Hashing known_hosts is a good idea, as it reduces the amount of information an attacker will collect, if/when (ha!) your machine gets compromised. Usually, a line in the known_hosts file looks like this:
less ~/.ssh/known_hosts
...
tilde.team ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1zw6+VOW8L4Rr3swbUVju3GGcknaV/fyhSJwH7NLfu
...
After running ssh-keygen -H it will look like this:
less ~/.ssh/known_hosts
...
|1|c6NiIH06AidrkPUman0oPEx6+6Y=|rPhYjXlkLgYaNR8jwaNMy7mur4I= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsJP1XDyRhEPdtgBeXYm2hf4GKG9aLlqA1+ZPgBadbl
...
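That’s it! Note that ssh-keygen -H keeps the original, unhashed file as ~/.ssh/known_hosts.old, so delete it once you have checked the result. Oh, and don’t forget to add the following to your ~/.ssh/config, so that future entries are hashed as well: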
Host *
    HashKnownHosts yes
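
How a hashed entry is built and looked up, as an added example that is not part of the original post: the host field is |1|salt|digest, where digest is HMAC-SHA1 of the hostname keyed with the salt, so ssh can still check a name it is given, and the last function audits a file for entries that are still in clear text. The function names are hypothetical; the two sample lines are the ones shown above.

```python
import base64, hashlib, hmac, os

MAGIC = "|1|"  # prefix OpenSSH puts in front of a hashed host field
# Sample lines copied from the post above.
PLAIN = "tilde.team ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1zw6+VOW8L4Rr3swbUVju3GGcknaV/fyhSJwH7NLfu"
HASHED = "|1|c6NiIH06AidrkPUman0oPEx6+6Y=|rPhYjXlkLgYaNR8jwaNMy7mur4I= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsJP1XDyRhEPdtgBeXYm2hf4GKG9aLlqA1+ZPgBadbl"

def _hmac(salt, host):
    # The salt is the HMAC key, the hostname is the message.
    return hmac.new(salt, host.encode(), hashlib.sha1).digest()

def hash_host(host, salt=None):
    """Build a hashed host field; a random 20-byte salt is used if none is given."""
    salt = os.urandom(20) if salt is None else salt
    b64 = lambda b: base64.b64encode(b).decode()
    return f"{MAGIC}{b64(salt)}|{b64(_hmac(salt, host))}"

def parse_hashed(field):
    """Return (salt, digest) for a hashed host field, or None for a plain one."""
    if not field.startswith(MAGIC):
        return None
    salt_b64, _, digest_b64 = field[len(MAGIC):].partition("|")
    return base64.b64decode(salt_b64), base64.b64decode(digest_b64)

def matches(host, field):
    """True if `host` is the name stored in this hashed field."""
    parsed = parse_hashed(field)
    if parsed is None:
        return False
    salt, digest = parsed
    return hmac.compare_digest(_hmac(salt, host), digest)

def unhashed_hosts(text):
    """List the host fields of a known_hosts file that are still in clear text."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("@"):  # skip @cert-authority / @revoked marker
            fields = fields[1:]
        if fields and not fields[0].startswith(("#", MAGIC)):
            found.append(fields[0])
    return found

if __name__ == "__main__":
    entry = hash_host("tilde.team")
    print(entry, matches("tilde.team", entry), matches("example.org", entry))
    print(unhashed_hosts(PLAIN + "\n" + HASHED))
```

Because the salt is stored next to the digest, anyone holding the file can run the same check against hostnames they already suspect, so hashing hides the list of hosts but does not protect easily guessed names.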