Updating host keys

Overview

This guide explains how to remove the warning you see when connecting to your domain or web server via SSH after the server's host key has changed, the 'host keys not matching' warning:

If you remove known_hosts entries as recommended here without confirming the new fingerprint, you are vulnerable to a man-in-the-middle attack.

The error message

If you see the following warning when accessing your domain or web server via SSH, it generally means that the host key does not match the key in your known_hosts file.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
REMOVED FOR SECURITY REASONS
Please contact your system administrator.
Add correct host key in /home/username/.ssh/known_hosts to get rid of this message.
Offending key in /home/username/.ssh/known_hosts:10278
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.


This is not typically a cause for concern and can be remedied in a few different ways.

Resolving the warning message

There are three methods to remove this error. Keep in mind that the fix must be performed on the client side, so if you see this when connecting from home or work, you must update that specific computer.


Method One — Remove the old host key with ssh-keygen (Mac or Linux)

If you have connected to a host in the past, its host key is stored in your computer's ~/.ssh/known_hosts file. If the key has been changed on the server, you must delete the old key from that file before you can connect again.

Run the following command in your shell, replacing HOSTNAME with the host you're connecting to, such as example.com:

[local]$ ssh-keygen -R HOSTNAME

The -R option removes every known_hosts entry belonging to the given hostname.

You can now connect via SSH to store a new key.

When connecting this time, you'll see the warning "The server's host key is unknown". This just means the key is not in your known_hosts file yet. Before accepting it, confirm that the fingerprint shown matches the one displayed in the panel, using the instructions in the following article.

Once you have confirmed they match you can log in and the key is automatically updated in your computer's known_hosts file.


Method Two — Deleting your known_hosts file

Do not use this method if you log in to servers other than DreamHost. If you do, you'll have no way of knowing whether those servers' SSH host keys have changed, since the known_hosts file will have been deleted.

Delete your entire known_hosts file (on your local computer) if you have several hosts that need to be updated.

On a Mac or Linux machine

The known_hosts file is located in the .ssh directory inside your home directory (~/.ssh/known_hosts). You can simply run this command in a terminal to delete the known_hosts file:

[local]$ rm ~/.ssh/known_hosts

On a Windows machine using PuTTY

PuTTY stores host keys in the Windows registry rather than in a known_hosts file, so you must edit the registry to remove them:

  1. Open regedit.exe (search for it from the Start menu).
  2. Navigate to HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys
  3. Delete all values in that key, or delete only the entry for the individual host.

When connecting next time, you'll see the warning "The server's host key is unknown". This just means the key is not in your known_hosts file yet. Before accepting it, confirm that the fingerprint shown matches the one displayed in the panel, using the instructions in the following article.

Once you have confirmed they match you can log in and the key is automatically updated in your computer's known_hosts file.


Method Three — Edit the known_hosts file

This is an advanced method. Only edit the known_hosts file directly if you are comfortable editing files from the command line.

Edit the known_hosts file. In the above case, open /home/username/.ssh/known_hosts in your preferred text editor and remove the problem line. Make sure to change username to your Shell user.

This is similar to method two, but rather than deleting the entire known_hosts file, you delete only the line for the specific host.

The warning message lists the line number; it appears after the file name in the "Offending key" line of the error. In the above error message, the line number is 10278. If you are on a Mac or Linux machine and use the "vim" editor, you can type the following command to open the file at that line:

[local]$ vim +10278 ~/.ssh/known_hosts

The editor opens at that specific line. Press the d key twice (dd) to delete the line, then type a colon (:) followed by the letter x to save and quit:

:x

Finally, press the Enter key to save.

View the following article for further details on how to use vim.

On a Windows machine using PuTTY, navigate to the registry key shown in method two above. A list of hostnames appears there. Right-click the one you need to remove, and then select 'Delete'.

When connecting next time, you'll see the warning "The server's host key is unknown". This just means the key is not in your known_hosts file yet. Before accepting it, confirm that the fingerprint shown matches the one displayed in the panel, using the instructions in the following article.

Once you have confirmed they match you can log in and the key is automatically updated in your computer's known_hosts file.
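The "confirm the fingerprint matches the panel" step above, and the line-number lookup from method three, can be checked without guessing. The following is an added example (not DreamHost's code) that parses the "Offending key in FILE:N" line, finds every known_hosts entry for a hostname (plain or hashed form), and computes each entry's SHA256 fingerprint as OpenSSH prints it so it can be compared to the value shown out of band. It assumes the panel shows the SHA256 fingerprint form; the keys and known_hosts lines are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

def parse_offending(warning_text):
    """Pull (path, line number) out of the 'Offending key in FILE:N' warning line."""
    m = re.search(r"Offending key in (\S+):(\d+)", warning_text)
    return (m.group(1), int(m.group(2))) if m else None

def sha256_fingerprint(key_b64):
    """The SHA256:... fingerprint OpenSSH prints for a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hostname_matches(host_field, hostname):
    """Match a plain (comma-separated) or hashed (|1|salt|hmac-sha1) host field."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")

def check_known_hosts(text, hostname, expected_fingerprint):
    """For each entry naming hostname: (line_no, fingerprint, matches the panel value)."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if parts and parts[0].startswith("@"):      # skip @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3 or line.lstrip().startswith("#"):
            continue
        if hostname_matches(parts[0], hostname):
            fp = sha256_fingerprint(parts[2])
            results.append((n, fp, hmac.compare_digest(fp, expected_fingerprint)))
    return results

# Constructed sample data below; these are not real server keys.
def ed25519_blob(pub):
    ssh_string = lambda b: len(b).to_bytes(4, "big") + b   # SSH wire-format string
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(pub)).decode()

def hashed_host_field(hostname, salt):
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

NEW_KEY = ed25519_blob(bytes(range(32)))         # key the server presents now
OLD_KEY = ed25519_blob(bytes(range(32, 64)))     # stale key still cached in known_hosts
PANEL_FINGERPRINT = sha256_fingerprint(NEW_KEY)  # stands in for the fingerprint in the panel
SAMPLE_KNOWN_HOSTS = "example.com,203.0.113.10 ssh-ed25519 %s\n%s ssh-ed25519 %s\n" % (
    OLD_KEY, hashed_host_field("example.com", b"\x01" * 20), OLD_KEY)
```

Entries reported with a False third field are the stale ones to remove; only accept a new key at the "host key is unknown" prompt when its fingerprint equals the panel's value.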
