Where is the known_hosts file for OpenSSH for Windows?

One of the servers I frequently log into via SSH has changed it’s IP address. So, now I’m getting man in the middle attack warnings when I try to use SSH via Windows Powershell and OpenSSH for Windows.

On a linux machine, I would just remove the offending line from

/.ssh/known_hosts . But, the

/.ssh directory seems to be empty.

Where is the known_hosts file for Powershell/OpenSSH? I’ve checked in C:\Program Files\OpenSSH\home\anschauung\.ssh , but that folder is empty as well.

2 Answers 2

On windows it is usually stored in the %USERPROFILE%\ssh or %USERPROFILE%\.ssh folders. If you type %USERPROFILE% into the Windows explorer address bar it will be expanded automatically. You can also try cd /d «%USERPROFILE%\ssh» or cd /d «%USERPROFILE%\.ssh» from a command prompt.

Had a similar issue not fixed with the user profile’s known_hosts, so for anyone looking: If you have installed git, TortoiseGit, etc on Windows, the location of the overriding known_hosts file is in your git folder, e.g. Programs/Git/.ssh or Programs (x86)/Git/.ssh.

As per the error message

open the known_hosts file in an editor like Sublime with admin rights, remove the corresponding entry for your server in Programs/Git/.ssh/known_hosts and the new key fingerprint will get added on the next connection.

Is there a definitive path for known hosts in Windows?

I’m working with libcurl as SFTP and its great. I want to check for the host am about to connect if it exists in the hosts file. In Linux I can easily find known hosts file as it is almost always in

/.ssh/known_hosts . I wanted to know if Windows maintains the same thing or there is no standard as to where such file resides in Windows.

3 Answers 3

/.ssh/known_hosts is a *nix path used by OpenSSH. The

is resolved to the account’s home directory, which is specified in /etc/passwd file. The home defaults to /home/username folder on Linux.

The OpenSSH is Linux software. It does not run on Windows on its own.

Though it can run on *nix emulation on Windows and there are also Windows clones of OpenSSH. So in the end, your question is about what emulation or clone do you run on the Windows server and how that maps/re-implements the access to

Win32-OpenSSH (Windows clone of OpenSSH by Microsoft): It goes to your Windows account profile folder. I.e. typically to C:\Users\username\.ssh .

Cygwin emulator: On my installations, all *nix-like paths are actually stored in C:\cygwin64 ( C:\cygwin on 32-bit).

So the /home/username/.ssh/known_hosts is in C:\cygwin64\home\username\.ssh\known_hosts .

Note that Windows SSH clients usually do not use the known_hosts . They have a different host key cache/storage.

For example widely used Windows SSH client, PuTTY, stores know host keys to Windows registry to HKCU\Software\SimonTatham\PuTTY\SshHostKeys key. For details, see the answer by @aneesh.

means . i.e. the system drive can be C: , D: , etc. but Users folder always exists. Then second

is because the username can be any — you replace it with your case. There is system variable %APPDATA% which will show specific path — open Prompt window and type SET to see it. – i486 Oct 5 ’15 at 11:24

Not sure about libcurl though. But, for PuTTY users this might be helpful if the PuTTY throws warnings such as WARNING: Server public key has changed So in window known_hosts for PuTTY is SshHostKeys.

that is stored at the HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys location. To reach that location Registry Editor supposed to be used.

• go to start look for regedit
• then you will see all the directories on the left pane under computer
• just like this image says go to HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys location — location
• then you can modify like you wish Known host options — delete the registry value if you see a warning says WARNING: Server public key has changed
• If needed you can check the content in the SshHostKeys file using this command REG QUERY HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys

And then the cache will be cleared. Will be everything new again for that particular entry

Что записано в файле .ssh/known_hosts

Каждый раз, когда мы подключаемся по протоколу ssh к серверу, ssh клиент проверяет совпадает ли публичный ключ для этого сервера с тем, который был прошлый раз (по крайней мере так рекомендует делать стандарт ssh). В OpenSSH список известных ключей серверов хранится в файле known_hosts. Под катом коротко о том, что и как конкретно там хранится.

Все эксперименты проводились на Linux (Debian/Mint/Ubuntu). За расположение и содержание файлов в других ОС не ручаюсь.

