When your SSH connections start behaving strangely, you might see errors like:

```
$ ssh user@server.example.com
/home/user/.ssh/known_hosts: line 15: invalid format
```

Or:

```
$ ssh user@server.example.com
No RSA host key is known for server.example.com and you have requested strict checking.
```

Or SSH might simply hang or crash during host key verification. These issues often stem from a corrupted known_hosts file.

Understand Known Hosts File Format
The known_hosts file stores the public host keys of servers you've connected to. Each line lists the hostnames, the key type, and the base64-encoded key:

```
server.example.com,192.168.1.100 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...
```

Or with hashed hostnames:

```
|1|abc123...|def456... ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...
```

Corruption can occur from:

- Disk errors
- Partial writes during crashes
- Manual editing mistakes
- Encoding issues
- Concurrent access problems

Check Known Hosts File
View the file:

```
cat ~/.ssh/known_hosts
```

Check for obvious issues:

- Empty lines in wrong places
- Truncated lines
- Binary/garbage characters
- Missing key types
- Duplicate entries

Check the file size:

```
ls -la ~/.ssh/known_hosts
```

If it's unusually large or zero bytes, it might be corrupted.

Validate Each Line
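Check line count:

```
wc -l ~/.ssh/known_hosts
```

Look for malformed lines:

```
awk '{if(NF<3) print NR": "$0}' ~/.ssh/known_hosts
```

Lines with fewer than 3 fields are malformed. Blank lines and short comment lines (starting with #) also match this check; SSH ignores them, so they are not corruption.

Check for invalid key types:

```
awk '{print $2}' ~/.ssh/known_hosts | sort | uniq -c
```

Should show recognized types like:

```
10 ssh-rsa
5 ssh-ed25519
3 ecdsa-sha2-nistp256
```

Unknown types indicate corruption. Lines that begin with a marker such as @cert-authority have the key type in the third field, so the hostname appears in this output instead.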
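
A stricter version of these checks, as an added example (not code from the original page): besides counting fields, it decodes each key and confirms that the key type named on the line matches the one embedded in the key, which also catches a line cut short where the field count still looks right. The function names and the sample entries are constructed for illustration.

```python
import base64

def blob_fields(raw):
    """Split a key blob into length-prefixed fields; None if it is cut short."""
    fields, pos = [], 0
    while pos < len(raw):
        end = pos + 4 + int.from_bytes(raw[pos:pos + 4], "big")
        if len(raw) - pos < 4 or end > len(raw):
            return None
        fields.append(raw[pos + 4:end])
        pos = end
    return fields

def check_line(line):
    """Return None for an acceptable line, otherwise a short reason."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None  # blank lines and comments are legal
    if parts[0] in ("@cert-authority", "@revoked"):  # optional marker
        parts = parts[1:]
    if len(parts) < 3:
        return "fewer than 3 fields"
    key_type, b64 = parts[1], parts[2]
    try:
        fields = blob_fields(base64.b64decode(b64, validate=True))
    except ValueError:  # bad characters or padding (binascii.Error)
        return "key is not valid base64"
    if not fields or len(fields) < 2:
        return "key blob truncated"
    if fields[0] != key_type.encode():
        return "key type does not match key blob"
    return None

def lint(text):
    """Return [(line_number, reason)] for each bad line of known_hosts text."""
    checked = ((n, check_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, why) for n, why in checked if why]

# Constructed sample: an all-zero "key", not a real host key.
_f = lambda b: len(b).to_bytes(4, "big") + b
ED = base64.b64encode(_f(b"ssh-ed25519") + _f(bytes(32))).decode()
SAMPLE = f"""# constructed sample entries
server.example.com,192.168.1.100 ssh-ed25519 {ED}
server.example.com ssh-ed25519 {ED[:40]}
server.example.com ssh-rsa {ED}
server.example.com ssh-ed25519
"""

print(lint(SAMPLE))
```

To check a real file, pass its contents to `lint()`, for example `lint(open(path, errors="replace").read())`.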
Fix Specific Malformed Lines
If you know the problematic line number:

```
sed -n '15p' ~/.ssh/known_hosts
```

Remove it:

```
sed -i '15d' ~/.ssh/known_hosts
```

Or fix manually if you know the correct format.

Remove Duplicate Entries
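Find duplicates:

```
sort ~/.ssh/known_hosts | uniq -d
```

Remove duplicates:

```
sort -u ~/.ssh/known_hosts -o ~/.ssh/known_hosts
```

This sorts and deduplicates the file. Only identical lines are removed, and the original line order (including the position of any comments) is lost.

Backup and Recreate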
If the file is severely corrupted, back it up and start fresh:

```
cp ~/.ssh/known_hosts ~/.ssh/known_hosts.corrupted
rm ~/.ssh/known_hosts
```

Now reconnect to servers to rebuild the file:

```
ssh user@server.example.com
```

You'll be prompted to accept new keys:

```
The authenticity of host 'server.example.com' can't be established.
ED25519 key fingerprint is SHA256:abc123...
Are you sure you want to continue connecting (yes/no/[fingerprint])?
```

With the old entries gone, SSH cannot tell you whether a host key has changed, so compare the fingerprint shown with one obtained from a trusted source before answering yes.

Recover Known Hosts from Backup
If you have a backup:

```
ls -la ~/.ssh/known_hosts.old
```

Restore it:

```
cp ~/.ssh/known_hosts.old ~/.ssh/known_hosts
```

Fix Hashed Known Hosts
If your known_hosts uses hashed hostnames:

```
head -1 ~/.ssh/known_hosts
```

Should start with |1|:

```
|1|NcX9...|kYF2... ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...
```

If hashed lines are malformed, you can't easily identify which host they belong to. Remove them and reconnect.

Hashed entries cannot be decoded back to a hostname, but if you know the hostname you can look up its entries:

```
ssh-keygen -H -F server.example.com -f ~/.ssh/known_hosts
```

This shows matching entries.
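
How that lookup works, as an added example (not part of the original page): a hashed host field is `|1|salt|hash`, where the hash is HMAC-SHA1 of the hostname keyed with the salt, so a known name can be tested against an entry but not read back from it. The function names, the fixed salt and the sample lines are constructed for illustration, and plain entries are compared literally (no wildcard patterns).

```python
import base64
import hashlib
import hmac

def hash_host(host, salt):
    """Build the hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

def hashed_matches(field, host):
    """True if a hashed host field belongs to host; False if not or malformed."""
    parts = field.split("|")
    if len(parts) != 4 or parts[0] or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
        want = base64.b64decode(parts[3], validate=True)
    except ValueError:  # e.g. a truncated or hand-edited hash
        return False
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, want)

def find_host(text, host):
    """Line numbers of known_hosts entries for host, hashed or plain."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if fields and fields[0].startswith("@"):  # skip an optional marker
            fields = fields[1:]
        if not fields or fields[0].startswith("#"):
            continue
        name = fields[0]
        if name.startswith("|"):
            found = hashed_matches(name, host)
        else:
            found = host in name.split(",")  # literal names only
        if found:
            hits.append(number)
    return hits

# Constructed sample: fixed salt and placeholder key text, not real entries.
SALT = bytes(range(20))
SAMPLE = "\n".join([
    hash_host("server.example.com", SALT) + " ssh-ed25519 AAAAC3...",
    hash_host("192.168.1.100", SALT) + " ssh-ed25519 AAAAC3...",
    "|1|NcX9...|kYF2... ssh-ed25519 AAAAC3...",  # damaged hash: never matches
    "server.example.com,192.168.1.100 ssh-rsa AAAAB3...",
])
print(find_host(SAMPLE, "server.example.com"))
```

The damaged third line matches no hostname at all, which is why malformed hashed entries can only be removed, not attributed to a host.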
Remove Entries for Specific Host
Clean removal using ssh-keygen:

```
ssh-keygen -R server.example.com
```

This properly removes entries, including hashed ones.

For IP address:

```
ssh-keygen -R 192.168.1.100
```

Fix Permission Issues
The known_hosts file must have correct permissions:

```
ls -la ~/.ssh/known_hosts
```

Should show:

```
-rw------- 1 user user 1234 Apr 3 10:00 ~/.ssh/known_hosts
```

Fix if wrong:

```
chmod 600 ~/.ssh/known_hosts
```

Also check the directory:

```
chmod 700 ~/.ssh
```

Handle Encoding Issues
If the file has non-UTF8 characters:

```
file ~/.ssh/known_hosts
```

Should show:

```
~/.ssh/known_hosts: ASCII text
```

If it shows binary or other encoding, convert from the backup copy made earlier:

```
iconv -f ISO-8859-1 -t UTF-8 ~/.ssh/known_hosts.corrupted > ~/.ssh/known_hosts
```

Or recreate from scratch.

Test Known Hosts After Repair
Verify SSH works:

```
ssh -v user@server.example.com 2>&1 | grep "known_hosts"
```

Should show:

```
debug1: checking match for 'server.example.com' file ~/.ssh/known_hosts line 10
debug1: Found key in ~/.ssh/known_hosts:10
```

Prevent Future Corruption
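Enable hashing for security and to prevent manual editing errors:

```
ssh-keygen -H
```

This hashes all hostnames in the file. The original, unhashed file is kept as ~/.ssh/known_hosts.old; delete it once you have confirmed the hashed file works, since it still lists the hostnames in clear text.

Use HashKnownHosts in your config:

```
echo "HashKnownHosts yes" >> ~/.ssh/config
```

Appending puts the option at the end of the file, where it belongs to the last Host block if one exists. To apply it to every host, place it before the first Host line instead.

Use Separate Known Hosts Files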
Maintain separate files for different environments:

```
ssh -o UserKnownHostsFile=~/.ssh/known_hosts_work user@work-server
```

In ~/.ssh/config:

```
Host work-*
    UserKnownHostsFile ~/.ssh/known_hosts_work

Host personal-*
    UserKnownHostsFile ~/.ssh/known_hosts_personal
```

This limits corruption impact.

Check System-Wide Known Hosts
Sometimes the system-wide file is corrupted:

```
cat /etc/ssh/ssh_known_hosts
```

If corrupted, contact your system administrator or fix:

```
sudo ssh-keygen -R server.example.com -f /etc/ssh/ssh_known_hosts
```

Verify Known Hosts After Removal
After removing an entry and reconnecting:

```
ssh-keygen -l -F server.example.com -f ~/.ssh/known_hosts
```

Should show the fingerprint:

```
# Host server.example.com found: line 1
256 SHA256:abc123... server.example.com (ED25519)
```

Resolution Checklist
1. Check file for obvious corruption: `cat ~/.ssh/known_hosts`
2. Find malformed lines: `awk '{if(NF<3) print NR": "$0}'`
3. Remove specific lines: `sed -i 'Nd'`
4. Remove duplicates: `sort -u`
5. Backup and recreate if severely corrupted
6. Use `ssh-keygen -R hostname` for clean removal
7. Fix permissions: `chmod 600`
8. Enable `HashKnownHosts yes` for future entries

Known hosts file corruption is usually simple to fix. Remove malformed entries or recreate the file if damage is extensive. Always verify keys when reconnecting to ensure security.