diff --git a/docs/configuration/outbound/ssh.md b/docs/configuration/outbound/ssh.md
index 290cea28..1384f8dd 100644
--- a/docs/configuration/outbound/ssh.md
+++ b/docs/configuration/outbound/ssh.md
@@ -12,9 +12,11 @@
   "private_key": "",
   "private_key_path": "$HOME/.ssh/id_rsa",
   "private_key_passphrase": "",
+  "host_key": [
+    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH..."
+  ],
   "host_key_algorithms": [],
   "client_version": "SSH-2.0-OpenSSH_7.4p1",
-  "host_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH...",
 
   ... // Dial Fields
 }
@@ -52,6 +54,10 @@ Private key path.
 
 Private key passphrase.
 
+#### host_key
+
+Host key. Accept any if empty.
+
 #### host_key_algorithms
 
 Host key algorithms.
@@ -60,10 +66,6 @@ Host key algorithms.
 
 Client version. Random version will be used if empty.
 
-#### host_key
-
-Remote SSH host key. Accept any host key if empty.
-
 ### Dial Fields
 
 See [Dial Fields](/configuration/shared/dial) for details.
diff --git a/docs/configuration/outbound/ssh.zh.md b/docs/configuration/outbound/ssh.zh.md
index ca272002..e538e64a 100644
--- a/docs/configuration/outbound/ssh.zh.md
+++ b/docs/configuration/outbound/ssh.zh.md
@@ -12,9 +12,11 @@
   "private_key": "",
   "private_key_path": "$HOME/.ssh/id_rsa",
   "private_key_passphrase": "",
+  "host_key": [
+    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH..."
+  ],
   "host_key_algorithms": [],
   "client_version": "SSH-2.0-OpenSSH_7.4p1",
-  "host_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH...",
 
   ... // 拨号字段
 }
@@ -52,6 +54,10 @@ SSH 用户, 默认使用 root。
 
 密钥密码。
 
+#### host_key
+
+主机密钥，留空接受所有。
+
 #### host_key_algorithms
 
 主机密钥算法。
@@ -60,10 +66,6 @@ SSH 用户, 默认使用 root。
 
 客户端版本，默认使用随机值。
 
-#### host_key
-
-指定主机密钥，留空接受所有主机密钥.
-
 ### 拨号字段
 
 参阅 [拨号字段](/zh/configuration/shared/dial/)。
diff --git a/option/ssh.go b/option/ssh.go
index c4b0fd7c..1f25caf8 100644
--- a/option/ssh.go
+++ b/option/ssh.go
@@ -8,7 +8,7 @@ type SSHOutboundOptions struct {
 	PrivateKey           string           `json:"private_key,omitempty"`
 	PrivateKeyPath       string           `json:"private_key_path,omitempty"`
 	PrivateKeyPassphrase string           `json:"private_key_passphrase,omitempty"`
+	HostKey              Listable[string] `json:"host_key,omitempty"`
 	HostKeyAlgorithms    Listable[string] `json:"host_key_algorithms,omitempty"`
 	ClientVersion        string           `json:"client_version,omitempty"`
-	HostKey              string           `json:"host_key,omitempty"` 
 }
diff --git a/outbound/ssh.go b/outbound/ssh.go
index 401f3a59..ad1ca2e3 100644
--- a/outbound/ssh.go
+++ b/outbound/ssh.go
@@ -1,10 +1,10 @@
 package outbound
 
 import (
+	"bytes"
 	"context"
 	"encoding/base64"
 	"math/rand"
-	"errors"
 	"net"
 	"os"
 	"strconv"
@@ -34,13 +34,13 @@ type SSH struct {
 	dialer            N.Dialer
 	serverAddr        M.Socksaddr
 	user              string
+	hostKey           []ssh.PublicKey
 	hostKeyAlgorithms []string
 	clientVersion     string
 	authMethod        []ssh.AuthMethod
 	clientAccess      sync.Mutex
 	clientConn        net.Conn
 	client            *ssh.Client
-	hostKey           string
 }
 
 func NewSSH(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.SSHOutboundOptions) (*SSH, error) {
@@ -58,7 +58,6 @@ func NewSSH(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		user:              options.User,
 		hostKeyAlgorithms: options.HostKeyAlgorithms,
 		clientVersion:     options.ClientVersion,
-		hostKey:           options.HostKey,
 	}
 	if outbound.serverAddr.Port == 0 {
 		outbound.serverAddr.Port = 22
@@ -95,6 +94,15 @@ func NewSSH(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		}
 		outbound.authMethod = append(outbound.authMethod, ssh.PublicKeys(signer))
 	}
+	if len(options.HostKey) > 0 {
+		for _, hostKey := range options.HostKey {
+			key, _, _, _, err := ssh.ParseAuthorizedKey([]byte(hostKey))
+			if err != nil {
+				return nil, E.New("parse host key ", key)
+			}
+			outbound.hostKey = append(outbound.hostKey, key)
+		}
+	}
 	return outbound, nil
 }
 
@@ -108,11 +116,6 @@ func randomVersion() string {
 	return version
 }
 
-func keyString(k ssh.PublicKey) string {
-	// e.g. "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY...."
-    return k.Type() + " " + base64.StdEncoding.EncodeToString(k.Marshal())
-}
-
 func (s *SSH) connect() (*ssh.Client, error) {
 	if s.client != nil {
 		return s.client, nil
@@ -135,10 +138,16 @@ func (s *SSH) connect() (*ssh.Client, error) {
 		ClientVersion:     s.clientVersion,
 		HostKeyAlgorithms: s.hostKeyAlgorithms,
 		HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
-			if s.hostKey != "" && s.hostKey != keyString(key) {
-				return errors.New("SSH Host key mismatch, expected: " + keyString(key) + " got: " + s.hostKey)
+			if len(s.hostKey) == 0 {
+				return nil
 			}
-			return nil
+			serverKey := key.Marshal()
+			for _, hostKey := range s.hostKey {
+				if bytes.Equal(serverKey, hostKey.Marshal()) {
+					return nil
+				}
+			}
+			return E.New("host key mismatch, server send ", key.Type(), " ", base64.StdEncoding.EncodeToString(serverKey))
 		},
 	}
 	clientConn, chans, reqs, err := ssh.NewClientConn(conn, s.serverAddr.Addr.String(), config)