Подключаясь первый раз к ssh серверу, мы видим примерно такое сообщение:

The authenticity of host ‘192.168.0.2 (192.168.0.2)’ can’t be established.
RSA key fingerprint is SHA256:kd9mRkEGLo+RBBNpxKp7mInocF3/Yl/0fXRsGJ2JfYg.
Are you sure you want to continue connecting (yes/no)?

/.ssh/known_hosts добавится такая строка:

|1|CuXixZ+EWfgz40wpkMugPHPalyk=|KNoVhur7z5NAZmNndtwWq0kN1SQ= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeiF4OOOUhWvOYrh/e4q91+iz+i9S0s3M2LPq+GAhRlhKt5vKyEVd6x6m26cc98Y+SQXnCB9GWeVYk8jlFHEXnY4YWeWLDwXIhHBJYt5yz3j5Wkg95x+mPvO9FLSBk/Al2GbH5q6F+hZIlLmO6ciISmX4TtcG1sw4SwoTADrrhdM0OJd+c5CU8iqCbc6PznYbLZXCvqPZTWeSbTLUcUu1Ti+7xGwT8DF+tIyLFcU+zxd0QnwJIbNvewkHs0LsMOWFVPz/Nd0XiVXimX+ugCDBZ/4q8NUwH9SGzCMAvnnr+D1I8X2vhSuRsTsQXL5P3vf8elDxPdDrMJzNtlBCbLWzV

Тут через пробел записаны три элемента: хэш от имени сервера, название используемого ассиметричного алгоритма и публичный ключ сервера. Разберём их по очереди.

Имя сервера

На самом деле тут может быть записано и имя хоста в открытом виде или маска, задающая множество допустимых имён. Но у меня по умолчанию сохраняется хэшированое имя. Запись разделена на 3 части символом «|». Первая часть — алгоритм хэширования. «1» соответствует HMAC-SHA1 (других не видел). Вторая часть — соль (ключ для HMAC). Третья часть — собственно хэш (вывод HMAC).

Ассиметричный алгоритм

В RFC-4253 перечислены 4 ассиметричных алгоритма: ssh-dss (по стандарту обязательный, но считается слабым и начиная с OpenSSH7.0 выключен по-умолчанию), ssh-rsa (рекомендуемый), pgp-sign-rsa (опциональный), pgp-sign-dss (опциональный). По умолчанию в Linux генерируются ключи первых двух видов и для не упомянутых в RFC алгоритмов на эллиптических кривых. Предпочтение отдаётся последним, однако клиент может выбрать алгоритм опцией HostKeyAlgorithms.

ssh root@192.168.0.2 -o HostKeyAlgorithms=ssh-rsa

ssh root@192.168.0.2 -o HostKeyAlgorithms=ssh-rsa -o FingerprintHash=md5

Публичный ключ

Публичный ключ в known_hosts совпадает с тем, который записан в файле /etc/ssh/ssh_host_rsa_key.pub на сервере (вместо rsa подставить название используемого алгоритма). Если снять Base64 кодирование, то внутри будет ещё раз название алгоритма и собственно компоненты ключа.

Видно, что идут 4 байта, в которые записана длина поля, потом само поле и т.д. Первое поле — название алгоритма, остальные зависят от конкретного алгоритма. В приведённом выше ключе 3 поля:

known_hosts SSH?

I’m setting up a Windows-based SSH/SFTP server (for clients to download results). Never have done it before; I have it working with username/password access, but one of our clients send me a *.pub file and said we need to put it in the «known_hosts» file. I have no idea what that means, and it doesn’t show up in the SSH server documentation. I don’t want to look particularly stupid in front of a paying customer — can anyone enlighten me on this? Is that a common Linux or Unix thing for SSH servers?

I’m running an SSH SFTP application on a windows box. The .pub file is their public key. It’s what will authenticate them, if that’s how you have configured them to authenticate. You could configure users to authenticate via username/password or via public key. I use BitVise SSH Server. Not free but not expensive. Definitely worth the money.

18 Replies

This would be far, far better setup on Linux, it’s what it’s designed for.

known_hosts is a linux thing. It means literally what it says it is.

PUB files don’t go in known_hosts. They are confused about how SSH works. It goes in the authorized file, not the known file.

known_hosts is a linux thing. It means literally what it says it is.

It’s nothing to do with Linux. It’s as much a part of Windows as it is on Linux. You use it identically with PowerShell as you do with BASH, for example.

I’m setting up a Windows-based SSH/SFTP server (for clients to download results).

