SSH known_hosts Parser

Parse known_hosts entries: host pattern, key type and SHA-256 fingerprint.


Overview

The SSH known_hosts parser reads the lines from your ~/.ssh/known_hosts file (or any file in the same format) and breaks them out into host pattern, key type, and SHA-256 fingerprint. Hashed host entries — the |1|...|... form OpenSSH writes by default — are surfaced as (hashed) so you know an entry exists without exposing the host name itself.

It is the right tool for sysadmins auditing what hosts a user has connected to, for incident responders comparing fingerprints against a known-good baseline, and for engineers debugging "Host key verification failed" errors. An SSH known_hosts parser makes it easy to spot a stale entry, a duplicated host with mismatched keys, or a suspicious new host.

How it works

known_hosts is a line-oriented file specified informally by OpenSSH's sshd(8) manual. Each non-comment line has three fields:

  1. Host pattern: a plain hostname, a comma-separated list, a wildcard pattern, or the hashed form |1|<base64-salt>|<base64-HMAC-SHA-1>. A hashed entry cannot be matched back to a hostname unless that hostname is already known.
  2. Key type: ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, etc.
  3. Base64 public key: the same wire format as an authorized_keys line.

The tool tokenises each line, classifies the host pattern, decodes the key blob, and computes both MD5 and SHA-256 fingerprints over the public-key bytes. Optional marker prefixes (@cert-authority and @revoked) are recognised and surfaced separately.
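A minimal parser along the same lines, added here as an example and not the tool's own code: it splits off the marker, reads the key type from the decoded blob, computes both fingerprints, and can confirm whether a hashed entry belongs to a hostname you already suspect. Function names are my own, and hash_host is a hypothetical helper that exists only so the hashed path can be exercised with a constructed salt.

```python
import base64
import hashlib
import hmac

def key_type_from_blob(blob: bytes) -> str:
    # The decoded blob starts with a length-prefixed string naming the algorithm
    # (e.g. "ssh-ed25519"); that string, not field 2, is the authoritative type.
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode("ascii")

def sha256_fingerprint(blob: bytes) -> str:
    # OpenSSH prints base64(SHA-256(blob)) with the '=' padding removed.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def md5_fingerprint(blob: bytes) -> str:
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def hash_host(hostname: str, salt: bytes) -> str:
    # Hypothetical helper: builds the |1|salt|HMAC-SHA-1 form from a given salt.
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def hashed_host_matches(pattern: str, hostname: str) -> bool:
    # Hashed entries are one-way: you can only confirm a hostname you already suspect.
    _, _, salt_b64, mac_b64 = pattern.split("|")
    mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))

def parse_line(line: str):
    line = line.strip()
    if not line or line.startswith("#"):
        return None  # blank or comment line
    fields = line.split()
    marker = fields.pop(0) if fields[0].startswith("@") else None
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    host, declared_type, key_b64 = fields[:3]
    blob = base64.b64decode(key_b64, validate=True)
    key_type = key_type_from_blob(blob)
    if key_type != declared_type:  # a tampered or hand-edited line
        raise ValueError(f"declared type {declared_type} but blob says {key_type}")
    hashed = host.startswith("|1|")
    return {
        "marker": marker,
        "host": "(hashed)" if hashed else host,
        "hashed_pattern": host if hashed else None,
        "type": key_type,
        "sha256": sha256_fingerprint(blob),
        "md5": md5_fingerprint(blob),
    }
```

Run parse_line over each line of a known_hosts file and compare the sha256 values against a baseline to spot a changed or duplicated host key.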

Examples

Input line: github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
Output:
  Host:        github.com
  Type:        Ed25519
  SHA-256:     SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU

Input line: |1|F1E1KeoE/eEWhi10WpGv4OdiO6Y=|3988QV0VE8wmZL7suNrYQLITLCg= ssh-rsa AAAAB3NzaC1yc2EAAAA...
Output:
  Host:        (hashed)
  Type:        RSA-2048
  SHA-256:     SHA256:...

Input line: @cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAA...
Output:
  Marker:      @cert-authority
  Host:        *.example.com
  Type:        RSA (CA key)

FAQ

Why are some host names hashed?

OpenSSH hashes by default (HashKnownHosts yes) to limit information disclosure: if an attacker steals your known_hosts, they cannot easily enumerate the hosts you have connected to. The hash is HMAC-SHA-1 with a per-line random salt.

Can I recover hashed hostnames?

Only by guessing. The HMAC-SHA-1 makes brute force per entry infeasible for any randomly chosen hostname, though common patterns (192.168.1.x, host01.example.com) are recoverable if you suspect them.

What is @cert-authority?

A marker indicating that the line carries a CA public key rather than a host key. SSH host certificates signed by this CA are trusted for the listed host pattern.

Should I rotate known_hosts entries?

Only when the server's key changes. If you trust the change, remove the old entry with ssh-keygen -R hostname and let SSH re-prompt on the next connection.
