Add a Key to the Client Known Hosts List

By default, the first time a client attempts to connect to the server, the user sees a message indicating that this is an unknown host. This message includes a fingerprint that identifies the host key. To be sure that this is actually the correct host key, the user should contact the host system administrator who can confirm that this is the correct fingerprint. Without this verification, the client is at risk of a "man-in-the-middle" attack. To simplify initial connections and eliminate the risk created by allowing users to accept unknown keys, you can manually add the host key to the client known hosts list.

To add the server key to the client known hosts list

Note: You will need a correctly named copy of the server's public host key. Client copies of known host keys use the following file name format:


Where port is the port used for the ssh connection, host is the host name, and IP is the host IP address. (Earlier versions used, and this format is still supported.)

An easy way to obtain a correctly named key is to make an initial connection to the server and allow the client to accept and name the host key. You can then distribute this copy of the host key. This is the technique used in the following procedure.

  1. From your server, use ssh-keygen to display the fingerprint of the server's public host key:

    ssh-keygen -F /etc/ssh2/

  2. From a client that has not yet connected to this host, initiate a connection to your server:

    ssh myname@myserver

    You'll see a message saying that the host key is not in the host key database.

  3. Confirm that the host key fingerprint in this message matches the actual host key fingerprint, and enter 'yes' to accept the host key.

    You will see a message identifying the name and location of the host key you just accepted. For example:

    Host key saved to /home/joe/.ssh2/hostkeys/key_22_myserver,

  4. Copy this key to the known host list of your client computers:
    • To add this host key for all users of the client computer, copy the host public key file to /etc/ssh2/hostkeys.


    • To add this host key for an individual user, copy the host public key file to ~/.ssh2/hostkeys.
  5. (Optional) Enable StrictHostKeyChecking so that users cannot accept unknown host keys. You can add the following line to a system-wide configuration file (/etc/ssh2/ssh2_config), or a user-specific configuration file (~/.ssh2/ssh2_config).


Related Topics

Public Key Authentication Overview

Create a New Host Key

Display the Fingerprint of the Host Public Key