Symptoms
Attempting to SSH to your server results in a warning similar to the following:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:$FINGERPRINT.
Please contact your system administrator.
Add correct host key in /Users/$USERNAME/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/$USERNAME/.ssh/known_hosts:7
ECDSA host key for $HOSTNAME_OR_IP has changed and you have requested strict checking.
Description
When you connect to a remote device over SSH, the SSH client first gets a "fingerprint" for an ECDSA key of the remote device. The first time you ever connect to this device, the client saves this fingerprint to a local file (by default, the "~/.ssh/known_hosts" file on a Unix-like operating system).
On each subsequent connection attempt, the SSH client compares what the remote device gives it with what it saved to that file. If the two do not match, it warns you with a message similar to the example above.
Workaround
The first thing to do is to determine whether this change is worth worrying about. If you have made no changes to anything regarding the remote device you're attempting to connect to, you should be extra cautious about connecting to it, as the warning may indicate something like a man-in-the-middle attack, as the error says.
There are also several reasons for this fingerprint to change that are not malicious, such as moving an IP address to a new server.
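One way to make that determination, shown as an added example that is not part of the original article: compare the fingerprint printed in the warning with the fingerprint of the server's public host key read over a trusted channel such as the server's console (on OpenSSH servers the file is usually /etc/ssh/ssh_host_ecdsa_key.pub). The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import re
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data

def key_blob(line: str) -> bytes:
    """Decode the key blob from a .pub line or a known_hosts line.

    The blob is the base64 field whose embedded key type equals the field
    just before it, so 'type blob comment' and 'host type blob' both work.
    """
    fields = line.split()
    for name, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if blob.startswith(ssh_string(name.encode())):
            return blob
    raise ValueError("no SSH public key found in line")

def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form the ssh warning prints it."""
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_warning(text: str) -> dict:
    """Extract the presented fingerprint and the offending entry."""
    fp = re.search(r"SHA256:[A-Za-z0-9+/]{43}", text)
    entry = re.search(r"Offending \S+ key in (.+):(\d+)", text)
    if not fp or not entry:
        raise ValueError("warning text not recognised")
    return {"fingerprint": fp.group(0), "file": entry.group(1),
            "line": int(entry.group(2))}

def key_change_is_expected(warning: str, trusted_pub_line: str) -> bool:
    """True only if the key the server presented is the trusted one."""
    return parse_warning(warning)["fingerprint"] == fingerprint(trusted_pub_line)

def sample_pub_line(fill: int) -> str:
    """Constructed ECDSA-shaped line (not a real key) for trying this out."""
    blob = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
            + ssh_string(b"\x04" + bytes([fill]) * 64))
    return "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode() + " root@server"
```

If `key_change_is_expected` returns False, the key presented to your client is not the one on the server you trust; the `file` and `line` values from `parse_warning` identify the stale entry only once the comparison succeeds.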
If you determine it is safe to proceed, there are two ways of doing so.
1. You can edit the file referenced in the warning and remove the line at the line number mentioned in the error (line 7 in the example given above). This is potentially dangerous if you aren't sure how to edit the file correctly. However, it is the only method that is guaranteed to work on any client device.
2. The safer option, if it is available to you, is to use the ssh-keygen utility to remove the entry:
ssh-keygen -R [hostname-or-IP]