Remote Host Identification Has Changed warning in SSH

Linode Staff

I can't SSH into my Linode and I keep getting this message. How do I fix this?

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:g38Q4Xc1UI4WcClY+GaohmhZSOHbgLo6+eYBFr0Iu6U.
Please contact your system administrator.
Add correct host key in /Users/me/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/me/.ssh/known_hosts:10
RSA host key for rita.cecs.pdx.edu has changed and you have requested strict checking.
Host key verification failed.

1 Reply

When you connect to a server via SSH, it gets a fingerprint for the ECDSA key, which it then saves to your home directory under ~/.ssh/known_hosts. This is done after first connecting to the server, and will prompt you with a message like this:

$ ssh root@10.10.10.10
The authenticity of host ' (10.10.10.10)' can't be established.
ECDSA key fingerprint is SHA256:hotsxb/qVi1/ycUU2wXF6mfGH++Yk7WYZv0r+tIhg4I.
Are you sure you want to continue connecting (yes/no)? 

If you enter 'yes', then the fingerprint is saved to the known_hosts file, which SSH then consults every time you connect to that server.

The error message is an indication that your SSH key has changed since you last connected to the server. This can happen when you rebuild your Linode or reinstall the OS. You're using the same remote computer address as before but the remote computer is responding with a different fingerprint. Therefore, it's possible that someone is spoofing the computer you previously connected to.

If you're 100% sure that the remote computer isn't compromised, hacked or being spoofed, then there are two ways to resolve this.

Manually Resolve via known_hosts

All you need to do is delete the entry in your known_hosts file for the remote computer. That will solve the issue as there will no longer be a mismatch with SHA256 fingerprint IDs when connecting.

Just edit ~/.ssh/known_hosts and delete line 15, as the message points out:

Offending ECDSA key in /Users/fintan/.ssh/known_hosts:15

Resolve Using ssh-keygen

Or use ssh-keygen to delete the invalid key:

ssh-keygen -R "your server hostname or IP"

For example:

ssh-keygen -R 10.10.10.10

This is done on your local machine if you have a Mac or Linux. If you have Windows, follow this guide here.
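
Added example (not part of the original reply): before deleting the old entry, you can confirm that the key the server now offers matches a fingerprint read from the server itself over a channel you trust. This Python code computes the SHA256 fingerprint the way OpenSSH displays it from a line in known_hosts / ssh-keyscan format; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data

# Constructed sample: an ed25519-shaped key blob with dummy key bytes, laid out
# the way ssh-keyscan prints a host key ("host keytype base64-blob").
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "10.10.10.10 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()

def parse_host_key_line(line: str):
    """Return (hosts, keytype, blob) from one known_hosts / ssh-keyscan line."""
    fields = line.split()
    if fields and fields[0].startswith("@"):   # skip @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("expected: hosts keytype base64-key")
    hosts, keytype, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with its own length-prefixed key type; it must agree
    # with the text field, otherwise the line is corrupt or mislabeled.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match key blob")
    return hosts, keytype, blob

def sha256_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_matches(line: str, trusted_fingerprint: str) -> bool:
    """True only if the offered key hashes to the fingerprint you trust."""
    _, _, blob = parse_host_key_line(line)
    # The SSH warning prints the fingerprint with a trailing period; drop it.
    return sha256_fingerprint(blob) == trusted_fingerprint.strip().rstrip(".")

if __name__ == "__main__":
    trusted = sha256_fingerprint(SAMPLE_BLOB)   # stands in for the trusted reading
    print(key_matches(SAMPLE_LINE, trusted))
    print(key_matches(SAMPLE_LINE, "SHA256:g38Q4Xc1UI4WcClY+GaohmhZSOHbgLo6+eYBFr0Iu6U."))
```

On the server, `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` (the usual OpenSSH location, assumed here) prints the fingerprint to compare against. Remove the old known_hosts entry only when the two values agree.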
