Why do I have two entries per server in the known_hosts file?

On my Mac I have one entry per server in the ~/.ssh/known_hosts file; in Ubuntu I noticed there are two created per server. Why is that?

Format is:

|1|wwwwwwwwwwwwwww=|wwwwwwwwww= ecdsa-sha2-nistp256 AAAAAAAAAA+AAAAA=
|1|vvvvvvvvvvvvvvv=|vvvvvvvvvv= ecdsa-sha2-nistp256 AAAAAAAAAA+AAAAA=

In both entries, the first section before ecdsa-sha2-nistp256 is different. After ecdsa-sha2-nistp256 it is the same (the public key, I imagine).

I ssh into server A, and from there I ssh into server B. I'm not manually adding entries; I see the Ubuntu warning and allow it to add to the known_hosts file.

I blanked the known_hosts file for this test.

I have a reasonable doubt that the extra entry is for the IPv6 address, even though I've not used it to connect. Does Ubuntu add it automatically if available?


Solution 1:

You have two entries because one is by domain and the other by IP address, so your example:

|1|wwwwwwwwwwwwwww=|wwwwwwwwww= ecdsa-sha2-nistp256 AAAAAAAAAA+AAAAA=
|1|vvvvvvvvvvvvvvv=|vvvvvvvvvv= ecdsa-sha2-nistp256 AAAAAAAAAA+AAAAA=

might in effect read:

[example.com] ecdsa-sha2-nistp256 AAAAAAAAAA+AAAAA=
[192.168.6.8] ecdsa-sha2-nistp256 AAAAAAAAAA+AAAAA=

If you disable known host hashing (add HashKnownHosts no to your ~/.ssh/config file) then you can see what is happening, but on a non-hashed known_hosts file, both the domain and IP address can appear on the same line, so they'd look like this:

[example.com],[192.168.6.8] ecdsa-sha2-nistp256 AAAAAAAAAA+AAAAA=

There's a bit more of a discussion of the known_hosts file format here.
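The hashed format described in Solution 1, as an added example that is not part of either answer: each |1|salt|hash host field is HMAC-SHA1 of the host name keyed with a random 20-byte salt, so the name entry and the address entry for the same server get different host fields but carry the same key. The sample lines and key string below are constructed for this example, and parse_entry, host_matches and keys_for_host are helper names chosen here, not OpenSSH functions.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # prefix OpenSSH puts on hashed host fields (HashKnownHosts yes)

def hash_hostname(host, salt):
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def hashed_entry(host, keytype, key, salt=None):
    """One known_hosts line for host; a fresh random 20-byte salt is drawn unless one is given."""
    return "%s %s %s" % (hash_hostname(host, salt or os.urandom(20)), keytype, key)

def parse_entry(line):
    """Split a known_hosts line into (host_field, keytype, key); comments/blanks/short lines give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    return tuple(fields[:3]) if len(fields) >= 3 else None

def host_matches(host_field, host):
    """True if host_field names host, whether it is hashed or a plain comma-separated list."""
    if host_field.startswith(HASH_MAGIC):
        parts = host_field.split("|")  # ['', '1', salt_b64, mac_b64]
        if len(parts) != 4:
            return False
        # Recompute the MAC for host with the stored salt; the per-line salt is why two entries differ.
        return hmac.compare_digest(hash_hostname(host, base64.b64decode(parts[2])), host_field)
    return host in host_field.split(",")

def keys_for_host(lines, host):
    """Return (keytype, key) pairs recorded for host, the way ssh-keygen -F host would find them."""
    found = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed and host_matches(parsed[0], host):
            found.append((parsed[1], parsed[2]))
    return found

# Constructed sample (not a real key): the two entries from the question, one hashed from the
# name and one from the address, sharing the same ecdsa key, plus an unrelated host.
SAMPLE_KEY = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEKEY="
SAMPLE_LINES = [
    hashed_entry("example.com", "ecdsa-sha2-nistp256", SAMPLE_KEY),
    hashed_entry("192.168.6.8", "ecdsa-sha2-nistp256", SAMPLE_KEY),
    hashed_entry("other.example", "ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE"),
]
```

Running keys_for_host over SAMPLE_LINES for "example.com" and for "192.168.6.8" returns the same key, while the two stored host fields are different strings, which is exactly the pair of lines seen in the question.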

Solution 2:

You should have one key for each server you have connected to. Either you have connected to two servers at various times or the key on your single server was changed.

When you first connect to an ssh server you are asked if you wish to add the key to known hosts.

Looks something like this:

[screenshot of the first-connection host key prompt]

So you accepted the keys with your client at some point in time.

With each subsequent connection, when you connect to the server the keys are compared and you get a warning if they are changed.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f2:92:1d:da:81:2a:d7:16:0a:48:f0:43:20:1c:f4:b5.
Please contact your system administrator.
Add correct host key in /home/bodhi/.ssh/known_hosts to get rid of this message.
Offending key in /home/bodhi/.ssh/known_hosts:1

See: http://bodhizazen.com/Tutorials/SSH_overview#Security