I can't seem to reproduce the same style entry, but below is snippets that should show what is wrong. Basically the gist is that example.com is in known hosts, and is a hop point for a proxycommand for foo.example.com which has a explicit hostname of an ip address. I tried to recreate it, but my current version of ssh automatically puts the hashed host entry, not the ip,<no hostip...> entry. They probably came from an earlier version of ssh. $ ssh-keygen -f "/home/hdavenport/.ssh/known_hosts" -R example.com # Host example.com found: line 1 type RSA line 2 invalid key: 192.168.x.x,<no... /home/hdavenport/.ssh/known_hosts is not a valid known_hosts file. Not replacing existing known_hosts file because of errors $ cat /home/hdavenport/.ssh/known_hosts |1|hosthash ssh-rsa keyhash 192.168.x.x,<no hostip for proxy command> ssh-rsa keyhash $ cat /home/hdavenport/.ssh/config host foo.example.com proxycommand ssh -q example.com nc -q0 %h %p hostname 192.168.x.x
The invalid known_hosts entries are created by older versions of the Ruby library net-ssh: https://rubygems.org/gems/net-ssh The bug is fixed in version 2.9.2 of net-ssh.
This is working as intended: if the known_hosts file is messed up then ssh-keygen -R bails out instead of blundering ahead and destroying it further. We've fixed the bug in ssh that put the "<no hostip for proxy command>" entries in known_hosts to begin with a while back IIRC.
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1