When you log in to a remote SSH server, your SSH client will check for the fingerprint of the server's SSH key. During your first time connecting to the server, you'll need to confirm if you want to continue connecting based on the displayed key fingerprint.

$ ssh 192.168.111.14
The authenticity of host '192.168.111.14 (192.168.111.14)' can't be established.
ECDSA key fingerprint is SHA256:dPiDHZPOKKNaz/RgHHaxkexY7L1h1EFcfa5UJUi2s48.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.111.14' (ECDSA) to the list of known hosts.
[email protected]'s password:

If you chose to continue, your SSH client will store the key fingerprint in known_hosts_file which in Linux and other Unix-based operating systems is normally ~/.ssh/known_hosts.

On your subsequent log in to the remote SSH server, you will no longer be asked for confirmation but your SSH client will continue to verify the server's key fingerprint by comparing it to the one it has already stored in known_hosts_file. If the fingerprint of the server's SSH key is different than the one being stored, you'll get the following warning message:

$ ssh 192.168.111.14
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:XLVdUNQkTCWoHz9knISigCqwFkvm0nFkgeMvXgW7Wbc.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:3
  remove with:
  ssh-keygen -f "/home/user/.ssh/known_hosts" -R "192.168.111.14"
ECDSA host key for 192.168.111.14 has changed and you have requested strict checking.
Host key verification failed.

You can fix this Remote Host Identification Has Changed warning by disabling StrictHostKeyChecking or updating your known_hosts_file.

Please ensure the remote host you're connecting to is trusted before proceeding with these steps.

Steps to fix Remote Host Identification Has Changed! warning in SSH:

  1. Connect with host key checking option set to no.
    $ ssh -o 'StrictHostKeyChecking no' [email protected]
  2. Add StrictHostKeyChecking no to SSH client configuration file to make it persistent across connections.
    $ vi ~/.ssh/config

    ~/.ssh/config is user-specific while adding the same directive to /etc/ssh/ssh_config will apply it to all users within the system.

  3. Remove entry from known_hosts_file using ssh-keygen
    $ ssh-keygen -R remote-host
    # Host remote-host found: line 2
    /home/user/.ssh/known_hosts updated.
    Original contents retained as /home/user/.ssh/known_hosts.old
  4. Manually update known_hosts_file using your preferred text editor.
    cat ~/.ssh.authorised_keys
    192.168.0.111 ecdsa-sha2-nistp256 AAAAE2DjZHNhLXNoYTItbnlzHHAyNBYAAAAIbmlzdHAyNTYAAABBBInXA+7gb/gR0rOWlxzAvlt1SVEPabQBqRVbkDe7M4eZ3OC/yMXEA0QP8va62rGxvEx0quWf0FROQclyPc0NrT0=
    remote-host ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoaTItbmlzdhAyNTYAAAAIbmlzdHAyNTYAAACBBInXA+7gb/gR0rOWlxzAvlt1SVEPlmQBqRVbkDe7M4eZ3OC/yMXEl0QP8va62rGxvEx0quWflFROQclYPc0NrT0=
    10.0.0.2 ssh-rsa AAAAB3NzaB1yc2EAAAACAQACAAABAQCu9MUCkl0C7pXE//vtoRoxgVFGKOPWxvf1zA0HKYlCl5hR/HLeTTZbmoqA/aet0VLAunetMOkQuSaLDCaJPqQ21DD5db6CMkjAtUkR/xfGKiT8ZWBitBRE4cbBoPVhY9RjMtHlUFGy7pFYOSVau7rBxhsX9F9pIWDDuBEytjl3q5HAF+qBOKrcdEcSMieXVhcEQRo2HkJ4r/8dR0Nxvtq05X3LAj8tFZJ34ClfA7liALVRCHYxK8VyJHew1jxBJGbnZU/vIndIcHjJO1TftfBOo7wDo1NeVD0Ue7dYszu7mvY4tJKaPAgMGIAUScZ7c2BaLGk9gVLXkRzU+zQ61pYf

    You can manually update the key fingerprint or simply delete the related entry entirely.

Support us on Patreon if this guide has helped you. Thanks!!!

Discuss the article:

Comment anonymously. Login not required.

Share!