Warning: Remote Host Identification Has Changed error and solution

When I run ssh command I get an error which read as follows:

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:1
RSA host key for ras.mydomain.com has changed and you have requested strict checking.
Host key verification failed.

How do I get rid of this message?

If you have reinstalled Linux or UNIX server with OpenSSH, you will get the above error from client computer as follows:



To get rid of this problem add correct host key in $HOME/.ssh/known_hosts. You can try the following command to get rid of offending key. Only use the following commands if you have changed the ssh key or modified by new operating system installation or the recent OpenSSH server installation.

Solution #1: Remove keys using ssh-keygen

Use the -R option to removes all keys belonging to hostname from a known_hosts file. This option is useful to delete hashed hosts. If your remote hostname is server.example.com, enter:
$ ssh-keygen -R {server.name.com}
$ ssh-keygen -R {ssh.server.ip.address}
ssh-keygen -R {ssh.server.ip.address} -f {/path/to/known_hosts}
$ ssh-keygen -R server.example.com

Sample output:

/home/vivek/.ssh/known_hosts updated.
Original contents retained as /home/vivek/.ssh/known_hosts.old

Now, you can connect to the host without a problem.

Solution #2: Add correct host key in /home/user/.ssh/known_hosts

It is not necessary to delete the entire known_hosts file, just the offending line in that file. For example if you have 3 server as follows.
myserver1.com, ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA11FV0EnGahT2EK8qElocjuHTsu1jaCfxkyIgBTlxlrOIRchb2pw8IzJLOs2bcuYYfa8nSXGEcWyaFD1ifUjfHelj94AAAAB3NzaC1yc2EAAAABIwAAAIEA11FV0E
myserver2.com, ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAtDiERucsZzJGx/1kUNIOYhJbczbZHN2Z1gCnTjvO/0mO2R6KiQUP4hOdLppIUc9GNvlp1kGc3w7B9tREH6kghXFiBjrIn6VzUO4uwrnsMbnAnscD5EktgI7fG4ZcNUP 5+J7sa3o+rtmOuiFxCA690DXUJ8nX8yDHaJfzMUTKTGxQz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/IyI4NxHhhpltYZKW/Qz4M/H2P8L2R//qLj5s3ofzNmgSM9lSEhZL/M7L0vKeTObue1SgAsXADtK3162a/Z6MGnAazIviHBldxtGrFwvEnk82+GznkO3IBZt5vOK2heBnqQBfw=
myserver3.com, ssh-rsa

To delete 2nd server (myserver.com), open file:
# vi +2 .ssh/known_hosts
And hit dd command to delete line. Save and close the file. Or use following
$ vi ~/.ssh/known_hosts
Now go to line # 2, type the following command
Now delete line with dd and exit:

Or you can use the sed command as follows to delete offending key at line # 44:
$ sed -i 44d ~/.ssh/known_hosts

Solution 3: Just delete the known_hosts file If you have only one ssh server

$ cd
$ rm .ssh/known_hosts
$ ssh ras.mydomain.com

Try connecting with ssh again

Now you should be able to connect your server via ssh:
ssh username@server-ip-here
ssh nixcraft@server1.cyberciti.biz

Next, you will get a fresh prompt to add key to ~/.ssh/known_hosts as follows:

The authenticity of host ' ()' can't be established.
ECDSA key fingerprint is 4e:10:42:39:53:85:7f:89:89:dc:89:84:8d:79:e7:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 63 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
63 comments… add one
  • Chris Kolosiwsky Oct 5, 2006 @ 16:07

    It’s not necessary to delete the entire known_hosts file, just the offending line in that file.

    Using your example, all you need to do is:

    vi ~/.ssh/known_hosts

    And done. This is helpful if you manage a large group of servers and have *many* keys cached. If you delete the entire file, you will br prompted to add the server’s key on each connection attempt.

    • Paul Mar 9, 2011 @ 16:08

      I have an easier way to just delete the one offending key:

      EXAMPLE: sed -i ‘2d’ .ssh/known_hosts

      Just replace the 2 in the example above with whatever line it says contains the offending key.

      • DrScriptt May 19, 2015 @ 1:01

        +1 to what Paul said, who beat me too it.

    • don Apr 4, 2011 @ 19:15

      Yes this was the best and easiest solution out of all.


  • 🐧 nixCraft Oct 5, 2006 @ 21:37


    Good point / tip, if I have 100’s of ssh server; it will be a problem for me.

    Appreciate your post.

  • Amos Shapira Nov 26, 2007 @ 2:24

    The right way to do this is with “ssh-keygen -R ip-address”.


    • Paul Mar 11, 2011 @ 16:55

      Cool, I’ll try that next time….Thanks Amos!

