Dealing with SSH Host Key Changes
The CAT periodically updates the SSH host keys on its servers for security purposes, which can result in users seeing an error message similar to the one below when attempting to connect with an MCECS Linux system.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:g38Q4Xc1UI4WcClY+GaohmhZSOHbgLo6+eYBFr0Iu6U.
Please contact your system administrator.
Add correct host key in /Users/me/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/me/.ssh/known_hosts:10
RSA host key for rita.cecs.pdx.edu has changed and you have requested strict checking.
Host key verification failed.
If you are unable to get past this error message, you will need to remove the old host key entry inside the known_hosts file.
In the example above, the message indicates that there is an entry for the server rita.cecs.pdx.edu located on line 10 of the known_hosts file that needs to be removed. These two lines give us the relevant information.
Offending RSA key in /Users/me/.ssh/known_hosts:10
RSA host key for rita.cecs.pdx.edu has changed and you have requested strict checking.
With these two pieces of information, you can choose one of several methods to edit the known_hosts file and get connected with our systems again.
MacOS, Linux, and MobaXterm Users on Windows
Method 1: ssh-keygen command
From the command line, you can delete the old host key entry with the following command. Make sure to replace $hostname with the system you are trying to connect with.
ssh-keygen -R $hostname
For the example up above, you would run the command ssh-keygen -R rita.cecs.pdx.edu to delete the entry for rita.cecs.pdx.edu.
Method 2: edit known_hosts directly
Using a text editor like vim or emacs, you can edit the known_hosts file and delete the old host key. For example, if you wanted to use vim, you would run the following command:
vim ~/.ssh/known_hosts
You would then delete the line containing the old host key. In the example up above, the key for rita.cecs.pdx.edu is on line 10.
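Method 2 as a script, added here as an example that is not part of the CAT's own instructions: it reads the saved warning text, compares the fingerprint in it with one obtained from the administrators, and only then backs up known_hosts and removes the single line the warning names. The function names, the trusted-fingerprint argument and the sample files are assumptions, and the sample key data is constructed.

```shell
#!/bin/sh
# Added example (not the CAT's tooling). The trusted fingerprint is assumed to
# come from the administrators, not from the warning itself.

# usage: fix_host_key WARNING_FILE TRUSTED_FINGERPRINT
fix_host_key() {
    warning=$1; trusted=$2
    loc=$(sed -n 's|^Offending .* key in \(.*:[0-9][0-9]*\)$|\1|p' "$warning")
    host=$(sed -n 's|^.* host key for \([^ ]*\) has changed.*$|\1|p' "$warning")
    seen=$(sed -n 's|^\(SHA256:[A-Za-z0-9+/]*\)\.*$|\1|p' "$warning")
    if [ -z "$loc" ] || [ -z "$host" ] || [ -z "$seen" ]; then
        echo "could not parse the warning" >&2; return 2
    fi
    # A fingerprint that differs from the trusted one is not a routine key change.
    if [ "$seen" != "$trusted" ]; then
        echo "fingerprint mismatch for $host: leaving known_hosts alone" >&2; return 1
    fi
    file=${loc%:*}; line=${loc##*:}
    entry=$(sed -n "${line}p" "$file")
    case $entry in
        "|1|"*) ;;  # hashed host name (HashKnownHosts): the name cannot be checked
        *)  names=${entry%% *}
            case ",$names," in
                *",$host,"*) ;;
                *) echo "line $line does not name $host" >&2; return 3 ;;
            esac ;;
    esac
    cp -p "$file" "$file.old" || return 4   # same backup name as Method 3
    sed "${line}d" "$file.old" > "$file"
}

# Constructed sample: a three-line known_hosts and the matching warning lines.
make_sample() {
    dir=$1
    printf '%s\n' \
        'ada.example.test ssh-ed25519 CONSTRUCTED-KEY-1' \
        'rita.cecs.pdx.edu,192.0.2.10 ssh-rsa CONSTRUCTED-OLD-KEY' \
        'ruby.example.test ssh-ed25519 CONSTRUCTED-KEY-2' > "$dir/known_hosts"
    printf '%s\n' \
        'The fingerprint for the RSA key sent by the remote host is' \
        'SHA256:g38Q4Xc1UI4WcClY+GaohmhZSOHbgLo6+eYBFr0Iu6U.' \
        "Offending RSA key in $dir/known_hosts:2" \
        'RSA host key for rita.cecs.pdx.edu has changed and you have requested strict checking.' \
        > "$dir/warning.txt"
}

demo=$(mktemp -d)
make_sample "$demo"
fix_host_key "$demo/warning.txt" 'SHA256:g38Q4Xc1UI4WcClY+GaohmhZSOHbgLo6+eYBFr0Iu6U' &&
    echo "removed line; backup in $demo/known_hosts.old"
```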
Method 3: delete known_hosts
If all else fails, you can delete your known_hosts file. As a precaution, you should make a copy of the file before deleting it with the following command:
cp ~/.ssh/known_hosts ~/.ssh/known_hosts.old
Then run the following command to delete the file:
rm ~/.ssh/known_hosts
Generally, the CAT upgrades SSH keys on all of its systems at the same time. For users who connect with multiple MCECS Linux systems, this may result in them seeing the host key error message repeatedly. In this case, it may be preferable to delete the known_hosts file and start from scratch.
MobaXterm users can also access their known_hosts file through File Explorer. By default, it will be in Documents\MobaXterm\home\.ssh
PuTTY users on Windows
If you are using PuTTY on Windows, you will need to use the Registry Editor to delete old SSH host keys.
First, search for Registry Editor or regedit in the Windows search box and then open the application.
Next, navigate to HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\SshHostKeys to find the list of SSH host keys.
Right click on the old entry and select Delete.