Warning: Remote Host Identification Has Changed error and solution

by on September 28, 2006 · 56 comments· LAST UPDATED April 21, 2009

in , ,

When I run ssh command I get an error which read as follows:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
5c:9b:16:56:a6:cd:11:10:3a:cd:1b:a2:91:cd:e5:1c.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:1
RSA host key for ras.mydomain.com has changed and you have requested strict checking.
Host key verification failed.

How do I get rid of this message?

If you have reinstalled Linux or UNIX with OpenSSH, you will get the above error. To get rid of this problem:

Solution #1: Remove keys

Use the -R option to removes all keys belonging to hostname from a known_hosts file. This option is useful to delete hashed hosts. If your remote hostname is server.example.com, enter:
$ ssh-keygen -R {server.name.com}
$ ssh-keygen -R {ssh.server.ip.address}
$ ssh-keygen -R server.example.com

Sample output:

/home/vivek/.ssh/known_hosts updated.
Original contents retained as /home/vivek/.ssh/known_hosts.old

Now, you can connect to the host without a problem.

Solution #2: Add correct host key in /home/user/.ssh/known_hosts

It is not necessary to delete the entire known_hosts file, just the offending line in that file. For example if you have 3 server as follows.
myserver1.com,64.2.5.111 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA11FV0EnGahT2EK8qElocjuHTsu1jaCfxkyIgBTlxlrOIRchb2pw8IzJLOs2bcuYYfa8nSXGEcWyaFD1ifUjfHelj94AAAAB3NzaC1yc2EAAAABIwAAAIEA11FV0E
nGahT2EK8qElocjuHTsu1jaCfxkyIgBTlxlrOIRchb2pw8IzJLOs2bcuYYfa8nSXGEcWyaFD1ifUjfHelj94H+uv304/ZDz6xZb9ZWsdm+264qReImZzruAKxnwTo4dcHkgKXKHeefnBKyEvvp/2ExMV9WT5DVe1viVwk=
myserver2.com,125.1.12.5 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAtDiERucsZzJGx/1kUNIOYhJbczbZHN2Z1gCnTjvO/0mO2R6KiQUP4hOdLppIUc9GNvlp1kGc3w7B9tREH6kghXFiBjrIn6VzUO4uwrnsMbnAnscD5EktgI7fG4ZcNUP 5+J7sa3o+rtmOuiFxCA690DXUJ8nX8yDHaJfzMUTKTGxQz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/IyI4NxHhhpltYZKW/Qz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/M7L0vKeTObue1SgAsXADtK3162a/Z6MGnAazIviHBldxtGrFwvEnk82+GznkO3IBZt5vOK2heBnqQBfw=
myserver3.com,125.2.1.15 ssh-rsa
5+J7sa3o+rtmOuiFxCA690DXUJ8nX8yDHaJfzMUTKTGx0lVkphVsvYD5hJzm0eKHv+oUXRT9v+QMIL+um/IyI4NxHhhpltYZKW
as3533dka//sd33433////44632Z6MGnAazIviHBldxtGrFwvEnk82/Qz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/M7L0vKeTObue1SgAsXADtK3162a/Z6MGnAazIviHBldxtGrFwvEnk82+GznkO3IBZt5vOK2heBnqQBfw==

To delete 2nd server (myserver.com), open file:
# vi +2 .ssh/known_hosts
And hit dd command to delete line. Save and close the file. Or use following
$ vi ~/.ssh/known_hosts
Now go to line # 2, type the following command
:2
Now delete line with dd and exit:
dd
:wq

Solution 3: Just delete the known_hosts file If you have only used one ssh server

$ cd
$ rm .ssh/known_hosts
$ ssh ras.mydomain.com

Now you should be able to connect your server via ssh.

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 56 comments… read them below or add one }

1 Chris Kolosiwsky October 5, 2006 at 4:07 pm

It’s not necessary to delete the entire known_hosts file, just the offending line in that file.

Using your example, all you need to do is:

vi ~/.ssh/known_hosts
1G
dd
:wq

And done. This is helpful if you manage a large group of servers and have *many* keys cached. If you delete the entire file, you will br prompted to add the server’s key on each connection attempt.

Reply

2 Paul March 9, 2011 at 4:08 pm

I have an easier way to just delete the one offending key:

EXAMPLE: sed -i ‘2d’ .ssh/known_hosts

Just replace the 2 in the example above with whatever line it says contains the offending key.

Reply

3 don April 4, 2011 at 7:15 pm

Yes this was the best and easiest solution out of all.

thanks

Reply

4 nixCraft October 5, 2006 at 9:37 pm

Chris,

Good point / tip, if I have 100’s of ssh server; it will be a problem for me.

