howtouselinux

3 ways to fix Host key verification failed in ssh

Whenever we connect to a server via SSH, that server’s public key is stored in our home directory. The file is called known_hosts. When we reconnect to the same server, the SSH client verifies that the server’s current public key matches the one we have saved in our known_hosts file.

The Host key verification failed error occurs when the server’s host key does not match the key that was expected. This can happen when the server’s key has been changed, or when the key has been compromised. Here are 3 ways to fix this error.

  • Remove the old host key info from known_hosts file
  • Remove the old host key with ssh-keygen command
  • Skip the host key checking with SSH option stricthostkeychecking

Example of Host key verification failed

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!

It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is x.
Please contact your system administrator.
Add correct host key in /home/ec2-user/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/ec2-user/.ssh/known_hosts:222
RSA host key for howtouselinux.com has changed and you have requested strict checking.
Host key verification failed.

Why does Host key verification failed happen?

The known_hosts file is local to the user account and contains the known keys for remote hosts. These are collected from the hosts when connecting for the first time.

The keys stored in ~/.ssh/known_hosts are used to verify the identity of the remote host, thus protecting against impersonation or man-in-the-middle attacks.

With each subsequent connection, the saved key is compared to the key provided by the remote server. If there is a match, the connection will proceed. If the match fails, ssh will fail with the error message Host key verification failed.

Remove old host key info from known_hosts file

We can remove the old host key from the known_hosts file and create a new SSH connection. The new key will be added automatically. Locate our known_hosts file, and open it in a general text editor. In the example above, the offending RSA key is located here: /home/ec2-user/.ssh/known_hosts:222

# vi +222 /home/ec2-user/.ssh/known_hosts

Once known_hosts is open at line 222, press “Esc” and then “dd” to delete the line. We can save the changes by pressing “Esc” and typing “:wq!”.

Fix host key verification failed with ssh-keygen command

We can also remove the old host key with ssh-keygen command.

Open up a terminal session, and type one of the following

  • ssh-keygen -R hostname
  • ssh-keygen -R ipaddress
  • ssh-keygen -f "/home/ec2-user/.ssh/known_hosts" -R "192.168.0.106"
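
Both removal methods above leave ssh free to accept whatever key the server offers on the next connection. The following Python sketch is an added example, not part of the original article: it drops a host's known_hosts entries (plain or hashed) and adds the new key only when that key's SHA256 fingerprint matches one obtained out of band. All function names and sample data are constructed for illustration.

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    """SHA256 fingerprint of a host key, in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: hashed (|1|salt|hmac) or a plain comma list.
    Exact names only; wildcard patterns are not handled in this sketch."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return host in field.split(",")

def replace_host_key(known_hosts, host, offered_line, trusted_fp):
    """Swap host's entries for offered_line only if its key matches trusted_fp,
    the fingerprint obtained out of band (admin, console, config management)."""
    key_b64 = offered_line.split()[2]
    if fingerprint(key_b64) != trusted_fp:
        raise ValueError(f"key offered for {host} does not match the trusted fingerprint")
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        # Keep blanks, comments and @cert-authority/@revoked marker lines untouched.
        is_entry = bool(fields) and fields[0][0] not in "#@"
        if not (is_entry and host_matches(fields[0], host)):
            kept.append(line)
    return "\n".join(kept + [offered_line]) + "\n"

# Constructed sample data: the blobs are placeholders, not real host keys.
def blob(text):
    return base64.b64encode(text.encode()).decode()

def hashed_name(host, salt=b"constructed-salt-20b"):
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

SAMPLE = "\n".join([
    f"howtouselinux.com,192.168.0.106 ssh-rsa {blob('old key')}",
    f"{hashed_name('howtouselinux.com')} ssh-ed25519 {blob('old ed25519 key')}",
    f"other.example ssh-ed25519 {blob('unrelated key')}",
]) + "\n"
OFFERED = f"howtouselinux.com ssh-ed25519 {blob('new key')}"

if __name__ == "__main__":
    trusted = fingerprint(blob("new key"))  # stands in for the out-of-band value
    print(replace_host_key(SAMPLE, "howtouselinux.com", OFFERED, trusted))
```

The hashed entry shows why searching known_hosts for the host name can miss lines: the name is stored as an HMAC-SHA1 of the host name keyed with the salt, so it has to be recomputed to be matched.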

Fix host key verification failed with ssh stricthostkeychecking options

We can skip the host key checking with SSH option stricthostkeychecking. This solution adds some risk, because it turns off the check that protects against impersonation or man-in-the-middle attacks.

ssh <device ip address> -o stricthostkeychecking=no

This command removes the old host key for the device from the /home/ec2-user/.ssh/known_hosts file. It replaces the old host key with the new host key.
