
SSH Host key and How to Fix Remote Host Key Has Changed Error in Linux

Ever encountered the cryptic message “Remote Host Key Has Changed” while connecting to a server using SSH (Secure Shell)?

This seemingly technical error notification actually serves as a vital security safeguard.

Each server in the SSH world has a one-of-a-kind identifier called a host key, similar to a digital fingerprint.

When you connect for the first time, the server sends its unique key to your device. Your device stores this key in a file named “known_hosts”.

On subsequent connections, the server again sends its key. Your device checks this key against the one stored in “known_hosts”. If they match, you’re good to go – the connection is secure.

A mismatch between the keys triggers the warning.

This prevents someone from intercepting your connection and pretending to be the real server. By checking the key, you ensure you’re actually communicating with the intended server.

What Is a Host Key in Linux

An SSH host key is another layer of security used in the SSH protocol, specifically on the server side. It works alongside SSH key pairs (private and public keys).

The main purpose of an SSH host key is server authentication: ensuring you’re connecting to the intended server and not a malicious imposter. It acts as an extra layer of security on top of username and password logins.

Here’s how it works:

  • Unique Server Identity: Every server has a unique SSH host key, similar to a digital fingerprint. It consists of a public and private key pair, just like user SSH keys, but these keys are stored on the server itself.
  • Verification on Connection: When you connect to a server for the first time using SSH, the server sends its public host key to your local machine.
  • Matching Keys: Your SSH client (the program you use to connect) checks its stored list of known host keys. This list can include keys for servers you’ve connected to before or pre-configured trusted keys.
  • Security Alert:
      • Match: If the public host key from the server matches a known host key in your list, it’s considered a secure connection.
      • Mismatch: If the keys don’t match, it could be a red flag:
          • You might be connecting to a different server than intended, one posing as the legitimate server.
          • The server’s key might have been changed due to an OS rebuild.

Remote Host Key Has Changed Error: Explanation and Fix

We can summarize what we have explained above.

  • SSH Host Keys: Every server has a unique SSH host key, acting like a digital fingerprint for identification.
  • Known Hosts File: Your SSH client maintains a file called “known_hosts” that stores previously encountered server keys.
  • The Check: When you connect to a server, the server sends its host key to your client.
  • The Mismatch: The client checks the “known_hosts” file for a matching key. If it doesn’t find a match, or if the keys differ, you get the error message.

The “Remote Host Key Has Changed” error in SSH indicates a mismatch between the current server’s host key and the one previously recorded in the client’s known_hosts file.

This discrepancy can occur due to legitimate reasons like a reinstalled operating system or an updated SSH server package. However, it may also signal a potential security threat, such as a man-in-the-middle attack.

How you respond to this error message depends on the situation. If you’re confident about the server’s legitimacy and the key change was expected, you can take steps to accept the new key.

However, if you’re unsure, it’s always best to err on the side of caution and investigate further before proceeding. This might involve contacting the server administrator to confirm the key change or double-checking the server’s identity through a trusted channel.

How to Fix:

  1. Verify the Change: Confirm the legitimacy of the change in the host key. Investigate further if there’s any doubt about the change’s authenticity.
  2. Remove the Old Host Key: Use the command ssh-keygen -R [hostname_or_IP] to remove the old key from the known_hosts file.
  3. Reconnect to the Server: After removing the old key, reconnect with the command ssh [username]@[hostname_or_IP]. You will be prompted to accept the new host key, which should be carefully verified before acceptance.
  4. Key Re-Added: Once the new key is accepted, it is added to the known_hosts file, securing future connections to the server.

How to Find the Host Key in Linux

Understanding how to locate the host key of an SSH server in Linux is important for verifying the server’s identity and for troubleshooting purposes.

Finding the Local SSH Server’s Host Key:

  1. Access the SSH Server’s Host Key Files: SSH host keys are typically stored in /etc/ssh/. File names vary based on the key type (e.g., ssh_host_rsa_key.pub, ssh_host_ecdsa_key.pub).
  2. View the Host Key: Use the cat command to display the public part of the host key, for example:
    cat /etc/ssh/ssh_host_rsa_key.pub

Finding a Remote SSH Server’s Host Key:

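The ssh-keyscan command retrieves the public host key of a server without you needing to have connected to it before. The key it returns is whatever the network delivered, so it still has to be checked against a fingerprint from a trusted source before you rely on it. Here’s how to use it: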

  1. Open a terminal window.
  2. Run the ssh-keyscan command:
    ssh-keyscan <server_ip_or_hostname>
    Replace <server_ip_or_hostname> with the actual IP address or hostname of the server you want to find the key for.
  3. Output: The command will display the public host key of the server along with the SSH protocol version and any key fingerprints (hashed versions of the key for easier comparison).
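
The known_hosts check and the “How to Fix” steps above, combined with ssh-keyscan, as an added example that is not part of the original article: `host_key_status` is a simplified model of the client-side comparison, and `replace_host_key` swaps the stored key only when the scanned key’s SHA256 fingerprint (computed with `ssh-keygen -lf -`) equals one you obtained over a trusted channel. Both function names and the default key type `ed25519` are assumptions of this example.

```shell
#!/bin/sh
# Added example. Hosts, keys and fingerprints passed in are values you supply.

# host_key_status FILE HOST TYPE KEY -> prints match | changed | unknown
# Simplified model of the client-side check on a known_hosts-style FILE.
# Only plain entries are compared: hashed "|1|..." host fields and
# "@cert-authority"/"@revoked" lines are skipped (use ssh-keygen -F for those).
host_key_status() {
    awk -v host="$2" -v type="$3" -v key="$4" '
        /^[#@|]/ || NF < 3 { next }
        {
            n = split($1, names, ",")          # "name,ip" lists share one key
            for (i = 1; i <= n; i++) {
                if (names[i] != host || $2 != type) continue
                if ($3 == key) found = 1; else differ = 1
            }
        }
        END {
            if (found) print "match"
            else if (differ) print "changed"   # same host and type, other key
            else print "unknown"               # first contact: nothing stored
        }' "$1"
}

# replace_host_key HOST EXPECTED_FP [TYPE]
# EXPECTED_FP is the SHA256 fingerprint confirmed over a trusted channel.
# known_hosts is only touched when the scanned key hashes to that value.
replace_host_key() {
    host=$1 expected=$2 type=${3:-ed25519}
    scanned=$(ssh-keyscan -t "$type" "$host" 2>/dev/null)
    actual=$(printf '%s\n' "$scanned" | ssh-keygen -lf - 2>/dev/null | awk '{print $2}')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing to update: $host presented '${actual:-nothing}'" >&2
        return 1
    fi
    ssh-keygen -R "$host" >/dev/null &&
        printf '%s\n' "$scanned" >> "$HOME/.ssh/known_hosts"
}
```

Unlike step 3 of the fix, this pins the verified key directly instead of accepting it at the interactive prompt; call it as `replace_host_key <hostname> <SHA256:fingerprint>`.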

 

Conclusion:

Resolving the “Remote Host Key Has Changed” error involves verifying the cause of the key change, removing the outdated key, and updating the known_hosts file with the new key.

This process is essential for maintaining the integrity and security of SSH connections.

It’s important to prioritize security when dealing with SSH host keys. Don’t blindly accept new keys, especially if you’re unsure about the server. Always verify the server’s identity before adding new keys to your “known_hosts” file.
