Diffstat (limited to 'ssh/knownhosts/db.go')
-rw-r--r--ssh/knownhosts/db.go68
1 files changed, 68 insertions, 0 deletions
diff --git a/ssh/knownhosts/db.go b/ssh/knownhosts/db.go
new file mode 100644
index 0000000..9d81617
--- /dev/null
+++ b/ssh/knownhosts/db.go
@@ -0,0 +1,68 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package knownhosts
+
+import (
+ "fmt"
+ "net"
+ "os"
+
+ "golang.org/x/crypto/ssh"
+)
+
+type DB interface {
+ // HostKeyAlgorithms takes an address and returns a list of matching key types.
+ HostKeyAlgorithms(address string) ([]string, error)
+
+ // HostKeyCallback is knownhosts.New without the DB initialization.
+ HostKeyCallback() ssh.HostKeyCallback
+}
+
+// NewDB creates a new known_hosts database from the files given and returns
+// it.
+func NewDB(files ...string) (DB, error) {
+ logp := `NewDB`
+ db := newHostKeyDB()
+ for _, fn := range files {
+ f, err := os.Open(fn)
+ if err != nil {
+ return nil, fmt.Errorf(`%s: %w`, logp, err)
+ }
+ defer f.Close()
+ err = db.Read(f, fn)
+ if err != nil {
+ return nil, fmt.Errorf(`%s: %w`, logp, err)
+ }
+ }
+ return db, nil
+}
+
+// HostKeyAlgorithms returns a list of host key algorithms associated
+// with the given address.
+func (db *hostKeyDB) HostKeyAlgorithms(address string) (knownTypes []string, err error) {
+ logp := `HostKeyAlgorithms`
+ host, port, err := net.SplitHostPort(address)
+ if err != nil {
+ return nil, fmt.Errorf(`%s: %w`, logp, err)
+ }
+
+ hostToCheck := addr{host, port}
+ for _, l := range db.lines {
+ if l.match(hostToCheck) {
+ knownTypes = append(knownTypes, l.knownKey.Key.Type())
+ }
+ }
+ return knownTypes, nil
+}
+
+// HostKeyCallback is the way to get the ssh.HostKeyCallback if you have used
+// NewDB.
+func (db *hostKeyDB) HostKeyCallback() ssh.HostKeyCallback {
+ var certChecker ssh.CertChecker
+ certChecker.IsHostAuthority = db.IsHostAuthority
+ certChecker.IsRevoked = db.IsRevoked
+ certChecker.HostKeyFallback = db.check
+ return certChecker.CheckHostKey
+}
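Review bot: `defer f.Close()` inside the loop in NewDB keeps every known_hosts file open until NewDB returns and silently drops each Close error, so a long file list holds a descriptor per file for the whole call; moving the open/read/close of one file into a helper bounds the lifetime to one iteration. The exported `DB` type also has no doc comment; a line such as `// DB is a known_hosts database that can report the key types recorded for a host and act as an ssh.HostKeyCallback.` would satisfy the package's existing doc style. HostKeyAlgorithms appends `l.knownKey.Key.Type()` for every line that matches the address without visibly distinguishing marked lines; if `line` carries a marker for `@cert-authority` entries (as the rest of the package appears to), a CA key type may be reported as a host key type — worth confirming against the `line` definition, which is outside this file.
```go
func NewDB(files ...string) (DB, error) {
	logp := `NewDB`
	db := newHostKeyDB()
	for _, fn := range files {
		if err := readKnownHostsFile(db, fn); err != nil {
			return nil, fmt.Errorf(`%s: %w`, logp, err)
		}
	}
	return db, nil
}

// readKnownHostsFile parses one known_hosts file into db and closes it
// before returning, so descriptors are not held for the whole NewDB call.
func readKnownHostsFile(db *hostKeyDB, fn string) error {
	f, err := os.Open(fn)
	if err != nil {
		return err
	}
	defer f.Close()
	return db.Read(f, fn)
}
```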