How to Fix the Error “Host Key Verification Failed”


When connecting a server first time using ssh, what happens in the background?
The first time you connect to a server, you are asked to confirm that you are connecting to the correct system. The example below uses the ssh command to connect to a remote host named host03:
# ssh host03
The authenticity of host ‘host03 (192.0.2.103)’ can’t be established. ECDSA key fingerprint is …
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘host03,192.0.2.103’ (ECDSA) to the list of known hosts.
One of the major features of OpenSSH is host validation: it checks that you are connecting to the host you believe you are connecting to. Once you validate by answering yes, the client appends the server’s public host key to the user’s ~/.ssh/known_hosts file, creating the ~/.ssh directory if it does not yet exist. When you connect to the same remote server again, the client compares the stored key with the one the server supplies. If they match, you are not asked to verify again.
What causes host key verification failed error?
You will receive a warning whenever the key the server presents does not match the one stored in known_hosts, which is exactly what happens when someone tries to trick you into logging into a machine of theirs so that they can spy on your SSH session. The notification looks like the following:
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
dd:cf:50:31:7a:78:93:13:dd:99:67:c2:a2:19:22:13.
Please contact your system administrator.
Add correct host key in /home/user01/.ssh/known_hosts to get rid of this message.
Offending key in /home/lcz/.ssh/known_hosts:7
RSA host key for 192.168.219.149 has changed and you have requested strict checking.
Host key verification failed.
If you get this message, we suggest that you stop what you are doing and determine whether there is a legitimate reason for your remote server’s host key to have changed. This could be that the SSH server was upgraded or that the server itself was upgraded or reinstalled. If none of these apply and there is no good reason for the host key to change, we recommend that you do not connect to that machine until you have resolved the situation.
How to correct the “host key verification failed” error
Method 1 – remove old key manually
- The old keys are stored in ~/.ssh/known_hosts on the source (client) machine.
- If you know why the SSH server has a different key, edit the known_hosts file.
- Remove the key entry that is no longer valid.
- The entry lives in the known_hosts file of the specific user who connects to the destination server.
Example: for destination server 192.168.219.140, from the file /home/user01/.ssh/known_hosts.
# vim /home/user01/.ssh/known_hosts
172.104.9.113 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLrY91bQOihgFZQ2Ay9KiBG0rg51/YxJAK7dvAIopRaWzFEEis3fQJiYZNLzLgQtlz6pIe2tj9m/Za33W6WirN8=
192.168.219.148 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=
192.168.219.149 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=
Delete:
192.168.219.148 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=
192.168.219.149 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=
Method 2 – remove old key using ssh-keygen command
You can do this with the following command syntax:
$ ssh-keygen -R [hostname|IP address]
In this case, we will use the IP address to delete the old key.
$ ssh-keygen -R 192.168.219.149
# Host 192.168.219.149 found: line 3
/home/user01/.ssh/known_hosts updated.
Original contents retained as /home/user01/.ssh/known_hosts.old
Keep in mind that if you do not know why your SSH server has a different key, either your known_hosts file is incorrect or someone may be probing your server and network connections.
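Before deleting anything, it helps to see what the client actually compares. The following Python is an added example, not part of the original article: it looks up a host in a known_hosts file (plain, comma-separated and HashKnownHosts-hashed entries), reports the offending line number, and computes the stored key's SHA256 and MD5 fingerprints in the formats ssh prints so they can be checked against the fingerprint in the warning. The embedded entries are the article's own listing, used here as constructed input.

```python
import base64
import hashlib
import hmac

# Constructed known_hosts content: the three entries from the article's
# listing (line 3 is the host named in the warning).
KNOWN_HOSTS = """\
172.104.9.113 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLrY91bQOihgFZQ2Ay9KiBG0rg51/YxJAK7dvAIopRaWzFEEis3fQJiYZNLzLgQtlz6pIe2tj9m/Za33W6WirN8=
192.168.219.148 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=
192.168.219.149 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=
"""

def hash_hostname(host, salt):
    """Build the '|1|salt|hash' field that HashKnownHosts writes:
    base64 salt and base64 HMAC-SHA1(salt, hostname)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def host_matches(field, host):
    """True if a host field (plain, comma-separated or hashed) names host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(mac_b64), got)
    return host in field.split(",")

def fingerprints(key_b64):
    """(SHA256, MD5) fingerprints of a base64 key blob, formatted as ssh
    prints them: 'SHA256:<unpadded base64>' and colon-separated hex."""
    blob = base64.b64decode(key_b64)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))

def find_host_keys(known_hosts, host):
    """(line_number, key_type, sha256_fp, md5_fp) for every entry naming host."""
    hits = []
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        parts = line.split()
        if parts and parts[0].startswith("@"):   # @revoked / @cert-authority
            parts = parts[1:]
        if line.startswith("#") or len(parts) < 3:
            continue
        if host_matches(parts[0], host):
            sha, md5 = fingerprints(parts[2])
            hits.append((lineno, parts[1], sha, md5))
    return hits
```

OpenSSH's own tools do the same lookup with `ssh-keygen -F <host>` and the same fingerprint with `ssh-keygen -lf <file>`; the code shows what those commands compute, and a fingerprint that matches the warning confirms the stored entry is the one to remove rather than an unrelated line.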
Verify
If you are asked to confirm the remote server’s new key so that it can be added to your ~/.ssh/known_hosts file, the old key was successfully removed. Once you confirm the request, your source machine adds the new key to your ~/.ssh/known_hosts file.
$ ssh root@192.168.219.149
The authenticity of host ‘192.168.219.149 (192.168.219.149)’ can’t be established.
ECDSA key fingerprint is SHA256:V+iGp3gwSlnpbtYv4Niq6tcMMSZivSnYWQIaJnUvHb4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.219.149’ (ECDSA) to the list of known hosts.