Updating SSH known hosts fingerprints (WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!)

If you’ve previously connected to an SSH server and the machine has since been reformatted or had its OS fundamentally changed in some way, the RSA host key will have changed, causing ssh to throw up an ugly error like this one:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
8b:ff:a1:b5:32:06:4d:fd:2e:2f:67:80:9e:ba:8d:ff.
Please contact your system administrator.
Add correct host key in /home/taylorg/.ssh/known_hosts to get rid of this message.
Offending key in /home/taylorg/.ssh/known_hosts:2
RSA host key for 192.168.1.100 has changed and you have requested strict checking.
Host key verification failed.

All the message says is that the host key fingerprint previously stored for this host no longer matches the one the server now presents. If you know this is okay (for example, because you reinstalled the machine yourself) and want to clear the error, the process is very simple: just remove the stored fingerprint.

You have a couple of options for doing this, depending on your situation.
The first, preferable method is to use ssh-keygen with the following syntax:

ssh-keygen -R hostname

Assuming all goes well, you should receive a message similar to this:

/home/taylorg/.ssh/known_hosts updated.

Alternatively, if ssh-keygen is not available for some reason, you can manually update the known_hosts file:

  1. Open up the known hosts file:
    nano ~/.ssh/known_hosts
  2. Delete the line containing the hostname of the server you’re trying to connect to (Ctrl+K). The name should be the left-most item on each line, or use Ctrl+W to search.
  3. Ctrl+O to save the file, then Ctrl+X to exit nano.

Try to ssh again (ssh username@hostname) and you should receive a message akin to the following:

The authenticity of host '192.168.1.100 (192.168.1.100)' can't be established.
RSA key fingerprint is 8b:ff:a1:b5:32:06:4d:fd:2e:2f:67:80:9e:ba:8d:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.100' (RSA) to the list of known hosts.

As the last message indicates, once you answer yes the ssh client stores the current fingerprint back into known_hosts, so the warning no longer appears on future connections to this host.
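
The manual known_hosts edit described above, scripted as an added example (not part of the original post). The function names, the sample entries and the placeholder key blobs are constructed for illustration; the script shows which lines an exact host match removes and which it leaves alone.

```shell
#!/bin/sh
# Added example. remove_known_host FILE HOST
# Deletes every plain-text entry for HOST from FILE, saving the original as
# FILE.old (ssh-keygen -R does the same). Prints the number of lines removed
# and returns 1 if none matched. Hashed entries ("|1|...", written when
# HashKnownHosts is on) cannot be matched as text; use ssh-keygen -R for those.
remove_known_host() {
    file=$1 host=$2
    tmp=$(mktemp) || return 2
    removed=$(awk -v host="$host" -v out="$tmp" '
        /^[ \t]*(#|$)/ { print > out; next }   # keep comments and blank lines
        {
            # Host list is field 1, or field 2 after a marker such as @revoked.
            names = ($1 ~ /^@/) ? $2 : $1
            n = split(names, list, ",")
            hit = 0
            for (i = 1; i <= n; i++)
                if (list[i] == host) hit = 1   # exact match only, no substrings
            if (hit) count++; else print > out
        }
        END { print count + 0 }
    ' "$file") || { rm -f "$tmp"; return 2; }
    if [ "$removed" -eq 0 ]; then
        rm -f "$tmp"; echo 0; return 1
    fi
    cp -p "$file" "$file.old" && cat "$tmp" > "$file"
    rm -f "$tmp"
    echo "$removed"
}

# Constructed sample file; the key blobs are placeholders, not real keys.
make_sample() {
    cat > "$1" <<'EOF'
# constructed known_hosts sample
192.168.1.100 ssh-rsa AAAAB3-PLACEHOLDER-1
fileserver,192.168.1.100 ssh-rsa AAAAB3-PLACEHOLDER-1
192.168.1.1000 ssh-rsa AAAAB3-PLACEHOLDER-2
[192.168.1.100]:2222 ssh-rsa AAAAB3-PLACEHOLDER-3
|1|PLACEHOLDERSALT=|PLACEHOLDERHASH= ssh-rsa AAAAB3-PLACEHOLDER-4
EOF
}

# Demo: prints 2 (the two plain port-22 entries for the host are removed).
demo=$(mktemp) && make_sample "$demo" && remove_known_host "$demo" 192.168.1.100
rm -f "$demo" "$demo.old"
```

The entry stored as [192.168.1.100]:2222 belongs to a server on a non-default port and is kept; it has to be removed under that bracketed name.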


About zephyr9000

Happy sailer