Check the fingerprint for the ECDSA key sent by the remote host

Solution 1:

A public key fingerprint isn't the simple hash of an IP address string.

To retrieve a remote host public key you can use ssh-keyscan <IP address>, and then you can use the usual tools to extract its fingerprint (ssh-keygen -lf <public_key_file>).

Finally you can compare the current fingerprint in your known_hosts file with ssh-keygen -l -F <domain_or_IP_address>.

Solution 2:

A bit more in detail: Because the warning message refers to the fingerprint for the ECDSA key sent by the remote host, we gather the info about the public (ECDSA) key of the host:

ssh-keyscan -t ecdsa <IP_address_or_hostname> ECDSA_file_to_compare

Then we can find out where in our known_hosts file that the public (ECDSA) key is:

ssh-keygen -l -F ipofhost

If we want to compare the fingerprints we have to put in the contents of our known_hosts file (just the entry related to this host). We can call it ecdsa_file_from_known_hosts and then compare them as follows:

ssh-keygen -lf ecdsa_file_to_compare
ssh-keygen -lf ecdsa_file_from_known_hosts

And check if they show the same hash.

Of course they don't match, and that is why I got the warning message (ssh checks this matching internally). If we are sure about the IP address change (so we are not suffering a man-in-the-middle attack) we can just delete the entry of that host in our known_hosts file and the next time we ssh into it, a new fresh entry for it will be added to such a file.