    • Ansudeen Jan 29, 2014 @ 6:07

      Thanks Amos its working fine:)

    • Patrick Jun 3, 2014 @ 17:44

      Thank you! It worked :)

      – Patrick

  • Log Jan 23, 2008 @ 13:06

    Theres actually a script that does this at

    Aparently it doesnt use the sshkeygen, but it does the work nicely and easy:

  • andy Feb 17, 2008 @ 22:44

    thanks Amos for the correct way to update rsa host keys.

  • deepen Mar 3, 2008 @ 5:38

    Thanks for nice solution.

    The above mentioned problem I face when remote computer completely formated and they give us again ssh connection. And because of RSA digital signature of computer identification the local computer does not accept the remote computer (as I think).

    Once again thanks for solution.


  • S. Cornall Jun 20, 2008 @ 15:14

    Thanks, your solution worked for my SSH login. Currently still can’t log in properly through my ltsp server. It says it is checking the password and then ends the session. I definitely have a link to the server (i.e. and address) Any ideas about this? Thank-you in advance.

  • eri winandar Dec 28, 2008 @ 15:18

    It works fo me :)
    vi ~/.ssh/known_hosts

    • Soundar Mar 22, 2011 @ 6:04

      dd worked for me too, tks.

  • uttam Jan 15, 2009 @ 14:29

    Thanks for the solution

  • anonymous Feb 8, 2009 @ 12:47

    I’m getting the same error. I compared the RSA keys in my known_hosts file with the host key of the remote computer….they are the same. I thought I’d find out if it is a genuine MITM attack or not, so I shut down the SSH server on the remote machine and accepted the newly presented key. Connection to the remote machine now yields a “Permission denied” message, since I use public-private key authentication.

    Does this mean that I am, in fact, being subjected to a MITM attack?


  • anonymous Feb 10, 2009 @ 15:49

    Above mentioned problem was solved. I restarted the remote machine, and everything started working properly..


  • chaiklang9 Feb 26, 2009 @ 15:43

    Thanks. Good job.

  • carlos Mar 4, 2009 @ 18:58

    Thanks….it’s works for my.greetings from argentine!!! bye

  • Tguntara Mar 31, 2009 @ 11:37

    I had same problem.,, i tried to used Amos Sapira suggest.
    #ssh-keygen -R ip_that_have_problem

    and.. IT WORKS..
    thanx a lot guys…
    Regard … TGUNTARA

  • error3 May 17, 2009 @ 23:17

    just for help :
    the port of a ssh wasn’t 22.
    I need to ssh-keygen -R [ip]:port
    (keep the ‘[‘)

  • niko Jun 15, 2009 @ 10:21

    in my case I had another problem:
    I had set the options
    in my config and this prevented the new host to be added to known_hosts. I got the error every time I tried to contact the host and never got a prompt to add it to known hosts.

  • Andrew Abogado Jul 25, 2009 @ 13:31

    Big help especially solution number 3. :)
    Finally get rid of that error message. Made me really paranoid of the “eavesdropping” thing.

    Thanks a lot for the tip.

  • lucky Aug 24, 2009 @ 11:40

    hi, thansk a lot.. solution 3 worked :)

  • wid get Oct 7, 2009 @ 4:32

    got one better for you.

    ssh -1 host fails, asking for password, even though pub key is correct on remote host.
    subsequent ssh -1 host fails with man-in-the-middle warning. this is an endless cycle.

    ssh -2 host works fine from the command line. from the veritas netbackup NBU_include.pl script, that same command fails on auth error.


  • Gustavo Serrano Feb 19, 2010 @ 0:10

    Thanks, very helpful

    • Anonymous May 7, 2010 @ 4:09


  • hoosfoos Jun 6, 2010 @ 13:32

    thanks for the solution to this! I used:
    vi ~/.ssh/known_hosts

  • midou Jun 8, 2010 @ 20:46

    thanks for solutions

  • Unknown Nov 13, 2010 @ 9:06

    Thank you for the post, this helped me get back into my ipod 2 gen after I messed up badly by accidentally removing the folder labeled System. You’re awesome!

  • fs Nov 21, 2010 @ 5:58

    Thanks. I never knew about ssh-keygen -r {IP-Address}

  • K-2 Feb 26, 2011 @ 13:29

    Thanks for the solo, quick & painless! Appreciate it!

  • gameculb2002 Mar 11, 2011 @ 3:15

    it’s work for me, tks!

  • santosh lohar Mar 15, 2011 @ 18:58

    Hi guys,

    thanks fo rthe solution I have also one query when I am doing vncviewer (example) then I am getting the message “vncviewer : unable to open dislpay ‘0.0’ “.
    what may be the problem . I checked with echo $DISPLAY >>> it is 0.0.

