Overview
This guide provides ways to remove the warnings you see when connecting to your domain/web server via SSH. The warning this guide pertains to is the 'host keys not matching':
If you remove known_host entries as recommended here, you are vulnerable to a man-in-the-middle attack.
The error message
If you see the following warning when accessing your domain or web server via SSH, it generally means that the host key does not match the key in your known_hosts file.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is REMOVED FOR SECURITY REASONS Please contact your system administrator. Add correct host key in /home/USER/.ssh/known_hosts to get rid of this message. Offending key in /home/USER/.ssh/known_hosts:10278 Password authentication is disabled to avoid man-in-the-middle attacks. Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks. –
This is not typically a cause for concern and can be remedied in a few different ways.
Resolving the warning message
There are three methods to remove this error. Please keep in mind that the modification to fix this needs to be performed on the client side, so if you are getting this connecting from home/work you must update that specific computer.
Method One — Generate a new host key (MAC or Linux)
If you have connected to a host in the past, the old host key is stored in your computer's /user/.ssh/known_hosts file. If the key has been updated on the server, you must now delete the old key on your computer.
Run the following command in your shell.
Change HOSTNAME to the host you're connecting to, such as example.com
[local]$ ssh-keygen -R HOSTNAME
The -R option removes the old key related to a specific hostname.
You can now connect via SSH to store a new key.
Method Two — Deleting your known_hosts file
If you log in to other servers, do not delete the known_hosts file, or you’ll have no way of knowing if your SSH keys have changed.
Delete your entire known_hosts file (on your local computer) if you have several hosts that need to be updated. On first log in, it confirms the new key.
- On a Mac or Linux machine – the known_hosts file is located in the .ssh/known_hosts directory. You can simply run this command in a terminal to delete the known_host file:
-
[local]$ rm .ssh/known_hosts
- On a Windows machine using PuTTY – you must access the registry to remove the known_hosts:
- Open up ‘regedit.exe’ by doing a search.
- Navigate to HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys
- Delete all keys in there or delete the individual host key.
Method Three — Edit the known_hosts file
Edit the known_hosts file. In the above case, open the file /home/USER/.ssh/known_hosts in the preferred text editor, and then remove the problem line.
- This is similar to method two but rather than deleting the entire .known_hosts file, you delete the specific host line in the file instead.
- The warning message lists the line number; it can be found after the file name in the error. In the above error message, the line number is 10,278. If you are on a Mac or Linux machine and if you are using the "vi" editor, you can simply type the following command to jump to that line:
-
[local]$ vim +10278
- The editor opens to that specific line. Click the ‘d’ key twice to delete that line, and then enter the following to save:
-
[local]$ :x
View the following article for further details on how to use vim.
On a Windows machine using PuTTY, navigate to the Registry folder as shown in method two above. In that directory, a list of hostnames appears. Right click on the one you need to remove, and then select ‘Delete’.
