I want to add an entry to my /etc/ssh/ssh_known_hosts file without running ssh-keyscan. I tried adding the public key but ssh complains, that the fingerprint does not match.

From the sshd man page:


 The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
 public keys for all known hosts.  The global file should be prepared by
 the administrator (optional), and the per-user file is maintained auto-
 matically: whenever the user connects to an unknown host, its key is
 added to the per-user file.

So my take from that would be, that one can add the public key data. However, it doesn't seem to work for me.

My ssh_known_hosts looks like this: (the key part matching the content of my public key file) ssh-rsa AAAAB3Nza......zktpC1w==

running ssh-keyscan gives: ecdsa-sha2-nistp256 AAAAE2V...2L0= ssh-rsa AAAAB3Nza...38Ll ssh-ed25519 AAAAC3Nza...m2Sc

So I can see, that the key shown for ssh-rsa ends differently from the content in my public key file.

How can I add the correct data to ssh_known_hosts file without ssh-keyscan?

(My environment: I use puttygen to create the keys, ssh-keygen etc. in a cygwin environment to convert as needed. Eventually the keys are used in Alpine linux VMs to ssh / scp between the VMs.)

  • You mean you created a user private/public key pair? This is different from the SSH host keys. If you want to authenticate a specific user, the user's public key has to go into `~/.ssh/authorized_keys on the target computer.
    – Thomas
    Dec 30, 2018 at 12:29
  • Which key is correct? Dec 30, 2018 at 18:26
  • Thanks for the comments - they brought me on the right track. There were a couple of copy and paste errors in my Vagrantfile and the puppet manifests. Fixing those made things work well. Jan 1, 2019 at 19:10

1 Answer 1


Well, you could possibly collect the public keys corresponding to the host keys using e.g. the shell module of Ansible (this should also be idempotent btw.):

for i in /etc/ssh/*.pub
    printf "$(hostname) "
    awk '{print $1, $2}' ${i}

This will output something like:

<host> ecdsa-sha2-nistp256 AAAAE....vstxo4xdk3rms=
<host> ssh-ed25519 AAAAC....Wg3XxwzL
<host> ssh-rsa AAAAB3Nza....83u3X

I am relying on the fact, that the public keys have 3 space separated fields usually of which the third is a comment that you don't need. Usually it is root@<hostname> so you could also do something like:

for i in /etc/ssh/*.pub
    awk '{print gensub(".*@", "", 1, $3), $1, $2}' ${i}

With that, you should be able to collate your ssh_known_hosts. Using Ansible or a similar tool, you could even gather the IP and FQDN on the corresponding host and extend the ssh_known_hosts using also IPs (for the case you want to connect and DNS doesn't work or just for completeness) or alternative (DNS) names.

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .