Introduction

At some point, you may run into this error while trying to connect to a remote host over SSH.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Please contact your system administrator.
Add correct host key in /home/maja/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/maja/.ssh/known_hosts:13 ECDSA host key 
for 192.167.0.24 has changed and you have requested strict checking. 
Host key verification failed.

So, what exactly happens here? During your first connection to a remote host over SSH, you're asked to confirm the authenticity of that host. Since there was no previous connection, your system has nothing to compare the host's key against, so it asks whether you're sure you want to make this connection. The system will ask you to approve the connection with the following message:

$ ssh remote.host
The authenticity of host 'remote.host (host.ip)' can't be established.
ECDSA key fingerprint is SHA256:wrwr/wer/er/weredetgh.
Are you sure you want to continue connecting (yes/no)? 

Afterward, it adds a fingerprint of the host's ECDSA key to the known_hosts file. On every later connection, the ECDSA fingerprints are compared, and if they are the same, you'll be able to connect to the remote host. If the fingerprints do not match, you'll get the error we're discussing here.

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! issue

But sometimes the remote host changes its ECDSA key. This can happen for a few reasons. One example is that you're not connecting to the host you wanted: some other machine took the IP of the machine you wanted to connect to. In that case, this error is intended to warn you that you're not connecting to the same machine. There is a type of attack called a "man-in-the-middle attack" (mentioned in the error), where this other machine is malicious and records the data you enter while you think you're connected to the right machine.

Another example that happened to me was that I made the first connection to my remote Raspberry Pi while it was on one OS. Then I installed another OS on its SD card, and when I tried to SSH to it, I was not able to because of the error above.

How to solve this issue?

The main issue here is that the fingerprints do not match. You could contact the admin of the server you're connecting to and check whether something about the machine changed. If you're sure it's safe to connect to it, then the only thing left is to remove the previous fingerprint from the known_hosts file so you're able to add a new one for the same IP.

There are two ways to solve this:

  • You could follow the instructions in the error message and manually remove the fingerprint from the known_hosts file. In my case, the fingerprint is stored on line 13 in the known_hosts file, as the error indicated.
...Offending ECDSA key in /home/maja/.ssh/known_hosts:13...
  • Another way would be to use the ssh-keygen -R (remove) command to achieve this.
ssh-keygen -R [ip.or.hostname]

In my case it would be:

 ssh-keygen -R 192.168.0.24

And that's it. The first time you connect, you'll be prompted to confirm adding the new ECDSA key fingerprint to your known_hosts file, and after that you'll be able to connect normally every time.
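The "if you're sure it's safe" step can be made into an explicit check before any line is removed. The following is an added example, not part of the original post: it finds the stored entries for a host (including hashed host names), computes their SHA256 fingerprints, and only lists lines for removal when the key the host presents matches a fingerprint the admin confirmed through a separate channel. The function names, the key blobs and the sample known_hosts content are constructed for illustration.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64):
    """Fingerprint as ssh prints it: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(host, salt):
    """Hashed host field (HashKnownHosts format): |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """Plain comma-separated names or a hashed field; wildcards and [host]:port are ignored."""
    if field.startswith("|1|"):
        return hash_host(host, base64.b64decode(field.split("|")[2])) == field
    return host in field.split(",")

def stored_keys(known_hosts, host):
    """Return (line number, key type, fingerprint) for each entry stored for host."""
    found = []
    for number, line in enumerate(known_hosts.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 3 and not line.startswith(("#", "@")) and host_matches(parts[0], host):
            found.append((number, parts[1], fingerprint(parts[2])))
    return found

def assess(known_hosts, host, key_type, presented_fp, confirmed_fp):
    """Decide what to do with the key the host presents; confirmed_fp comes from the admin."""
    stored = [e for e in stored_keys(known_hosts, host) if e[1] == key_type]
    if any(fp == presented_fp for _, _, fp in stored):
        return "connect", []
    if presented_fp != confirmed_fp:
        return "stop", []  # key is neither stored nor confirmed: remove nothing
    return "replace", [number for number, _, _ in stored]  # stale lines to delete

# Constructed sample: the key blobs are arbitrary bytes, not real host keys.
OLD = base64.b64encode(b"constructed old host key").decode()
NEW = base64.b64encode(b"constructed new host key").decode()
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "other.example ssh-ed25519 " + OLD,
    hash_host("192.168.0.24", b"constructed-salt-20b") + " ecdsa-sha2-nistp256 " + OLD,
])

if __name__ == "__main__":
    print(assess(KNOWN_HOSTS, "192.168.0.24", "ecdsa-sha2-nistp256",
                 fingerprint(NEW), fingerprint(NEW)))
```

A "stop" result means the presented key matches neither the stored entry nor the confirmed fingerprint, which is the case the warning exists for.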