Appreciate your post.

Reply

5 Amos Shapira November 26, 2007 at 2:24 am

The right way to do this is with “ssh-keygen -R ip-address”.

–Amos

Reply

6 Paul March 11, 2011 at 4:55 pm

Cool, I’ll try that next time….Thanks Amos!

Reply

7 Ansudeen January 29, 2014 at 6:07 am

Thanks Amos its working fine:)

Reply

8 Patrick June 3, 2014 at 5:44 pm

Thank you! It worked :)

– Patrick

Reply

9 Log January 23, 2008 at 1:06 pm

Theres actually a script that does this at
http://blog.hacker.dk/2008/01/script-to-fix-ssh-host-identification-changed/

Aparently it doesnt use the sshkeygen, but it does the work nicely and easy:
script

Reply

10 andy February 17, 2008 at 10:44 pm

thanks Amos for the correct way to update rsa host keys.

Reply

11 deepen March 3, 2008 at 5:38 am

Thanks for nice solution.

The above mentioned problem I face when remote computer completely formated and they give us again ssh connection. And because of RSA digital signature of computer identification the local computer does not accept the remote computer (as I think).

Once again thanks for solution.

Regards,
Deepen

Reply

12 S. Cornall June 20, 2008 at 3:14 pm

Thanks, your solution worked for my SSH login. Currently still can’t log in properly through my ltsp server. It says it is checking the password and then ends the session. I definitely have a link to the server (i.e. and address) Any ideas about this? Thank-you in advance.

Reply

13 eri winandar December 28, 2008 at 3:18 pm

It works fo me :)
vi ~/.ssh/known_hosts
dd
:wq

Reply

14 Soundar March 22, 2011 at 6:04 am

dd worked for me too, tks.

Reply

15 uttam January 15, 2009 at 2:29 pm

Thanks for the solution

Reply

16 anonymous February 8, 2009 at 12:47 pm

Hi,
I’m getting the same error. I compared the RSA keys in my known_hosts file with the host key of the remote computer….they are the same. I thought I’d find out if it is a genuine MITM attack or not, so I shut down the SSH server on the remote machine and accepted the newly presented key. Connection to the remote machine now yields a “Permission denied” message, since I use public-private key authentication.

Does this mean that I am, in fact, being subjected to a MITM attack?

Thanks.

Reply

17 anonymous February 10, 2009 at 3:49 pm

Above mentioned problem was solved. I restarted the remote machine, and everything started working properly..

Weird….

Reply

18 chaiklang9 February 26, 2009 at 3:43 pm

Thanks. Good job.

Reply

19 carlos March 4, 2009 at 6:58 pm

Thanks….it’s works for my.greetings from argentine!!! bye

Reply

20 Tguntara March 31, 2009 at 11:37 am

I had same problem.,, i tried to used Amos Sapira suggest.
#ssh-keygen -R ip_that_have_problem

and.. IT WORKS..
thanx a lot guys…
Regard … TGUNTARA

Reply

21 error3 May 17, 2009 at 11:17 pm

just for help :
the port of a ssh wasn’t 22.
I need to ssh-keygen -R [ip]:port
(keep the ‘[‘)

Reply

22 niko June 15, 2009 at 10:21 am

in my case I had another problem:
I had set the options
UserKnownHostsFile=no
StrictHostKeyChecking=no
in my config and this prevented the new host to be added to known_hosts. I got the error every time I tried to contact the host and never got a prompt to add it to known hosts.

Reply

23 Andrew Abogado July 25, 2009 at 1:31 pm

Big help especially solution number 3. :)
Finally get rid of that error message. Made me really paranoid of the “eavesdropping” thing.

Thanks a lot for the tip.

Reply

24 lucky August 24, 2009 at 11:40 am

hi, thansk a lot.. solution 3 worked :)

Reply

25 wid get October 7, 2009 at 4:32 am

got one better for you.

ssh -1 host fails, asking for password, even though pub key is correct on remote host.
subsequent ssh -1 host fails with man-in-the-middle warning. this is an endless cycle.

ssh -2 host works fine from the command line. from the veritas netbackup NBU_include.pl script, that same command fails on auth error.

;-)

Reply

26 Gustavo Serrano February 19, 2010 at 12:10 am

Thanks, very helpful

Reply

27 Anonymous May 7, 2010 at 4:09 am

thanks

Reply

28 hoosfoos June 6, 2010 at 1:32 pm

thanks for the solution to this! I used:
vi ~/.ssh/known_hosts
dd
:wq

Reply

29 midou June 8, 2010 at 8:46 pm

thanks for solutions

Reply

30 Unknown November 13, 2010 at 9:06 am

Thank you for the post, this helped me get back into my ipod 2 gen after I messed up badly by accidentally removing the folder labeled System. You’re awesome!