Why is this in the Linux group when it is for Windows? Nothing Linux related in this thread.

I don’t have my Windows box with me at the moment, I work on Linux normally, but if it follows OpenSSH convention (and it should since Windows uses OpenSSH the same as everyone else) the standard file that the .pub goes into is called authorized_keys

I assume that you are using Microsoft’s own official Win32-OpenSSH server, not some weird third party component?

known_hosts is a file on the client’s machine, not the server. That’s why you don’t see it in the documentation for the server.

I’m running an SSH SFTP application on a windows box. The .pub file is their public key. It’s what will authenticate them, if that’s how you have configured them to authenticate. You could configure users to authenticate via username/password or via public key. I use BitVise SSH Server. Not free but not expensive. Definitely worth the money.

PUB files don’t go in known_hosts. They are confused about how SSH works. It goes in the authorized file, not the known file.

known_hosts is a list of host keys, not individual user public keys.

I use BitVise SSH Server. Not free but not expensive.

Thanks to all for the quick help.

Thanks especially to configur3d, who apparently has the same setup as I do.

Thanks to all for the quick help.

Thanks especially to configur3d, who apparently has the same setup as I do.

Thanks to all for the quick help.

Thanks especially to configur3d, who apparently has the same setup as I do.

I use BitVise SSH Server. Not free but not expensive.

What makes it better than Microsoft’s officially SSH server product? Or better than running Linux? Does Bitvise offer some cool additional features?

I use BitVise SSH Server. Not free but not expensive.

What makes it better than Microsoft’s officially SSH server product? Or better than running Linux? Does Bitvise offer some cool additional features?

I couldn’t tell you if it is better than Microsoft’s product. I didn’t use theirs. BitVise is really easy to use. Very intuitive. Works with AD. I had tried a few other SSH server application and BitVise came out on top. At least for our needs it won out. I looked for Microsoft’s official SSH server product. I guess my google-fu is weak. Where can I find this. I’m curious to learn more.

Thank you Scott for the links. I’m checking things out now. I like the fact that it runs on Powershell and that it’s free. I’m always up for learning more Powershell and who can pass up free. Clearly you can use local accounts and domain accounts just as you can in BitVise. The SFTP portion doesn’t seem so finalized, however. From their wiki it states that the user’s home directory is not working properly.

Even if you want to change their home path to something else, which is something we do. Of course, I could be missing something here. Please let me know if I’m wrong regarding this. This project, however, is something I’m interested in and continue to follow it. Thanks, again.

For now I’ll stick to BitVise. It’s a very good program. Easy to use. Intuitive. Feature rich. It has a 30 day trial (fully functional) if you want to give it a go.

Windows own OpenSSH implementation is definitely very new. Even on the client side it’s not perfect. I use it to SSH into LInux boxes directly from PowerShell and they don’t have the PowerShell display working perfectly like Putty does. It’s way easier because I just use PowerShell rather than opening another app, but it’s definitely not as polished as Putty yet.

Known hosts ssh windows

Если Вы работали с сервером по ssh, то наверняка знаете о такой штуке как known hosts. Это та самая штука, которая запоминает отпечатки (fingerprint) всех серверов, которые Вы посещаете и не поволяет сливать пароли и секретные ключи, если отпечаток не совпал. Она просто Вас не пустит дальше, обьясняя это тем, что Вас пытаются обмануть.

Но когда Вы переустанавливаете ОС на сервере и не переносите настройки sshd, то всё будет аналогично. Ну ещё бы, откуда ему знать, что это Вы стали причиной изменения отпечатка.

Тогда нужно стереть запись про этот сервер на клиенте. Проще всего это сделать командой:

Но это удалит данные про все сервера, а нас это не очень то устраивает. Хотя если Вы работаете только с одним сервером, то почему бы и нет. Хотя на практике это крайне редко, даже если Вы думаете иначе.

Нужно ещё добавить, что расположение файла может быть и другим, если в конфиге ssh указано это директивой UserKnownHostsFile.

Если же Вам нужно удалить конкретный хост, то почему бы не открыть файл в текстовом редакторе и не удалить нужную строчку. Ну что, логично и так можно сделать, если у Вас на клиенте не включена опция HashKnownHosts. Если же она включена, то найти нужную строчку будет проблематично.

Но удалить запись всё-таки можно, командой:

Это удалит запись об указанном сервере и можно повторно зайти на него и подтвердить подлинность уже нового отпечатка.