Warning: Remote Host Identification Has Changed error and solution

by Vivek Gite · 19 comments

When I run the ssh command, I get an error that reads as follows:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
5c:9b:16:56:a6:cd:11:10:3a:cd:1b:a2:91:cd:e5:1c.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:1
RSA host key for ras.mydomain.com has changed and you have requested strict checking.
Host key verification failed.

How do I get rid of this message?

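If you have reinstalled Linux or UNIX with OpenSSH, you will get the above error, because the reinstall generates a new host key that no longer matches the one cached in your known_hosts file. If you did not expect the host key to change, follow the warning's advice and confirm the new fingerprint with the system administrator before removing the old key. To get rid of this problem: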

Solution #1: Remove keys

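Use the -R option to remove all keys belonging to a hostname from the known_hosts file. This option is also useful for deleting hashed hosts, which you cannot find by reading the file. The first two commands show the syntax for a hostname and for an IP address; if your remote hostname is server.example.com, enter the third: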
$ ssh-keygen -R {server.name.com}
$ ssh-keygen -R {ssh.server.ip.address}
$ ssh-keygen -R server.example.com

Sample output:

/home/vivek/.ssh/known_hosts updated.
Original contents retained as /home/vivek/.ssh/known_hosts.old

Now, you can connect to the host without a problem.

Solution #2: Add correct host key in /home/user/.ssh/known_hosts

It is not necessary to delete the entire known_hosts file, just the offending line in that file. For example, suppose you have 3 servers as follows:
myserver1.com,64.2.5.111 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA11FV0EnGahT2EK8qElocjuHTsu1jaCfxkyIgBTlxlrOIRchb2pw8IzJLOs2bcuYYfa8nSXGEcWyaFD1ifUjfHelj94AAAAB3NzaC1yc2EAAAABIwAAAIEA11FV0EnGahT2EK8qElocjuHTsu1jaCfxkyIgBTlxlrOIRchb2pw8IzJLOs2bcuYYfa8nSXGEcWyaFD1ifUjfHelj94H+uv304/ZDz6xZb9ZWsdm+264qReImZzruAKxnwTo4dcHkgKXKHeefnBKyEvvp/2ExMV9WT5DVe1viVwk=
myserver2.com,125.1.12.5 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtDiERucsZzJGx/1kUNIOYhJbczbZHN2Z1gCnTjvO/0mO2R6KiQUP4hOdLppIUc9GNvlp1kGc3w7B9tREH6kghXFiBjrIn6VzUO4uwrnsMbnAnscD5EktgI7fG4ZcNUP 5+J7sa3o+rtmOuiFxCA690DXUJ8nX8yDHaJfzMUTKTGxQz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/IyI4NxHhhpltYZKW/Qz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/M7L0vKeTObue1SgAsXADtK3162a/Z6MGnAazIviHBldxtGrFwvEnk82+GznkO3IBZt5vOK2heBnqQBfw=
myserver3.com,125.2.1.15 ssh-rsa 5+J7sa3o+rtmOuiFxCA690DXUJ8nX8yDHaJfzMUTKTGx0lVkphVsvYD5hJzm0eKHv+oUXRT9v+QMIL+um/IyI4NxHhhpltYZKWas3533dka//sd33433////44632Z6MGnAazIviHBldxtGrFwvEnk82/Qz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/M7L0vKeTObue1SgAsXADtK3162a/Z6MGnAazIviHBldxtGrFwvEnk82+GznkO3IBZt5vOK2heBnqQBfw==

To delete the 2nd server (myserver2.com), open the file at line 2:
$ vi +2 ~/.ssh/known_hosts
Press dd to delete the line, then save and close the file. Alternatively, open the file:
$ vi ~/.ssh/known_hosts
Now go to line 2 by typing the following command:
:2
Now delete the line with dd and exit:
dd
:wq
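
Added example, not part of the original article: the Python below finds the known_hosts lines that name a host (plain entries, hashed entries, and the [host]:port form used for non-default ports), reports each stored key's MD5 fingerprint in the colon format the warning prints, and drops only the entries that disagree with a fingerprint you have confirmed out of band. The function names, salt and key blobs are constructed for illustration; the blobs are placeholders, not real SSH host keys.

```python
import base64, hashlib, hmac

def md5_fingerprint(key_b64):
    """MD5 of the decoded key blob, colon-separated as in the ssh warning."""
    h = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def hash_host(token, salt):
    """HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def entry_matches(hosts_field, token):
    if hosts_field.startswith("|1|"):            # hashed entry: recompute with its salt
        salt = base64.b64decode(hosts_field.split("|")[2])
        return hmac.compare_digest(hosts_field, hash_host(token, salt))
    return token in hosts_field.split(",")       # plain entry: name,ip list

def find_entries(text, host, port=22):
    """Return [(line_no, key_type, md5_fingerprint)] for entries naming host."""
    token = host if port == 22 else "[%s]:%d" % (host, port)
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split()
        if len(f) >= 3 and not line.startswith(("#", "@")):
            if entry_matches(f[0], token):
                hits.append((n, f[1], md5_fingerprint(f[2])))
    return hits

def prune_stale(text, host, verified_fp, port=22):
    """Remove only entries for host whose key differs from verified_fp."""
    stale = [n for n, _, fp in find_entries(text, host, port) if fp != verified_fp]
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in stale]
    return "\n".join(kept) + "\n", stale

# Constructed sample: placeholder blobs, not real SSH host keys.
OLD, NEW, OTHER = (base64.b64encode(b).decode() for b in
                   (b"constructed-old-key", b"constructed-new-key", b"constructed-other"))
SAMPLE = "\n".join([
    "myserver1.com,64.2.5.111 ssh-rsa " + OTHER,
    hash_host("myserver2.com", b"constructed-salt") + " ssh-rsa " + OLD,
    "[myserver3.com]:2222 ssh-rsa " + OTHER,
]) + "\n"

if __name__ == "__main__":
    print(find_entries(SAMPLE, "myserver2.com"))
    # NEW's fingerprint stands in for one confirmed by the administrator.
    print(prune_stale(SAMPLE, "myserver2.com", md5_fingerprint(NEW))[1])
```

On a live system, `ssh-keygen -F hostname` performs the same lookup and `ssh-keygen -l -f file` prints fingerprints. Current OpenSSH releases print SHA256 fingerprints by default; `-E md5` selects the older format shown in the warning.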

Solution #3: Just delete the known_hosts file if you have only used one SSH server

$ cd
$ rm .ssh/known_hosts
$ ssh ras.mydomain.com

Now you should be able to connect to your server via ssh.


1 Chris Kolosiwsky 10.05.06 at 4:07 pm

It’s not necessary to delete the entire known_hosts file, just the offending line in that file.

Using your example, all you need to do is:

vi ~/.ssh/known_hosts
1G
dd
:wq

And done. This is helpful if you manage a large group of servers and have *many* keys cached. If you delete the entire file, you will be prompted to add the server’s key on each connection attempt.

2 nixcraft 10.05.06 at 9:37 pm

Chris,

Good point / tip, if I have 100’s of ssh servers; it will be a problem for me.

Appreciate your post.

3 Amos Shapira 11.26.07 at 2:24 am

The right way to do this is with “ssh-keygen -R ip-address”.

–Amos

4 Log 01.23.08 at 1:06 pm

There's actually a script that does this at
http://blog.hacker.dk/2008/01/script-to-fix-ssh-host-identification-changed/

Apparently it doesn't use the sshkeygen, but it does the work nicely and easy:
script

5 andy 02.17.08 at 10:44 pm

thanks Amos for the correct way to update rsa host keys.

6 deepen 03.03.08 at 5:38 am

Thanks for nice solution.

The above mentioned problem I face when remote computer completely formatted and they give us again ssh connection. And because of RSA digital signature of computer identification the local computer does not accept the remote computer (as I think).

Once again thanks for solution.

Regards,
Deepen

7 S. Cornall 06.20.08 at 3:14 pm

Thanks, your solution worked for my SSH login. Currently still can’t log in properly through my ltsp server. It says it is checking the password and then ends the session. I definitely have a link to the server (i.e. an address). Any ideas about this? Thank you in advance.

8 eri winandar 12.28.08 at 3:18 pm

It works for me :)
vi ~/.ssh/known_hosts
dd
:wq

9 uttam 01.15.09 at 2:29 pm

Thanks for the solution

10 anonymous 02.08.09 at 12:47 pm

Hi,
I’m getting the same error. I compared the RSA keys in my known_hosts file with the host key of the remote computer….they are the same. I thought I’d find out if it is a genuine MITM attack or not, so I shut down the SSH server on the remote machine and accepted the newly presented key. Connection to the remote machine now yields a “Permission denied” message, since I use public-private key authentication.

Does this mean that I am, in fact, being subjected to a MITM attack?

Thanks.

11 anonymous 02.10.09 at 3:49 pm

Above mentioned problem was solved. I restarted the remote machine, and everything started working properly..

Weird….

12 chaiklang9 02.26.09 at 3:43 pm

Thanks. Good job.

13 carlos 03.04.09 at 6:58 pm

Thanks… it works for me. Greetings from Argentina!!! Bye

14 Tguntara 03.31.09 at 11:37 am

I had the same problem. I tried to use Amos Shapira's suggestion.
#ssh-keygen -R ip_that_have_problem

and.. IT WORKS..
Thanks a lot, guys…
Regards … TGUNTARA

15 error3 05.17.09 at 11:17 pm

just for help :
the port of a ssh wasn’t 22.
I need to ssh-keygen -R [ip]:port
(keep the ‘[‘)

16 niko 06.15.09 at 10:21 am

in my case I had another problem:
I had set the options
UserKnownHostsFile=no
StrictHostKeyChecking=no
in my config and this prevented the new host from being added to known_hosts. I got the error every time I tried to contact the host and never got a prompt to add it to known hosts.

17 Andrew Abogado 07.25.09 at 1:31 pm

Big help especially solution number 3. :)
Finally get rid of that error message. Made me really paranoid of the “eavesdropping” thing.

Thanks a lot for the tip.

18 lucky 08.24.09 at 11:40 am

hi, thanks a lot.. solution 3 worked :)

19 wid get 10.07.09 at 4:32 am

got one better for you.

ssh -1 host fails, asking for password, even though pub key is correct on remote host.
subsequent ssh -1 host fails with man-in-the-middle warning. this is an endless cycle.

ssh -2 host works fine from the command line. from the veritas netbackup NBU_include.pl script, that same command fails on auth error.

;-)
