Host Key Storage Formats

When the host key is received during the first connection to a remote host (or when the host key has changed) and you choose to save the key, its file name is stored in hashed format, keys_hhh..., where hhh is a hash of the host port and name. The saved file contains a hash of the host's public key. A salt is included in the hash calculations. The value of the salt is stored in the file salt in the same directory as the host keys ($HOME/.ssh2/hostkeys on Unix, %APPDATA%\SSH\HostKeys on Windows). The hashed host key format is a security feature to make address harvesting on the hosts difficult.

In the plain (traditional) format, the name of a host key file includes the host's name and port, as in, and the file contains the host's public key in plaintext format.

The storage format can be controlled with the filename-format attribute of the known-hosts element of the ssh-broker-config.xml configuration file. The attribute value must be plain or hash (default).

<known-hosts path="$HOME/.ssh2/hostkeys" filename-format="plain" />

If you are adding the keys manually, the keys should be named with the key_<port>_<host>.pub pattern, where <port> is the port the Secure Shell server is running on and <host> is the host name you use when connecting to the server (for example,

If both the hashed and plaintext format keys exist, the hashed format takes precedence.

Note that host identification depends on both the host name and the port the client is connecting to. The host name can occur in four different formats:

  • Fully qualified domain name (FQDN)

  • Short host name

  • IPv4 address

  • IPv6 address

The host key for each name format has to be saved separately, as they are not mutually exchangeable.

The host key is saved under the host name format used in the login. For example, if you want to use all the host name formats when connecting to a remote host named alpha, connect to the host first with the following commands and save the host key under all four names:

  • sshg3 user@alpha

    produces the key with the short host name (in plain format

  • sshg3

    produces the key with FQDN (in plain format

  • sshg3 user@

    produces the key with IPv4 address (in plain format

  • sshg3 user@fd00:10:1:103::1:2f69

    produces the key with IPv6 address (in plain format

When connecting to a server using its IPv6 address, the IPv6 address given to Tectia Client is canonicalized without the colons, and the canonical format is used in the known host key file name. For example, the plain format host key file for ::1#10022 would be The canonical format is also used in the process of saving and reading hashed host keys.

Also, if you need to connect to the same host on a different port, your client needs a separate host key for that purpose; for example and

After the first connection, the locally stored information about the server public key will be used in server authentication.
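
The following is an added example, not part of the Tectia documentation or product: a Python audit that reads the filename-format attribute from a known-hosts element and lists which hosts and ports a host key directory reveals through plain-format file names, the exposure the hashed format is meant to prevent. The function names are hypothetical, and the sample host names, ports and the keys_ file name are constructed.

```python
import ipaddress
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Plain-format name pattern from the page: key_<port>_<host>.pub
PLAIN_RE = re.compile(r"^key_(\d+)_(.+)\.pub$")

def configured_format(known_hosts_xml: str) -> str:
    """filename-format of the known-hosts element; the page gives hash as the default."""
    root = ET.fromstring(known_hosts_xml)
    elem = root if root.tag == "known-hosts" else root.find(".//known-hosts")
    return "hash" if elem is None else elem.get("filename-format", "hash")

def classify_host(host: str) -> str:
    """Name format a plain file was saved under (each format needs its own key)."""
    try:
        ipaddress.IPv4Address(host)
        return "ipv4"
    except ValueError:
        # No dot: a short host name, or an IPv6 address canonicalized without colons.
        return "fqdn" if "." in host else "short-or-ipv6"

def audit_hostkeys(directory: Path) -> dict:
    """Separate entries whose names reveal host and port from hashed ones."""
    report = {"plain": [], "hashed": 0, "salt": False}
    for entry in sorted(directory.iterdir()):
        match = PLAIN_RE.match(entry.name)
        if match:
            host, port = match.group(2), int(match.group(1))
            report["plain"].append((host, port, classify_host(host)))
        elif entry.name.startswith("keys_"):
            report["hashed"] += 1
        elif entry.name == "salt":
            report["salt"] = True
    return report

if __name__ == "__main__":
    # Constructed sample directory; hosts, ports and the keys_ name are made up.
    names = ["key_22_alpha.pub", "key_22_alpha.example.com.pub",
             "key_10022_alpha.example.com.pub", "key_22_192.0.2.10.pub",
             "keys_0123abcd", "salt"]
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            (Path(tmp) / name).touch()
        result = audit_hostkeys(Path(tmp))
    print(configured_format('<known-hosts path="$HOME/.ssh2/hostkeys" filename-format="plain" />'))
    for host, port, kind in result["plain"]:
        print(f"readable from file name: {host} port {port} ({kind})")
    print(f"hashed entries: {result['hashed']}, salt present: {result['salt']}")
```

Every tuple in the plain list is a host and port that anyone able to list the directory can read without opening a file; hashed entries are only counted, because their names do not show the host.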

