Warning: Remote Host Identification Has Changed error and solution

See all Troubleshooting related FAQ
When I run ssh command I get an error which read as follows:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
5c:9b:16:56:a6:cd:11:10:3a:cd:1b:a2:91:cd:e5:1c.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:1
RSA host key for ras.mydomain.com has changed and you have requested strict checking.
Host key verification failed.

How do I get rid of this message?

If you have reinstalled Linux or UNIX server with OpenSSH, you will get the above error from client computer as follows:

Fig.01: "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED" error

Fig.01: “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED” error

To get rid of this problem add correct host key in $HOME/.ssh/known_hosts. You can try the following command to get rid of offending key. Only use the following commands if you have changed the ssh key or modified by new operating system installation or the recent OpenSSH server installation.

Solution #1: Remove keys using ssh-keygen

Use the -R option to removes all keys belonging to hostname from a known_hosts file. This option is useful to delete hashed hosts. If your remote hostname is server.example.com, enter:
$ ssh-keygen -R {server.name.com}
$ ssh-keygen -R {ssh.server.ip.address}
ssh-keygen -R {ssh.server.ip.address} -f {/path/to/known_hosts}
$ ssh-keygen -R server.example.com

Sample output:

/home/vivek/.ssh/known_hosts updated.
Original contents retained as /home/vivek/.ssh/known_hosts.old

Now, you can connect to the host without a problem.

Solution #2: Add correct host key in /home/user/.ssh/known_hosts

It is not necessary to delete the entire known_hosts file, just the offending line in that file. For example if you have 3 server as follows.
myserver1.com,64.2.5.111 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA11FV0EnGahT2EK8qElocjuHTsu1jaCfxkyIgBTlxlrOIRchb2pw8IzJLOs2bcuYYfa8nSXGEcWyaFD1ifUjfHelj94AAAAB3NzaC1yc2EAAAABIwAAAIEA11FV0E
nGahT2EK8qElocjuHTsu1jaCfxkyIgBTlxlrOIRchb2pw8IzJLOs2bcuYYfa8nSXGEcWyaFD1ifUjfHelj94H+uv304/ZDz6xZb9ZWsdm+264qReImZzruAKxnwTo4dcHkgKXKHeefnBKyEvvp/2ExMV9WT5DVe1viVwk=
myserver2.com,125.1.12.5 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAtDiERucsZzJGx/1kUNIOYhJbczbZHN2Z1gCnTjvO/0mO2R6KiQUP4hOdLppIUc9GNvlp1kGc3w7B9tREH6kghXFiBjrIn6VzUO4uwrnsMbnAnscD5EktgI7fG4ZcNUP 5+J7sa3o+rtmOuiFxCA690DXUJ8nX8yDHaJfzMUTKTGxQz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/IyI4NxHhhpltYZKW/Qz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/M7L0vKeTObue1SgAsXADtK3162a/Z6MGnAazIviHBldxtGrFwvEnk82+GznkO3IBZt5vOK2heBnqQBfw=
myserver3.com,125.2.1.15 ssh-rsa
5+J7sa3o+rtmOuiFxCA690DXUJ8nX8yDHaJfzMUTKTGx0lVkphVsvYD5hJzm0eKHv+oUXRT9v+QMIL+um/IyI4NxHhhpltYZKW
as3533dka//sd33433////44632Z6MGnAazIviHBldxtGrFwvEnk82/Qz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/M7L0vKeTObue1SgAsXADtK3162a/Z6MGnAazIviHBldxtGrFwvEnk82+GznkO3IBZt5vOK2heBnqQBfw==

To delete 2nd server (myserver.com), open file:
# vi +2 .ssh/known_hosts
And hit dd command to delete line. Save and close the file. Or use following
$ vi ~/.ssh/known_hosts
Now go to line # 2, type the following command
:2
Now delete line with dd and exit:
dd
:wq

Or you can use the sed command as follows to delete offending key at line # 44:
$ sed -i 44d ~/.ssh/known_hosts

Solution 3: Just delete the known_hosts file If you have only one ssh server

$ cd
$ rm .ssh/known_hosts
$ ssh ras.mydomain.com

Try connecting with ssh again

Now you should be able to connect your server via ssh:
ssh username@server-ip-here
ssh nixcraft@server1.cyberciti.biz

Next, you will get a fresh prompt to add key to ~/.ssh/known_hosts as follows:

The authenticity of host '10.86.115.66 ()' can't be established.
ECDSA key fingerprint is 4e:10:42:39:53:85:7f:89:89:dc:89:84:8d:79:e7:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.86.115.66' (ECDSA) to the list of known hosts.

🥺 Was this helpful? Please add a comment to show your appreciation or feedback.

nixCrat Tux Pixel Penguin
Hi! 🤠
I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

63 comments… add one
  • Tenou Apr 29, 2015 @ 21:27

    Thanks! Worked for me while using mobaXTerm

  • ade Aug 22, 2015 @ 10:42

    Open File manager, enter to /home/user/ssh/ and open file known_host. edit file and remove content. finish: saving
    Olala… resolved.

  • Sonaina Feb 24, 2016 @ 17:09

    thanks , it was really helpful.

  • Tommy Nov 22, 2016 @ 4:27

    What to do when the “bad” key is not in the normal place $HOME/.ssh/known_hosts, but it’s located in /var/lib/sss/pubconf/known_hosts? No solution works.

    • 🛡️ Vivek Gite (Author and Admin) Vivek Gite Nov 22, 2016 @ 7:09

      The syntax is:
      ssh-keygen -f /var/lib/sss/pubconf/known_hosts -R ip_address_here
      ssh-keygen -f /var/lib/sss/pubconf/known_hosts -R host-example-com

      Or Edit file with a text editor such as vi:
      vi /var/lib/sss/pubconf/known_hosts
      And delete the line.

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Your comment will appear only after approval by the site admin.