Seeing the “REMOTE HOST IDENTIFICATION HAS CHANGED” warning from an SSH client signals that the remote server's identity no longer matches what is stored locally. The message appears before any password or key authentication and blocks the connection to prevent silently talking to an unexpected host. Handling the warning correctly restores connectivity while still protecting against impersonated servers.

During an OpenSSH handshake, the client checks the server's host key against the entries stored in /home/user/.ssh/known_hosts (or the equivalent path for the current account). The first time a host is contacted, the client shows the key's fingerprint and, when accepted, saves the key in that file for later checks. On later connections, any mismatch between the stored key and the server's current host key triggers the identification‑changed warning.

Host keys can change legitimately after a system reinstall, migration, or intentional regeneration, but the same symptom also appears during a man‑in‑the‑middle attack. Before removing or replacing any entry in known_hosts, the presented fingerprint must be compared with a trusted source such as a console session or administrator‑supplied value. The steps below assume a standard OpenSSH client on a Unix‑like system and focus on updating the stored key only after the new server identity is trusted.

Steps to fix the “REMOTE HOST IDENTIFICATION HAS CHANGED!” warning in SSH:

  1. Open a terminal on the client system that is attempting the SSH connection.
  2. Attempt the SSH connection again so the client prints the full host key mismatch warning and the new fingerprint.
    $ ssh 192.168.111.14
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the ECDSA key sent by the remote host is
    SHA256:dPiDHZPOKKNaz/RgHHaxkexY7L1h1EFcfa5UJUi2s48.
    Please contact your system administrator.
    Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
    Offending ECDSA key in /home/user/.ssh/known_hosts:3
      remove with:
      ssh-keygen -f "/home/user/.ssh/known_hosts" -R "192.168.111.14"
    ECDSA host key for 192.168.111.14 has changed and you have requested strict checking.
    Host key verification failed.

    Proceed only after confirming that the host key change is expected, because trusting an unverified key allows a man-in-the-middle attacker to impersonate the server.

  3. Verify the new host key fingerprint using a trusted channel such as a console login on the server or information from an administrator.
    # ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
    256 SHA256:dPiDHZPOKKNaz/RgHHaxkexY7L1h1EFcfa5UJUi2s48 root@server (ECDSA)

    This example command is run on the server to display the canonical host key fingerprint for comparison.

  4. Remove the outdated host key entry from the /home/user/.ssh/known_hosts file using the hostname or IP address shown in the warning.
    $ ssh-keygen -R 192.168.111.14
    # Host 192.168.111.14 found: line 3
    /home/user/.ssh/known_hosts updated.
    Original contents retained as /home/user/.ssh/known_hosts.old

    The warning output shows the exact file path and the line number of the entry that must be removed.

  5. Optionally open /home/user/.ssh/known_hosts in a text editor or viewer to confirm the obsolete entry is gone and to clean up any duplicate hostnames or IP addresses.
    $ sed -n '1,5p' ~/.ssh/known_hosts
    192.168.0.111 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAACBBInXA+7gb/gR0rOWlxzAvlt1SVEPlmQBqRVbkDe7M4eZ3OC/yMXEl0QP8va62rGxvEx0quWflFROQclYPc0NrT0=
    remote-host ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAACBBInXA+7gb/gR0rOWlxzAvlt1SVEPlmQBqRVbkDe7M4eZ3OC/yMXEl0QP8va62rGxvEx0quWflFROQclYPc0NrT0=
    10.0.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCu9MUCkl0C7pXE//vtoRoxgVFGKOPWxvf1zA0HKYlCl5hR/HLeTTZbmoqA/aet0VLAunetMOkQuSaLDCaJPqQ21DD5db6C

    Removing stale or duplicate lines avoids future confusion when a host is reachable by multiple names or addresses.

  6. Reconnect to the host so the client can store the trusted host key after confirming that the fingerprint matches the reference value.
    $ ssh 192.168.111.14
    The authenticity of host '192.168.111.14 (192.168.111.14)' can't be established.
    ECDSA key fingerprint is SHA256:dPiDHZPOKKNaz/RgHHaxkexY7L1h1EFcfa5UJUi2s48.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.111.14' (ECDSA) to the list of known hosts.
    user@192.168.111.14's password:

    Type yes only when the fingerprint exactly matches the trusted value obtained earlier.

  7. Confirm that subsequent connections complete without the identification‑changed warning and proceed directly to authentication.
    $ ssh user@192.168.111.14
    Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-96-generic x86_64)
    ##### snipped #####
    user@192.168.111.14:~$
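
The verify-then-replace logic of steps 3 to 6 can be checked offline before touching the real file. The following is an added example, not part of the original article: it computes the SHA256 fingerprint the way ssh displays it, refuses to update unless the offered key matches the trusted value, and also recognises hashed (`|1|`) host entries. The function names and sample data are hypothetical; the offered key is assumed to be one `host keytype base64-key` line.

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    """SHA256 fingerprint as ssh prints it: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """True if a known_hosts host field names `host` (plain list or |1| hashed form)."""
    if field.startswith("|1|"):  # HashKnownHosts: |1|salt|HMAC-SHA1(salt, hostname)
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")  # assumption: exact names only, no wildcards

def replace_if_trusted(known_hosts_text, host, offered_line, trusted_fp):
    """Return new known_hosts text; raise ValueError if the offered key is not trusted."""
    _, keytype, key_b64 = offered_line.split()[:3]
    offered_fp = fingerprint(key_b64)
    if not hmac.compare_digest(offered_fp, trusted_fp):
        raise ValueError(f"{host}: offered {offered_fp} does not match trusted value")
    kept = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Keep blanks, comments, @cert-authority/@revoked markers and other hosts.
        if not fields or fields[0][0] in "#@" or not host_matches(fields[0], host):
            kept.append(line)
    kept.append(f"{host} {keytype} {key_b64}")
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    # Constructed sample data: these blobs are placeholders, not real host keys.
    old = base64.b64encode(b"constructed old host key").decode()
    new = base64.b64encode(b"constructed new host key").decode()
    known = f"192.168.111.14 ecdsa-sha2-nistp256 {old}\n10.0.0.2 ssh-rsa {old}\n"
    offered = f"192.168.111.14 ecdsa-sha2-nistp256 {new}"  # one "host type key" line
    trusted = fingerprint(new)  # stands in for the value read on the server console
    print(replace_if_trusted(known, "192.168.111.14", offered, trusted))
```

A mismatch raises instead of rewriting anything, which mirrors the rule in step 6: the stored key is replaced only when the fingerprint equals the value obtained over the trusted channel.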