  • Mohamed May 5, 2011 @ 8:02

    This article was helpful. Thanks

  • Samuel May 13, 2011 @ 10:22

    Thanks Men, this has worked for me

  • Roopesh Jun 9, 2011 @ 10:44

    Thanks a lot for the solution , It has worked for me .

  • Kurt Nov 2, 2011 @ 15:29

    Thanks very much!! That fixed my ssh problem.

  • Scott Nov 9, 2011 @ 4:11

    Thanks for the solution. Option 1 worked like a charm.

  • Pratap Kumar Dec 3, 2011 @ 11:28

    Amazing, it resolved…

    Used this method…
    $ ssh-keygen -R server.example.com

  • mag Apr 24, 2012 @ 22:25


  • Pratik Khadloya Apr 25, 2012 @ 19:37

    Hi Vivek, these articles have been very helpful to me. Thank you very much !
    Your website rocks!

  • Jos Aug 17, 2012 @ 19:50

    Thanks; solution 1 saved my day !

  • Jeev Aug 22, 2012 @ 13:57

    thanks solution #1 saved me.

  • Jannis Aug 30, 2012 @ 7:50

    So – I can’t really tell you if any of these solutions work. There’s another Problem in my warning message:

    It says:
    “Add correct host key in /Users/jannis/.ssh/known_hosts to get rid of this message.”

    Buuut – there is no directory called “/Users/jannis/….” – so I can’t really find this file.
    By the way: the file isn’t in my home directory either.

    Please tell me anybody has a solution for this D:

  • Sundaram Sep 30, 2012 @ 0:17

    Thanks for providing multiple solutions to the same problem :)

  • Abdul Jan 8, 2013 @ 16:29

    Thanx very helpful info.It help me thanx again..:)

  • James Giroux Jan 11, 2013 @ 4:04

    Hey There.

    I encountered this same issue with a reinstalled ubuntu server. None of the three solutions above worked for me but I found a solution that did. The problem was that there was no known_hosts file at all. So, using an ftp client I created the .ssh folder in my user director and then added a file called known_hosts. BEFORE editing the file I tried to ssh in to my server and presto, it worked. Hopefully this helps someone else out.

  • dr memails Jan 20, 2013 @ 21:40

    I was booting the same hardware with different media, so completely different OSs and needed BOTH ssh keys to work. The solution
    ssh-keyscan -t rsa ip_address >> ~/.ssh/known_hosts

  • Olly Feb 14, 2013 @ 10:54

    Thank you – I’m very new to networking at this level, this advice was priceless.

    Page bookmarked.


  • Nunavailabul Mar 7, 2013 @ 8:08

    So I have been hunting for an answer to “how do you determine if the key has actually changed, or you are subject to MITM?”

    I haven’t changed the remote server’s keys, and I have confirmed that the fingerprint matches, so I am now stuck – what should I do?

  • bixo Apr 7, 2013 @ 23:37

    the 3° solution was correct for me ;)

  • Mheshwar Naidu Jun 24, 2013 @ 14:54

    Thank you friend for your support.

  • Afroj Ahmad Aug 17, 2013 @ 5:06

    Thanks …..nice solution…i would like to thanks nixCraft team ….. i m always found the correct explanations and solutions from here ………thanks a lot…..keep it up…

  • jaga Apr 24, 2014 @ 12:11

    try this below command and its working for me.
    ssh-keygen -R

  • Andy F. Nov 20, 2014 @ 18:42

    Since I do a lot of internal testing and re-imaging of servers where I SSH to these servers quite a bit I’d rather not delete the offending key in known hosts, delete the all the files I run this:

    ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@

  • Daron Wolff Jan 16, 2015 @ 16:30

    Many Thanks.
    Its Work

  • Tenou Apr 29, 2015 @ 21:27

    Thanks! Worked for me while using mobaXTerm

  • ade Aug 22, 2015 @ 10:42

    Open File manager, enter to /home/user/ssh/ and open file known_host. edit file and remove content. finish: saving
    Olala… resolved.

  • Sonaina Feb 24, 2016 @ 17:09

    thanks , it was really helpful.

  • Tommy Nov 22, 2016 @ 4:27

    What to do when the “bad” key is not in the normal place $HOME/.ssh/known_hosts, but it’s located in /var/lib/sss/pubconf/known_hosts? No solution works.

    • 🐧 Vivek Gite Nov 22, 2016 @ 7:09

      The syntax is:
      ssh-keygen -f /var/lib/sss/pubconf/known_hosts -R ip_address_here
      ssh-keygen -f /var/lib/sss/pubconf/known_hosts -R host-example-com

      Or Edit file with a text editor such as vi:
      vi /var/lib/sss/pubconf/known_hosts
      And delete the line.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum