Debug School

Suyash Sambhare

Fix Host key verification failed in ssh

While connecting to a remote server using ssh, if you get the error “Host key verification failed”, here are the steps to resolve the issue.

What is a Host Key in SSH?

A Host key is a unique identifier that is used to verify the identity of a remote host. When you connect to a remote host, the Host key is verified against a list of known Host keys. If there is a match, the connection will be allowed to proceed. If there is not a match, the connection will be denied.

The Host key is also used to generate a cryptographic signature for each connection. This signature is used to verify the integrity of the data that is transferred between the client and server.

Understanding error message Host key verification failed

If you receive the error message Host key verification failed, it means that the key the host presents no longer matches the key stored for it. It is often caused by connecting to a different server than the one you originally connected to. You would get this error if your server has been rebuilt or replaced by a new one, or if its IP address has been reassigned to another server.

Whenever we connect to a server via SSH, that server’s public key is stored in our home directory. The file is called known_hosts.

This file is local to the user account and contains the known keys for remote hosts. These are collected from the hosts when connecting for the first time.

The keys stored in ~/.ssh/known_hosts are used to verify the identity of the remote host, thus protecting against impersonation or man-in-the-middle attacks.

When we reconnect to the same server, SSH verifies that the server's current public key matches the one saved in our known_hosts file. If there is a match, the connection will proceed. If the match fails, SSH stops with the error message Host key verification failed.

Example of Host key verification failed

PS C:\Users\suyash.sambhare\.ssh> ssh suyi@10.11.60.217
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:YjbchgeBjGz9bYAnNPFRoiSTQAuwVMsu8sOwhtLWIwQ.
Please contact your system administrator.
Add the correct host key in C:\\Users\\suyash.sambhare/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in C:\\Users\\suyash.sambhare/.ssh/known_hosts:6
The host key for 10.11.60.217 has changed and you have requested strict checking.
Host key verification failed.
PS C:\Users\suyash.sambhare\.ssh>

It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is x.
Please contact your system administrator.
Add the correct host key in /home/ec2-user/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/ec2-user/.ssh/known_hosts:222
The RSA host key for 10.11.60.217 has changed and you have requested strict checking.
Host key verification failed.

Methods to fix problem of Host key verification failed

The Host key verification failed error occurs when the server’s host key does not match the key that was expected. This can happen when the server’s key has been changed, or when the key has been compromised.

Here are three ways to fix this Host key verification failed error.

  • Manually edit the ~/.ssh/known_hosts file and remove the old key for the host you’re trying to connect to. This will allow you to connect to the new server without any problems.
  • Use the ssh-keygen -R command to remove the old key from your ~/.ssh/known_hosts file. This will allow you to connect to the new server without any problems.
  • Use the -o StrictHostKeyChecking=no option when connecting to the server. This will prevent ssh from checking the ~/.ssh/known_hosts file and will allow you to connect to the new server without any problems.

Remove old host key info from known_hosts file

The easiest way to fix the Host key verification failed error is to remove the old host key info and reconnect to the server.

We can fix this issue with the following steps.

  • Locate the known_hosts file.
  • Open it in a text editor with vi /home/user/.ssh/known_hosts
  • Search for the old hostname, then press ESC and type dd to delete the line.
  • Save the changes by pressing ESC and typing :wq!
  • Reconnect to the server.

PS C:\Users\suyash.sambhare\.ssh> ssh suyi@10.11.60.217
The authenticity of host '10.11.60.217 (10.11.60.217)' can't be established.
ED25519 key fingerprint is SHA256:4n4TaoR2ov+hQwJEuMMMPtG0FVntCPcWCF52taw5GS4.
This host key is known by the following other names/addresses:
    C:\Users\suyash.sambhare/.ssh/known_hosts:72: 10.11.56.23
    C:\Users\suyash.sambhare/.ssh/known_hosts:91: 10.11.58.21
    C:\Users\suyash.sambhare/.ssh/known_hosts:92: 10.11.58.22
    C:\Users\suyash.sambhare/.ssh/known_hosts:93: 10.11.60.20
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.11.60.217' (ED25519) to the list of known hosts.
suyi@10.11.60.217's password:
Activate the web console with systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Mon Jan  8 12:52:18 2024 from 10.11.50.61
[suyi@suyi-lab27 ~]$

Remove old host key info with the ssh-keygen command

We can also remove the old host key with the ssh-keygen command.

Open up a terminal session, and type one of the following:

  • ssh-keygen -R hostname
  • ssh-keygen -R ipaddress
  • ssh-keygen -f "/home/ec2-user/.ssh/known_hosts" -R "192.168.0.106"
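
The known_hosts lookup described earlier, combined with a check on whether an old entry may be removed, as an added example (not code from the original post): it computes SHA256 fingerprints the way the ssh warning prints them and marks lines for removal only when the presented key matches a fingerprint obtained outside the SSH session. The function names, the trusted_fp parameter and the key blobs are assumptions constructed for illustration.

```python
import base64, hashlib, hmac

def fingerprint(b64_blob):
    """Fingerprint as ssh prints it: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a host field: hashed form (|1|salt|HMAC-SHA1) or a comma-separated list."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        calc = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(calc, base64.b64decode(mac))
    return host in field.split(",")  # simplification: wildcard patterns are not expanded

def stored_keys(known_hosts, host):
    """Return [(line_number, key_type, fingerprint)] for every entry naming host."""
    found = []
    for number, line in enumerate(known_hosts.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0][0] in "#@":
            continue  # blank lines, comments, @cert-authority / @revoked markers
        if host_matches(parts[0], host):
            found.append((number, parts[1], fingerprint(parts[2])))
    return found

def decide(known_hosts, host, presented_fp, trusted_fp):
    """trusted_fp comes from outside the SSH session (server console, administrator)."""
    entries = stored_keys(known_hosts, host)
    if any(fp == presented_fp for _, _, fp in entries):
        return "known", []                        # ssh would connect without a warning
    if presented_fp != trusted_fp:
        return "refuse", []                       # nobody vouches for this key: keep the old entry
    return "replace", [n for n, _, _ in entries]  # stale lines that ssh-keygen -R would drop

def sample_blob(fill):
    """Constructed (not real) ssh-ed25519 public key blob, base64-encoded."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(raw).decode()

OLD, NEW = sample_blob(1), sample_blob(2)
KNOWN_HOSTS = (f"# constructed sample file\n"
               f"10.11.56.23 ssh-ed25519 {NEW}\n"
               f"10.11.60.217 ssh-ed25519 {OLD}\n")

if __name__ == "__main__":
    print(decide(KNOWN_HOSTS, "10.11.60.217", fingerprint(NEW), fingerprint(NEW)))
```
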

Disable SSH StrictHostKeyChecking option

The StrictHostKeyChecking option in SSH is a security feature that verifies the host key information for each connection.

If there is a problem with the host key information, the connection will not be allowed to proceed. This option can be disabled, which will allow the connection to proceed even if there is a problem with the host key information.

  • Open up a terminal window.
  • Type in the following command: ssh -o StrictHostKeyChecking=no hostname

This command removes the old host key for the device in the known_hosts file and replaces the old host key with the new host key.

Ref: https://www.howtouselinux.com/post/fix-host-key-verification-failed
