You are here

Regenerating/renewing the SSH key for a known host which has been reinstalled

Submitted by Druss on Sat, 2014-08-30 14:25

I ran into the following spiel when I attempted to SSH to a host just now:

$ ssh
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /var/foo/.ssh/known_hosts to get rid of this message.
Offending key in /var/foo/.ssh/known_hosts:6
RSA host key for has changed and you have requested strict checking.
Host key verification failed.

Very scary. But what had happened was that the host had been reinstalled and this effectively also changed its SSH keys. The fix is, as the message notes, to add the correct host key and remove the offending key from the .ssh/known_hosts file. SSH also helpfully provides the line number (number 6 in the excerpt above) of the entry for the offending key as there is no way to identify it otherwise.

While this will work fine, the solution is a little icky. A neater alternative would be nice and unsurprisingly, exists. Simply type:

ssh-keygen -R

This will remove the entry for from the known_hosts file. Clean and hassle-free :)

Sometimes, you might also need to repeat the process for the host's IP address (in case you have SSH'd in using it). In that case, you might additionally want to remove the entry for the IP as well:

ssh-keygen -R

Hope this helps!

Yet another solution, however, one that is not recommended is to disabled the strict checking that SSH is configured with by default. This can be done on the go using something like: ssh -o Stricthostkeychecking=no

You can disable this permanently by editing /etc/ssh/ssh_config and setting StrictHostKeyChecking to no. However, this will avoid checking the key for ALL hosts. A better solution would be to edit/create the .ssh/config file in your own home directory and adding something like:

   StrictHostKeyChecking no

This will only disable the strict key checking for the single host,