If you’ve ever tried to connect to a remote server using ssh, and received an error message that says “Host key verification failed,” you know how frustrating it can be. This article will show you three ways to fix the problem.
Table of Contents
What is a Host Key in SSH?
A Host key is a unique identifier that is used to verify the identity of a remote host. When you connect to a remote host, the Host key is verified against a list of known Host keys. If there is a match, the connection will be allowed to proceed. If there is not a match, the connection will be denied.
The Host key is also used to generate a cryptographic signature for each connection. This signature is used to verify the integrity of the data that is transferred between the client and server.
Understanding error message Host key verification failed
If you receive the error message “Host key verification failed”, it means that the key stored for the host you’re trying to connect to has changed. It is often caused by connecting to a different server than the one you originally connected to (for example, your server has been rebuilt by a new one).
Whenever we connect to a server via SSH, that server’s public key is stored in our home directory. The file is called known_hosts.
This file is local to the user account and contains the known keys for remote hosts. These are collected from the hosts when connecting for the first time.
As with those keys stored in the file, ~/.ssh/known_hosts, these keys are used to verify the identity of the remote host, thus protecting against impersonation or man-in-the-middle attacks.
When we reconnect to the same server, the SSH connection will verify the current public key matches the one we have saved in our known_hosts file. If there is a match, the connection will proceed. If the match fails, ssh will fail with an error message Host key verification failed happens.
Example of Host key verification failed
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed. The fingerprint for the RSA key sent by the remote host is x. Please contact your system administrator.
Add correct host key in /home/ec2-user/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/ec2-user.ssh/known_hosts:222 RSA host key for www.howtouselinux.com has changed and you have requested strict checking.Host key verification failed.
Methods to fix problem of Host key verification failed
Host key verification failed error occurs when the server’s host key does not match the key that was expected. This can happen when the server’s key has been changed, or when the key has been compromised.
Here are three ways to fix this Host key verification failed error.
- Manually edit the “~/.ssh/known_hosts” file and remove the old key for the host you’re trying to connect to. This will allow you to connect to the new server without any problems.
- Use the “ssh-keygen -R” command to remove the old key from your “~/.ssh/known_hosts” file. This will allow you to connect to the new server without any problems.
- Use the “-o StrictHostKeyChecking=no” option when connecting to the server. This will prevent ssh from checking the “~/.ssh/known_hosts” file, and will allow you to connect to the new server without any problems.
Remove old host key info from known_hosts file
The easiest way to fix the problem of Host key verification failed is removing the old host key info and reconnect the server.
We can fix this issue with the following steps.
- Locate our known_hosts file
- open in a general text editor with vi /home/user/.ssh/known_hosts
- search the old host name and press “ESC dd” to delete the line.
- save the changes by pressing “esc” and typing “:wq!”.
- reconnect the server
Remove old host key info with ssh-keygen command
We can also remove the old host key with ssh-keygen command.
Open up a terminal session, and type one of the following
- ssh-keygen -R hostname
- ssh-keygen -R ipaddress
- ssh-keygen -f “/home/ec2-user.ssh/known_hosts” -R “192.168.0.106”
Disable SSH stricthostkeychecking option
The stricthostkeychecking option in SSH is a security feature that verifies the host key information for each connection.
If there is a problem with the host key information, the connection will not be allowed to proceed. This option can be disabled, which will allow the connection to proceed even if there is a problem with the host key information.
- Open up a terminal window.
- Type in the following command: ssh -o StrictHostKeyChecking=no hostname
This command removes the old host key for the device in the known_hosts file and replaces old host key with the new host key.