Reply

31 fs November 21, 2010 at 5:58 am

Thanks. I never knew about ssh-keygen -r {IP-Address}

Reply

32 K-2 February 26, 2011 at 1:29 pm

Thanks for the solo, quick & painless! Appreciate it!

Reply

33 gameculb2002 March 11, 2011 at 3:15 am

it’s work for me, tks!

Reply

34 santosh lohar March 15, 2011 at 6:58 pm

Hi guys,

thanks fo rthe solution I have also one query when I am doing vncviewer 10.1.1.1:3 (example) then I am getting the message “vncviewer : unable to open dislpay ‘0.0’ “.
what may be the problem . I checked with echo $DISPLAY >>> it is 0.0.

Reply

35 Mohamed May 5, 2011 at 8:02 am

This article was helpful. Thanks

Reply

36 Samuel May 13, 2011 at 10:22 am

Thanks Men, this has worked for me

Reply

37 Roopesh June 9, 2011 at 10:44 am

Thanks a lot for the solution , It has worked for me .

Reply

38 Kurt November 2, 2011 at 3:29 pm

Thanks very much!! That fixed my ssh problem.

Reply

39 Scott November 9, 2011 at 4:11 am

Thanks for the solution. Option 1 worked like a charm.

Reply

40 Pratap Kumar December 3, 2011 at 11:28 am

Amazing, it resolved…

Used this method…
$ ssh-keygen -R server.example.com

Reply

41 mag April 24, 2012 at 10:25 pm

gracias

Reply

42 Pratik Khadloya April 25, 2012 at 7:37 pm

Hi Vivek, these articles have been very helpful to me. Thank you very much !
Your website rocks!

Reply

43 Jos August 17, 2012 at 7:50 pm

Thanks; solution 1 saved my day !

Reply

44 Jeev August 22, 2012 at 1:57 pm

thanks solution #1 saved me.

Reply

45 Jannis August 30, 2012 at 7:50 am

So – I can’t really tell you if any of these solutions work. There’s another Problem in my warning message:

It says:
“Add correct host key in /Users/jannis/.ssh/known_hosts to get rid of this message.”

Buuut – there is no directory called “/Users/jannis/….” – so I can’t really find this file.
By the way: the file isn’t in my home directory either.

Please tell me anybody has a solution for this D:

Reply

46 Sundaram September 30, 2012 at 12:17 am

Thanks for providing multiple solutions to the same problem :)

Reply

47 Abdul January 8, 2013 at 4:29 pm

Thanx very helpful info.It help me thanx again..:)

Reply

48 James Giroux January 11, 2013 at 4:04 am

Hey There.

I encountered this same issue with a reinstalled ubuntu server. None of the three solutions above worked for me but I found a solution that did. The problem was that there was no known_hosts file at all. So, using an ftp client I created the .ssh folder in my user director and then added a file called known_hosts. BEFORE editing the file I tried to ssh in to my server and presto, it worked. Hopefully this helps someone else out.

Reply

49 dr memails January 20, 2013 at 9:40 pm

I was booting the same hardware with different media, so completely different OSs and needed BOTH ssh keys to work. The solution
ssh-keyscan -t rsa ip_address >> ~/.ssh/known_hosts

Reply

50 Olly February 14, 2013 at 10:54 am

Thank you – I’m very new to networking at this level, this advice was priceless.

Page bookmarked.

O

Reply

51 Nunavailabul March 7, 2013 at 8:08 am

So I have been hunting for an answer to “how do you determine if the key has actually changed, or you are subject to MITM?”

I haven’t changed the remote server’s keys, and I have confirmed that the fingerprint matches, so I am now stuck – what should I do?

Reply

52 bixo April 7, 2013 at 11:37 pm

the 3° solution was correct for me ;)
thanks.

Reply

53 Mheshwar Naidu June 24, 2013 at 2:54 pm

Thank you friend for your support.

Reply

54 Afroj Ahmad August 17, 2013 at 5:06 am

Thanks …..nice solution…i would like to thanks nixCraft team ….. i m always found the correct explanations and solutions from here ………thanks a lot…..keep it up…

Reply

55 jaga April 24, 2014 at 12:11 pm

try this below command and its working for me.
ssh-keygen -R

Reply

56 Andy F. November 20, 2014 at 6:42 pm

Since I do a lot of internal testing and re-imaging of servers where I SSH to these servers quite a bit I’d rather not delete the offending key in known hosts, delete the all the files I run this:

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@

Reply

Leave a Comment

Tagged as: , , , , , , , , , , , ,

Previous Faq:

Next Faq: