When you connect to a remote SSH server, your SSH client checks the server's key fingerprint. The first time you connect, you must confirm whether to trust the server by comparing the displayed fingerprint. If you accept, the fingerprint is stored in the known_hosts file on your system.

$ ssh 192.168.111.14
The authenticity of host '192.168.111.14 (192.168.111.14)' can't be established.
ECDSA key fingerprint is SHA256:dPiDHZPOKKNaz/RgHHaxkexY7L1h1EFcfa5UJUi2s48.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.111.14' (ECDSA) to the list of known hosts.
user@192.168.111.14's password:

On subsequent connections, your SSH client compares the stored fingerprint with the one presented by the server. If the fingerprints do not match, you will receive a warning that the “Remote Host Identification Has Changed.” The warning means the key presented by the server no longer matches the one stored for that host, so the client cannot confirm the server's identity.

$ ssh 192.168.111.14
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:XLVdUNQkTCWoHz9knISigCqwFkvm0nFkgeMvXgW7Wbc.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:3
  remove with:
  ssh-keygen -f "/home/user/.ssh/known_hosts" -R "192.168.111.14"
ECDSA host key for 192.168.111.14 has changed and you have requested strict checking.
Host key verification failed.

A change in the server's key can occur for several reasons. It may happen after a server update, reinstallation, or a configuration change. However, it can also signal a security threat, such as a man-in-the-middle attack. Therefore, it is essential to verify the cause before proceeding.

To resolve this warning, you must update or remove the outdated key from the known_hosts file. This process ensures that your SSH client trusts the correct key during future connections.

Ensure the remote host you're connecting to is trusted before proceeding with these steps.

Steps to fix Remote Host Identification Has Changed! warning in SSH:

  1. Connect with host key checking disabled.
    $ ssh -o 'StrictHostKeyChecking no' user@remote-host
  2. Open the SSH configuration file.
    $ vi ~/.ssh/config

    ~/.ssh/config is user-specific, while adding the same directive to /etc/ssh/ssh_config will apply it to all users on the system.

  3. Add the following to your SSH client configuration file to disable strict host key checking permanently. The Host * pattern applies the setting to every host you connect to.
    Host *
        StrictHostKeyChecking no
  4. Remove the outdated entry from the known_hosts file.
    $ ssh-keygen -R remote-host
    # Host remote-host found: line 2
    /home/user/.ssh/known_hosts updated.
    Original contents retained as /home/user/.ssh/known_hosts.old
  5. Manually update the known_hosts file (optional).
    $ cat ~/.ssh/known_hosts
    192.168.0.111 ecdsa-sha2-nistp256 AAAAE2DjZHNhLXNoYTItbnlzHHAyNBYAAAAIbmlzdHAyNTYAAABBBInXA+7gb/gR0rOWlxzAvlt1SVEPabQBqRVbkDe7M4eZ3OC/yMXEA0QP8va62rGxvEx0quWf0FROQclyPc0NrT0=
    remote-host ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoaTItbmlzdhAyNTYAAAAIbmlzdHAyNTYAAACBBInXA+7gb/gR0rOWlxzAvlt1SVEPlmQBqRVbkDe7M4eZ3OC/yMXEl0QP8va62rGxvEx0quWflFROQclYPc0NrT0=
    10.0.0.2 ssh-rsa AAAAB3NzaB1yc2EAAAACAQACAAABAQCu9MUCkl0C7pXE//vtoRoxgVFGKOPWxvf1zA0HKYlCl5hR/HLeTTZbmoqA/aet0VLAunetMOkQuSaLDCaJPqQ21DD5db6CMkjAtUkR/xfGKiT8ZWBitBRE4cbBoPVhY9RjMtHlUFGy7pFYOSVau7rBxhsX9F9pIWDDuBEytjl3q5HAF+qBOKrcdEcSMieXVhcEQRo2HkJ4r/8dR0Nxvtq05X3LAj8tFZJ34ClfA7liALVRCHYxK8VyJHew1jxBJGbnZU/vIndIcHjJO1TftfBOo7wDo1NeVD0Ue7dYszu7mvY4tJKaPAgMGIAUScZ7c2BaLGk9gVLXkRzU+zQ61pYf

    You can either update the key fingerprint or delete the related entry entirely.
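
Verifying the cause before touching known_hosts, as advised above, comes down to comparing the fingerprint of the key the server now offers with one obtained out of band (server console, administrator). The Python code below is an added example, not part of the original article: it derives the SHA256 fingerprint from a known_hosts line the way ssh displays it and replaces the stale entry only on a match. The function names are hypothetical, the key blobs are constructed placeholders, and only plain and hashed host fields are matched (no wildcard patterns).

```python
import base64
import hashlib
import hmac


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as ssh prints it: unpadded base64 of SHA-256 over the raw key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field: comma-separated names or a hashed |1|salt|hash entry."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in field.split(",")


def replace_host_key(known_hosts: str, host: str, new_line: str, trusted_fp: str) -> str:
    """Return known_hosts text with host's stale entries replaced by new_line.

    trusted_fp is the fingerprint obtained out of band.
    Raises ValueError, changing nothing, if the key in new_line does not hash to it.
    """
    key_b64 = new_line.split()[2]  # fields: names, key type, base64 key blob
    actual = fingerprint(key_b64)
    if actual != trusted_fp:
        raise ValueError(f"fingerprint mismatch: offered key is {actual}")
    kept = [
        line for line in known_hosts.splitlines()
        if not line.strip() or line.startswith("#")
        or not host_matches(line.split()[0], host)
    ]
    return "\n".join(kept + [new_line]) + "\n"


if __name__ == "__main__":
    # Constructed sample data: placeholder bytes, not real host keys.
    old = base64.b64encode(b"constructed-old-key").decode()
    new = base64.b64encode(b"constructed-new-key").decode()
    known = f"192.168.111.14 ecdsa-sha2-nistp256 {old}\n"
    offered = f"192.168.111.14 ecdsa-sha2-nistp256 {new}"
    print(replace_host_key(known, "192.168.111.14", offered, fingerprint(new)), end="")
```

In practice the offered line can be captured with ssh-keyscan, and the trusted fingerprint must come from a channel other than the connection being checked.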
