Blog

SSH Warning: “Remote host identification has changed”

From geekride.com

This is one of the very common warning you will get while doing ssh to a system.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
a8:6a:60:5a:48:64:ac:90:33:b9:f2:7c:be:56:92:81.
Please contact your system administrator.
Add correct host key in /var/root/.ssh/known_hosts to get rid of this message.
Offending key in /var/root/.ssh/known_hosts:3
RSA host key for napster has changed and you have requested strict checking.
Host key verification failed.

Though this warning looks pretty much scary but the reason for this is very much simple and the solution as well.

Q. When did you get this error ?

A. The possible reasons for getting this error are:

* You have re-installed you system and trying to ssh to the newly installed system.
* You have assigned the IP address of one system to another system and trying to ssh.
* You system is dual boot with different ssh keys in both flavors of linux.
* You are using an IP for load balancing and trying to ssh to the same IP.
* You generated new ssh keys for your system. (Read this article for the re-generation of the host keys: Generate SSH host keys)
* Someone trying to do some nasty things, or you can say man-in-the-middle attack.

Q. What is the reason for the error ?

A. When you tries to login to a system through ssh, then the destination hosts provides it’s keys and asked whether these keys are trusted and then those keys are added to your trusted database(known_hosts file). Whenever you tries to login again to the same system, the received keys are checked against the keys available in your file and if both matches then the next step occurs, which is authentication. But if due to any of the above given reason, the keys doesn’t match, then you will get this error and won’t be able to login.

Solution:

There could be lots of solution for this problem, which are explained below:

Solution #1: Remove keys from known_hosts file

To remove the old keys from the known_hosts file, we can use -R option. This option will remove all the obsolete/old keys from your file. This can be used like this:

# ssh-keygen -R
# ssh-keygen -R

Output:

/home/napster/.ssh/known_hosts updated.
Original contents retained as /home/napster/.ssh/known_hosts.old

Now when you do ssh after this, it will simply add the new keys into your file.

If you want to do this manually then you can remove the hosts keys by your favorite editor (which in my case is vim)

Just get the line number from the error you are getting, which in my case is “3” which i could get from here:

Offending key in /var/root/.ssh/known_hosts:3

Now either you can open the known_hosts file in the vim editor and move to the 3rd line or either you can directly go to third line by using the command like this:

# vim +3 .ssh/known_hosts

And hit the “dd” command to delete the line. Save and close the file after that with “wq!“.

Solution #2: Delete the knows_hosts file:

If you are using your system to ssh to single machine then simply remove the known_hosts file.

# rm -f .ssh/known_hosts

After this ssh to the machine and that will create a new known_hosts file and an entry in that with the keys for the host.

Solution #3: If you are using a dual boot system with two installations of linux

If you are using a dual boot system with two installations of linux then neither of the above solutions is effective for you, because in above cases you have to change the known_hosts file every time you reboot your machine to the other flavor. To overcome this situation, you can simply copy the host keys from one of your installation into the other. This can be done with following steps:

1. Mount the file-system of other installation into the current system.
2. Copy the host keys from the /etc/ssh directory of the mounted system to the current running system.

cp {mount_location}/etc/ssh/ssh_host_* /etc/ssh/

By this method, the host keys in the both installation will get same. so, you won’t get the error when you switch from one installation to another.

If you are using an IP for load balancing then you can face the same error. To fix this error you need to copy the ssh_host_* files into all the other servers used in load balancing from one single machine.

Solution #4: Not concerned about security

If you are not at all concerned about security (like you are accessing two machine in your home lan), the you need to set the “StrictHostKeyChecking” option in the /etc/ssh/ssh_config file to “no“. This will not give you any warnings, neither it will ask you to add new keys to known_hosts file, and will do all that on it’s own.

Security Threat:

Till now we have taken fore-granted that no-one is doing some malicious activity and not trying to hack into your stuff but that could not be the case always. If someone is doing a man-in-the-middle attack then that could also be the reason for this error. So, if you are a paranoid and believe that there should be no reason for the change of the host keys for the destination host you are trying to ssh, then be careful before doing anything.

g33kadmin

I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.