"Remote host identification has changed" warning when connecting over SSH
Did you recently reinstall the OS on your server or anything like that? That would cause this.
To fix this: http://www.cyberciti.biz/faq/warning-remote-host-identification-has-changed-error-and-solution/
Solution #1: Remove keys using ssh-keygen
Use the -R option to remove all keys belonging to hostname from a known_hosts file. This option is useful to delete hashed hosts. If your remote hostname is server.example.com, enter:
$ ssh-keygen -R {server.name.com}
$ ssh-keygen -R {ssh.server.ip.address}
$ ssh-keygen -R {ssh.server.ip.address} -f {/path/to/known_hosts}
$ ssh-keygen -R server.example.com
Now, you can connect to the host without a problem.
Solution #2: Add correct host key in /home/user/.ssh/known_hosts
It is not necessary to delete the entire known_hosts file, just the offending line in that file. For example, if you have 3 servers as follows:
myserver1.com,64.2.5.111 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEA11FV0EnGahT2EK8qElocjuHTsu1jaCfxkyIgBTlxlrOIRchb2pw8IzJLOs2bcuYYfa8nSXGEcWyaFD1ifUjfHelj94AAAAB3NzaC1yc2EAAAABIwAAAIEA11FV0E
nGahT2EK8qElocjuHTsu1jaCfxkyIgBTlxlrOIRchb2pw8IzJLOs2bcuYYfa8nSXGEcWyaFD1ifUjfHelj94H+uv304/ZDz6xZb9ZWsdm+264qReImZzruAKxnwTo4dcHkgKXKHeefnBKyEvvp/2ExMV9WT5DVe1viVw
k=
myserver2.com,125.1.12.5 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAtDiERucsZzJGx/1kUNIOYhJbczbZHN2Z1gCnTjvO/0mO2R6KiQUP4hOdLppIUc9GNvlp1kGc3w7B9tREH6kghXFiBjrIn6VzUO4uwrnsMbnAnscD5EktgI7fG4ZcNUP 5+J7sa3o+rtmOuiFxCA690DXUJ8nX8yDHaJfzMUTKTGxQz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/IyI4NxHhhpltYZKW/Qz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/M7L0vKeTObue1SgAsXADtK3162a/Z6MGnAazIviHBldxtGrFwvEnk82+GznkO3IBZt5vOK2heBnqQBf
w=
myserver3.com,125.2.1.15 ssh-rsa
5+J7sa3o+rtmOuiFxCA690DXUJ8nX8yDHaJfzMUTKTGx0lVkphVsvYD5hJzm0eKHv+oUXRT9v+QMIL+um/IyI4NxHhhpltYZKW
as3533dka//sd33433////44632Z6MGnAazIviHBldxtGrFwvEnk82/Qz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/M7L0vKeTObue1SgAsXADtK3162a/Z6MGnAazIviHBldxtGrFwvEnk82+GznkO3IBZt5vOK2heBnqQBfw==
To delete the 2nd server (myserver.com), open the file:
# vi +2 .ssh/known_hosts
And hit the dd command to delete the line. Save and close the file. Or use the following:
$ vi ~/.ssh/known_hosts
Now go to line # 2, type the following command
:2
Now delete line with dd and exit:
dd
:wq
Or you can use the sed command as follows to delete offending key at line # 44:
$ sed -i 44d ~/.ssh/known_hosts
Solution 3: Just delete the known_hosts file if you have only one ssh server
$ cd
$ rm .ssh/known_hosts
$ ssh ras.mydomain.com
Try connecting with ssh again
Now you should be able to connect your server via ssh:
ssh username@server-ip-here
ssh [email protected]
Next, you will get a fresh prompt to add the key to ~/.ssh/known_hosts as follows:
The authenticity of host '10.86.115.66 ()' can't be established.
ECDSA key fingerprint is 4e:10:42:39:53:85:7f:89:89:dc:89:84:8d:79:e7:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.86.115.66' (ECDSA) to the list of known hosts.
From what I can tell, all these answers are about suppressing the warning, instead of dealing with it. In short, the warning is telling you that the server doesn't look like it used to look; see https://en.wikipedia.org/wiki/Man_in_the_middle_attack for why this may be a danger.
Read man ssh, especially this section:
VERIFYING HOST KEYS
When connecting to a server for the first time, a fingerprint of the server's public key is presented to the user (unless the option StrictHostKeyChecking has been disabled). Fingerprints can be determined using ssh-keygen(1):
$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
To be on the safe side, you (or someone you trust) should have run this command first on the server you are connecting to. It will give you a fingerprint looking sort of like the one given in the warning in the question. Of course, often you don't have this info, but if you have reason to suspect something is up, running that command is the way to check if the server signature has really changed, or if there may be something suspicious going on.
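The comparison described in the answer above, as an added example (not code from any answer in this thread): it derives the fingerprint from the key a server presents, in both the SHA256 form and the older colon-separated MD5 form shown in the prompt earlier on this page, and only treats a changed key as a legitimate rotation when it matches a fingerprint obtained out of band. The function names and the sample key lines are constructed for illustration.

```python
import base64
import hashlib
import struct


def parse_key_line(line):
    """Return (key_type, key_blob) from a known_hosts or ssh-keyscan line."""
    fields = line.split()
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        prefix = struct.pack(">I", len(key_type)) + key_type.encode()
        if blob.startswith(prefix):  # blob opens with its length-prefixed key type
            return key_type, blob
    raise ValueError("no public key found in line")


def fingerprints(blob):
    """Return (SHA256, MD5) fingerprints in the formats OpenSSH displays."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def check_host_key(presented_line, trusted_fp, known_line=None):
    """Classify a presented host key against a fingerprint obtained out of band."""
    _, blob = parse_key_line(presented_line)
    fp = trusted_fp.strip()
    if not fp.startswith(("SHA256:", "MD5:")):
        fp = "MD5:" + fp.lower()  # bare colon-hex is the older MD5 display form
    if fp not in fingerprints(blob):
        return "mismatch"  # keep the old known_hosts entry and investigate
    changed = known_line is not None and parse_key_line(known_line)[1] != blob
    return "rotated-verified" if changed else "verified"


def constructed_line(host, seed):
    """Build a sample ssh-ed25519 known_hosts line from constructed key bytes."""
    key = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    old, new = (constructed_line("server.example.com", s) for s in (1, 2))
    trusted = fingerprints(parse_key_line(new)[1])[0]  # stands in for console output
    print(check_host_key(new, trusted, old))  # rotated-verified
    print(check_host_key(old, trusted, old))  # mismatch
```

Only a "rotated-verified" result justifies removing the old entry with ssh-keygen -R; on "mismatch" the existing known_hosts line should stay in place.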
I faced the same problem, and if you do not wish to delete the entire known_hosts file, you can execute the following command:
ssh-keygen -R 10.10.10.69
There is no problem with deleting the known_hosts. You will only have to add each server you connect to, to the list each time you connect to them. Might screw up your scripts too, because the hosts are not yet trusted. The alert occurs when the signature of the host changes (the computer you are trying to connect to generated new keys, usually because of a re-install or key rotation).