SSH host key verification failed

You receive a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and a "Host key verification failed" error when trying to connect through SSH to a computer you successfully connected to in the past. This article documents how to remove the offending cached key so you can connect successfully.

Symptoms

When trying to connect via SSH to a remote computer with strict host key checking enabled, you will receive a warning followed by a failure message:

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
Host key verification failed

SSH Connection Error

Environment

  • SSH client
  • Linux
  • Mac OSX
  • Windows

Cause

There are a few reasons why you may receive this error when trying to SSH into a computer you have successfully logged into on previous occasions. Here are the two most common:

  • The machine has been re-installed with the same hostname, but the original host keys were not restored. New keys were generated during the re-install, so they do not match the old ones in your known_hosts file.
  • The machine you are trying to connect to has been moved to a different DNS name or IP address, so the name or address you use now resolves to a different host with its own keys.

Resolution

You will need to remove/delete the old host key from where it is stored on your local computer. Before you do, confirm with the machine's administrator that the key really did change (for example, because of a re-install): the same warning is shown if a different host is answering in the middle of the connection, and removing the old key without checking would silently accept it.

Deleting the entry with vim in Linux or Mac

You will need to delete the old entry for the destination computer in your known_hosts file, which resides in the hidden .ssh folder under your home directory on the computer you are trying to start the SSH connection from. (You will either need to be logged in as the individual user, or su to the root account to access the known_hosts file in that user's .ssh folder under their home directory.)

  1. Open up a terminal session.
  2. Change to the hidden .ssh folder in the home directory of the user account trying to ssh: cd ~/.ssh/
  3. Edit the file: vim known_hosts
  4. Using the down arrow key, scroll down until you find the line that begins with the computer name or IP address that you are trying to SSH into. (If your client hashes known_hosts entries, the lines begin with |1| instead of a hostname; in that case use the ssh-keygen method below, which can still find the entry.)
  5. With your cursor on that line, press the d key twice which should delete the entire line.
  6. Press Esc, then type :wq, then press Enter.
  7. Now you should be able to try the session again, and you will be prompted to add the new key to the cache.

Alternate one-line method: delete the entry with the ssh-keygen command on Linux or Mac

  • You need to be logged in as the user for whom the ssh command is failing.
  • This command will create a backup copy of the known_hosts file with the .old extension (known_hosts.old).
  • You can delete either the entry for a hostname or the entry for an IP address using this command.

To do so:

  1. Open up a terminal session and type one of the following, depending on whether you were connecting by hostname or by IP address when you received the error:
    • ssh-keygen -R machine.example.lsa.umich.edu
    • ssh-keygen -R ipaddress
  2. Now you should be able to try the session again, and you will be prompted to add the new key to the cache.
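Both procedures above come down to the same operation: find the known_hosts line for the host, back the file up, and delete that line. The following Python script is an added example (not part of this article, and not OpenSSH's own code) that does this programmatically. Unlike the manual vim search, it also recognises hashed entries (lines beginning with |1|, produced when HashKnownHosts is enabled) by recomputing the HMAC-SHA1 for the hostname, and it prints the SHA256 fingerprint of each removed key so you can compare it with what the administrator reports for the rebuilt machine. The sample known_hosts contents, key blobs and salt are constructed for illustration and are not real keys.

```python
"""Find and remove stale known_hosts entries for a host, including hashed ones.
Added example; not part of the original article or of OpenSSH."""
import base64
import hashlib
import hmac
import re
import shutil
import tempfile
from pathlib import Path

# Constructed, non-functional key blob used only to build sample lines.
FAKE_KEY = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"\x00" * 36).decode()
# Constructed salt for the hashed sample entry (real salts are random).
SAMPLE_SALT = bytes(range(20))


def hash_host(host: str, salt: bytes) -> str:
    """Build the '|1|salt|digest' form OpenSSH writes when HashKnownHosts is on."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _pattern_to_regex(pattern: str) -> str:
    # OpenSSH host patterns know only '*' and '?'; everything else is literal
    # (no [] character classes, so '[host]:port' entries are matched verbatim).
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def host_matches(host_field: str, host: str) -> bool:
    """True if the host field of a known_hosts line covers `host`.

    `host` must be written the way OpenSSH stores it, e.g. '[name]:2222' for a
    non-default port. Handles hashed fields and comma-separated pattern lists
    with '*', '?' and '!' negation.
    """
    if host_field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = host_field.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    matched = False
    for pattern in host_field.split(","):
        negated = pattern.startswith("!")
        if re.fullmatch(_pattern_to_regex(pattern.lstrip("!")), host):
            if negated:  # a matching negated pattern vetoes the whole entry
                return False
            matched = True
    return matched


def parse_line(line: str):
    """Return (marker, host_field, key_type, key_b64), or None for blank/comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    marker = fields.pop(0) if fields[0].startswith("@") else None  # @cert-authority / @revoked
    if len(fields) < 3:
        return None
    return marker, fields[0], fields[1], fields[2]


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob, for out-of-band comparison."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def remove_host(known_hosts: Path, host: str) -> list:
    """Drop every line whose host field matches `host`, writing known_hosts.old
    first (the same backup `ssh-keygen -R` makes). Returns the removed lines."""
    keep, removed = [], []
    for line in known_hosts.read_text().splitlines(keepends=True):
        parsed = parse_line(line)
        (removed if parsed and host_matches(parsed[1], host) else keep).append(line)
    if removed:
        shutil.copy2(known_hosts, known_hosts.with_name(known_hosts.name + ".old"))
        known_hosts.write_text("".join(keep))
    return removed


# Constructed sample: a plain entry, a hashed entry for the same host,
# two unrelated entries and a comment.
TARGET = "machine.example.lsa.umich.edu"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "%s,10.0.0.5 ssh-ed25519 %s" % (TARGET, FAKE_KEY),
    "%s ssh-ed25519 %s" % (hash_host(TARGET, SAMPLE_SALT), FAKE_KEY),
    "other.example.com ssh-rsa %s" % FAKE_KEY,
    "[jump.example.com]:2222 ssh-ed25519 %s" % FAKE_KEY,
]) + "\n"


def demo(host: str = TARGET):
    """Run the removal on a temporary copy of the sample. Returns
    (removed entry count, remaining non-blank lines, backup file exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        kh = Path(tmp) / "known_hosts"
        kh.write_text(SAMPLE_KNOWN_HOSTS)
        removed = remove_host(kh, host)
        for line in removed:  # what was dropped, with the fingerprint to check against the admin's
            _, host_field, _, key = parse_line(line)
            print("removed %-30.30s fingerprint %s" % (host_field, fingerprint(key)))
        remaining = [l for l in kh.read_text().splitlines() if l.strip()]
        return len(removed), len(remaining), kh.with_name("known_hosts.old").exists()


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the removal on the constructed file; on a real system you would call remove_host(Path.home() / ".ssh" / "known_hosts", "hostname") instead. With OpenSSH installed, ssh-keygen -R hostname performs the same removal, including the .old backup, so the script is mainly useful for understanding what that command does and for checking the fingerprint of the key being discarded.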

Windows

One of the most popular SSH clients on Windows is PuTTY. PuTTY stores its cache of SSH host keys in the registry. You will need an administrator account to use regedit.

To clear old PuTTY host keys from the Windows registry, do the following:

  1. Click the Start button and type regedit in the search box. You may need to click 'Yes' when the User Account Control dialog is prompted.
  2. Navigate to HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys.
  3. PuTTY’s cache of host keys will be listed. The Name column shows the cache of keys corresponding to various servers, in the format algo@port:host.
  4. Scroll down to find the existing key corresponding to the machine you are having errors connecting to.
  5. Right click the key name and select Delete to remove the row corresponding to the computer.
  6. Now you should be able to try the session again, and PuTTY will prompt you to add the new key to PuTTY's cache.

Details

Article ID: 1779
Created: Wed 5/27/20 10:58 AM
Modified: Mon 8/31/20 9:22 AM