Today, I tried to SSH into my remote Ubuntu 20.04 LTS server and encountered this message: WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
$ ssh [email protected]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:K/jEKNQCYYOilJxOZc7qAWlu4xu0nW+MD09DfJL7+gc.
Please contact your system administrator.
Add correct host key in /home/sk/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/sk/.ssh/known_hosts:11
  remove with:
  ssh-keygen -f "/home/sk/.ssh/known_hosts" -R "192.168.225.52"
ECDSA host key for 192.168.225.52 has changed and you have requested strict checking.
Host key verification failed.
This is actually not an error message. It is a security notification indicating that the ECDSA host key for the given remote system has changed since you last connected. As you might already know, when we access a remote system for the first time from a local system via SSH, the ECDSA host key sent by that remote host is cached in the $HOME/.ssh/known_hosts file on our local system, and its fingerprint is what SSH shows in these messages.
When the identity (fingerprint) has changed after you reinstalled the remote system or assigned the same IP address to multiple remote systems, the above warning message shows up.
Fix "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED" Error In Linux
To fix this issue, simply remove the cached key for the IP address on the local system using the command:
$ ssh-keygen -R 192.168.225.52
# Host 192.168.225.52 found: line 11
/home/sk/.ssh/known_hosts updated.
Original contents retained as /home/sk/.ssh/known_hosts.old
You can also explicitly specify the path of the known_hosts file with the -f flag like below.
$ ssh-keygen -f "/home/sk/.ssh/known_hosts" -R "192.168.225.52"
The above command deletes all keys belonging to the remote host from the known_hosts file on the local system. The old contents of the known_hosts file are retained in a file named "known_hosts.old".
If you use a different SSH port, you need to mention it explicitly. The known_hosts file records such hosts as [host]:port, so pass the name in that form like below:
$ ssh-keygen -R "[192.168.225.52]:1234"
Here, 1234 is the SSH port number. Replace it with your actual SSH port number.
After removing the keys, try again to SSH into the remote system using the command:
$ ssh [email protected]
Type "yes" and hit ENTER to add the remote host key to your local system:
The authenticity of host '192.168.225.52 (192.168.225.52)' can't be established.
ECDSA key fingerprint is SHA256:K/jEKNQCYYOilJxOZc7qAWlu4xu0nW+MD09DfJL7+gc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.225.52' (ECDSA) to the list of known hosts.
[email protected]'s password:
Now you can access the remote system via SSH.
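The warning names a man-in-the-middle as one possible cause, so the cached key should only be replaced once the new fingerprint has been confirmed against a value obtained out of band. The Python sketch below is an added example, not part of the original post: it computes the SHA256 fingerprint the way ssh prints it, matches plain, [host]:port and hashed known_hosts entries, and swaps the stale entry only when the fingerprints agree. The function names, key blobs, salt and the 10.0.0.9 entry are constructed for illustration.

```python
import base64, hashlib, hmac, struct

def fingerprint(b64_blob):
    """SHA256 fingerprint as ssh prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_name(host, port=22):
    """known_hosts records a non-default port as [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"

def names_host(field, name):
    """True if a known_hosts host field (plain or hashed) names `name`."""
    for pat in field.split(","):
        if pat.startswith("|1|"):  # hashed form: |1|salt|HMAC-SHA1(salt, name)
            _, _, salt, mac = pat.split("|")
            calc = hmac.new(base64.b64decode(salt), name.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(calc, base64.b64decode(mac)):
                return True
        elif pat == name:
            return True
    return False

def replace_if_verified(known_hosts, host, port, offered_line, expected_fp):
    """Swap the stale entry for offered_line only if its fingerprint equals
    expected_fp, a value obtained out of band (server console, admin)."""
    if not hmac.compare_digest(fingerprint(offered_line.split()[2]), expected_fp):
        return known_hosts, False  # mismatch: leave the cached key in place
    name = host_name(host, port)
    kept = [l for l in known_hosts.splitlines()
            if not l.split() or l.startswith("#") or not names_host(l.split()[0], name)]
    return "\n".join(kept + [offered_line]) + "\n", True

# Constructed sample data: made-up blobs, not real host keys.
def blob(material):
    parts = (b"ecdsa-sha2-nistp256", b"nistp256", material)
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in parts)).decode()
OLD, NEW = blob(b"\x04" + b"\x01" * 64), blob(b"\x04" + b"\x02" * 64)
SALT = b"constructed-salt-20b"
HASHED = "|1|%s|%s" % (base64.b64encode(SALT).decode(), base64.b64encode(
    hmac.new(SALT, b"[192.168.225.52]:1234", hashlib.sha1).digest()).decode())
KNOWN_HOSTS = (f"192.168.225.52 ecdsa-sha2-nistp256 {OLD}\n"
               f"{HASHED} ecdsa-sha2-nistp256 {OLD}\n"
               f"10.0.0.9 ecdsa-sha2-nistp256 {OLD}\n")
OFFERED = f"192.168.225.52 ecdsa-sha2-nistp256 {NEW}"

if __name__ == "__main__":
    text, ok = replace_if_verified(KNOWN_HOSTS, "192.168.225.52", 22, OFFERED, fingerprint(NEW))
    print(ok, text, sep="\n")
```

In real use the expected fingerprint comes from the server itself, for example by running ssh-keygen -lf on its host public key file from the console, not from the connection that triggered the warning.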