When you log in to a remote SSH server, your SSH client will check for the fingerprint of the server's SSH key. During your first time connecting to the server, you'll need to confirm if you want to continue connecting based on the displayed key fingerprint.

$ ssh
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:dPiDHZPOKKNaz/RgHHaxkexY7L1h1EFcfa5UJUi2s48.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
user@'s password:

If you chose to continue, your SSH client would store the key fingerprint in known_hosts_file, which in Linux and other Unix-based operating systems usually is ~/.ssh/known_hosts.

You will no longer be asked to confirm your subsequent login to the remote SSH server, but your SSH client will still verify the server's key fingerprint by comparing it to the one it has already stored in known_hosts_file. If the fingerprint of the server's SSH key is different than the one stored, you'll get the following warning message:

$ ssh
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:3s
  remove with:
  ssh-keygen -f "/home/user/.ssh/known_hosts" -R ""
ECDSA host key for has changed and you have requested strict checking.
Host key verification failed.

You can fix this Remote Host Identification Has Changed warning by disabling StrictHostKeyChecking or updating your known_hosts_file.

Please ensure the remote host you're connecting to is trusted before proceeding with these steps.

Steps to fix Remote Host Identification Has Changed! warning in SSH:

  1. Connect with host key checking option set to no.
    $ ssh -o 'StrictHostKeyChecking no' user@remote-host
  2. Add StrictHostKeyChecking no to SSH client configuration file to make it persistent across connections.
    $ vi ~/.ssh/config

    ~/.ssh/config is user-specific while adding the same directive to /etc/ssh/ssh_config will apply it to all users within the system.

  3. Remove entry from known_hosts_file using ssh-keygen
    $ ssh-keygen -R remote-host
    # Host remote-host found: line 2
    /home/user/.ssh/known_hosts updated.
    Original contents retained as /home/user/.ssh/known_hosts.old
  4. Manually update known_hosts_file using your preferred text editor.
    cat ~/.ssh.authorised_keys ecdsa-sha2-nistp256 AAAAE2DjZHNhLXNoYTItbnlzHHAyNBYAAAAIbmlzdHAyNTYAAABBBInXA+7gb/gR0rOWlxzAvlt1SVEPabQBqRVbkDe7M4eZ3OC/yMXEA0QP8va62rGxvEx0quWf0FROQclyPc0NrT0=
    remote-host ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoaTItbmlzdhAyNTYAAAAIbmlzdHAyNTYAAACBBInXA+7gb/gR0rOWlxzAvlt1SVEPlmQBqRVbkDe7M4eZ3OC/yMXEl0QP8va62rGxvEx0quWflFROQclYPc0NrT0= ssh-rsa AAAAB3NzaB1yc2EAAAACAQACAAABAQCu9MUCkl0C7pXE//vtoRoxgVFGKOPWxvf1zA0HKYlCl5hR/HLeTTZbmoqA/aet0VLAunetMOkQuSaLDCaJPqQ21DD5db6CMkjAtUkR/xfGKiT8ZWBitBRE4cbBoPVhY9RjMtHlUFGy7pFYOSVau7rBxhsX9F9pIWDDuBEytjl3q5HAF+qBOKrcdEcSMieXVhcEQRo2HkJ4r/8dR0Nxvtq05X3LAj8tFZJ34ClfA7liALVRCHYxK8VyJHew1jxBJGbnZU/vIndIcHjJO1TftfBOo7wDo1NeVD0Ue7dYszu7mvY4tJKaPAgMGIAUScZ7c2BaLGk9gVLXkRzU+zQ61pYf

    You can manually update the key fingerprint or delete the related entry entirely.

Discuss the article:

Comment anonymously. Login not required.