Fixing "Warning: Remote Host Identification Has Changed” Error

Justina

Similar to SSL (Secure Sockets Layers), SSH connection also uses dedicated keys as authentication. When you connect to a server via Secure Shell (SSH), it gets a fingerprint for the ECDSA key. This key is saved on your computer and then used the next time you try to establish such a connection with your server. Such an aspect makes sure the connection between your machine and server is secure.

If the SSH client thinks those fingerprints are different from what it understands to be correct, it returns the error “Warning: Remote host identification has changed” at the point of the login:

The error message references a known_hosts file. This file is a list of SSH remote hosts known to the computer. It’s used as a reference client file for the authentication process.

Connecting to the server the first time you should get a confirmation, asking whether you want to connect. If you agree, the fingerprint for the ECDSA key is saved on the mentioned file.

But there are situations when the server's ECDSA key has changed since you last connected to it. This could mean that you're connecting to a different server without knowing it. If this new server is malicious then it can view all data sent to and from your connection, which is called a man-in-the-middle attack.

But that's not necessarily the case and there are different reasons for the ECDSA key fingerprint to change for a server, for example:

• OS re-installation;
• the server IP has changed and you have "CheckHostIP yes" in your config;
• you have connected to the same server using a different hostname.

There are other reasons but if you receive an error after making some of the mentioned changes to the server and you are sure they are causing the issue, you can fix the issue by the suggested recommendations.

Linux and macOS

The most simple solution in such systems is to use the ssh-keygen utility to delete the offending key from your known_hosts file. This can be done with the following command:

ssh-keygen -R [hostname-or-IP]

As mentioned, ECDSA key fingerprints are stored in the file known_hosts. In the error, you will see the line on that file is indicated.

That’s where the key for that server is stored (in the above case it's line number five). You can remove the key manually by opening a file with your preferred text redactor:

nano /home/iv/.ssh/known_hosts

Also, in the warning, the full command which needs to be executed is provided as well, that will remove the old key:

In the above-mentioned case, the command is:

ssh-keygen -f "/home/iv/.ssh/known_hosts" -R "[hostname-or-IP]"

Windows

By default, Windows does not support SSH connections. To establish one, you would need to use some SSH client.

PuTTY

If you are using PuTTY, you will get a warning but you will have the option to proceed:

If you know the reason for the key mismatch, click Yes.

Another way to remove the fingerprint key when using PuTTY is via Registry. To open it, type an app’s name Regedit in the Windows search bar.

Find the following destination:

HKEY_CURRENT_USER/Software/SimonTatham/PuTTY/SshHostKeys/

Saved connections on your computer will be listed here. You need to find the one that is causing an issue logging in and delete it.

OpenSSH

If you are using OpenSSH as an SSH client on Windows, you can remove the key by navigating to the .ssh folder. To find its location, enter %USERPROFILE% in the Windows search bar.

In .ssh folder find and open a file known_hosts.

Open the file and delete the key that has been causing trouble to log in.