though this part isn't true: "You've got HashKnownHosts set to "yes" in your ssh_config file" – Mike B Mar 28 '23 at 01:34
24

For future searchers, this article (non-disclaimer: I'm not affilated) has a relatively simple Perl script to brute-force hashed IPs and hostnames in known_hosts.

http://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/

It allows starting from a particular IP address. It could also easily be modified to use a dictionary.

Also, in June 2014, the John the Ripper project added support for known_hosts cracking, which can take advantage of multiple CPU cores, GPUs, dictionary mangling, etc.

Overall, it's an exercise similar to password cracking, with a somewhat more predictable (or at least constrained) target space.

For private IPs, you can use this nmap snippet to generate a dictionary of all RFC1918 IP addresses to use as a dictionary:

nmap -sL -Pn -n 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 |\
    grep '^Nmap scan report for' | cut -d\  -f5 >ips.list

If public IPs are included, it may be more efficient to use rules. This hashcat ruleset may need additional work to adapt to work with JtR, but does most of the heavy lifting and should give you a starting point.

Hostnames are more idiosyncratic to the user and environment, but there are trends in host naming. Fully qualified hostnames can be correlated in DNS, /etc/hosts, shell history, etc. with any discovered IP addresses. Since destination systems can be entirely unrelated to the host system, public dumps of common domains and hostnames can be acquired from the DNS data from various Internet-wide scanning efforts (such as Censys).

Using John the Ripper is likely to be more efficient and scale better than the native SSH solution in the accepted answer for all but the most simple cases.

Royce Williams
  • 1,200
  • 1
    There is also a python implementation with similar features, can be found at: http://blog.tremily.us/posts/known_hosts/ – Lars Nordin Jun 12 '14 at 14:44
  • Lars Nordin, thanks for the tip. I submitted Remily's info to the John the Ripper team, and they added support for this in bleeding-jumbo: http://www.openwall.com/lists/john-users/2014/07/02/2 – Royce Williams Jul 13 '14 at 15:00
  • 1
    And here's how to do it with hashcat: http://up1ink.tumblr.com/post/132370869368/bruteforcingknownhostshashcat – Royce Williams Nov 03 '15 at 11:30
13

Does ssh-keygen -l -f ~/.ssh/known_hosts help? It shows the fingerprints for each host in that file. (Using -vyou also get nice little treasure maps, e.g.

+--[ RSA 2048]----+
|        .        |
|       + .       |
|      . B .      |
|     o * +       |
|    X * S        |
|   + O o . .     |
|    .   E . o    |
|       . . o     |
|        . .      |
+-----------------+
Luc
  • 3,610
sr_
  • 15,384
  • 4
    Not in the strictest sense no, it's all still base64. pdo's explanation of it being hashed suggests it's a one way thing so I guess I'm stuck unless I know the hostname. – Colin Newell Feb 13 '12 at 15:57
  • That helped me. What I wanted specifically was a combination. To find the previously verified ssh fingerprint, you can run: ssh-keygen -l -f ~/.ssh/known_hosts -F <hostname> – isaaclw Sep 22 '15 at 21:30
  • 3
    uh, ssh-keygen -l -F <hostname> is even simplier – isaaclw Sep 24 '15 at 15:08
7

Use the -l option to ssh-keygen to list fingerprints, and the -F option to search for a hostname in your known_hosts file.

$ ssh-keygen -l -F sdf.org
# Host sdf.org found: line 835 type RSA
2048 6e:cd:53:4f:75:a1:e8:5b:63:74:32:4f:0c:85:05:17 |1|9J47PEllvWk/HJ6LPz5pOB2/7rc=|ld0BtQh5V3NdhBHBwR/ZqSv8bqY= (RSA)

You can use ssh-keyscan to compare the fingerprint in your known_hosts to the one from the server.

$ ssh-keyscan sdf.org | awk '{print $3}' | base64 -d | openssl md5 -c
# sdf.org SSH-2.0-OpenSSH_7.1
# sdf.org SSH-2.0-OpenSSH_7.1
no hostkey alg
(stdin)= 6e:cd:53:4f:75:a1:e8:5b:63:74:32:4f:0c:85:05:17
xn.
  • 323
1

There is host string/ip at the beginning of each "known_hosts" line (before the "ssh-dss" or "ssh-rsa" string):

hostgn6 ssh-dss AAAB3NzaC1kc3MAAACBAIfGV4+/28Zr+dT/i+ifydUBS0dMRUjCtExIThOj3Yexynu+wSRGjMm4GfF+og2kAljZyUjhBFeM+WYbJzcDSDB [...] ==
yumyumn6.dik6.dir2g.some.net ssh-dss AAAAB3NzaC1kc3MAAACBAIfGV4+/28Zr+dT/i+ifydUBS0dMRUjCtExITh [...] ==
Ouki
  • 5,962
  • 2
    ...and thus awk '{print $1}' known_hosts does the trick. Be aware that servers listening on non-standard ports end up as, say, [some-server]:5555 in known_hosts. – sr_ Feb 13 '12 at 14:35
  • 4
    Unfortunately not in mine. Mine looks more like base64 encoded data. The data is also pipe delimited in my file. – Colin Newell Feb 13 '12 at 14:40
  • Which ssh software are you using then (we were assuming that you were using the almost-standart openssh software) ? – Ouki Feb 13 '12 at 14:49
  • I've added more details to my question. – Colin Newell Feb 13 '12 at 15:11
  • 9
    As stated by @pdo, your sshd as "HashKnownHosts" set to on, which may appear a bit anal, but security concern it is. And of course there is no way to simply reverse the hashes and get the hostnames from your "known_hosts". – Ouki Feb 13 '12 at 15:41
  • What I don't understand is how ssh decides when it needs to make a new entry, as opposed to reuse an existing one. In my known_hosts file there are clearly multiple entries for the same host, for example ec2-54-221-174-2.compute-1.amazonaws.com,64:ff9b::36dd:ae02 , ec2,54.221.174.2, 2607:7700:0:19:0:1:36dd:ae02 . Yes, the IP addresses are different here, but in other cases ssh seems able to coalesce lines with multiple IPs into a single line. How does this really work? (RTFM pointer appreciated.) – q.undertow Apr 03 '23 at 19:00