Dealing with SSH Host Key Changes

The CAT periodically updates the SSH host keys on its servers for security purposes, which can result in users seeing an error message similar to the one below when attempting to connect to an MCECS Linux system.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:g38Q4Xc1UI4WcClY+GaohmhZSOHbgLo6+eYBFr0Iu6U.
Please contact your system administrator.
Add correct host key in /Users/me/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/me/.ssh/known_hosts:10
RSA host key for rita.cecs.pdx.edu has changed and you have requested strict checking.
Host key verification failed.

If you are unable to get past this error message, you will need to remove the old host key entry from the known_hosts file.

In the example above, the message indicates that there is an entry for the server rita.cecs.pdx.edu located on line 10 of the known_hosts file that needs to be removed. These two lines give us the relevant information.

Offending RSA key in /Users/me/.ssh/known_hosts:10
RSA host key for rita.cecs.pdx.edu has changed and you have requested strict checking.

With these two pieces of information, you can choose one of several methods to edit the known_hosts file and get connected with our systems again.




MacOS, Linux, and MobaXterm Users on Windows

Method 1: ssh-keygen command

From the command line, you can delete the old host key entry with the following command. Make sure to replace $hostname with the name of the system you are trying to connect to.

ssh-keygen -R $hostname

In the example above, you would run the command ssh-keygen -R rita.cecs.pdx.edu to delete the entry for rita.cecs.pdx.edu.

Method 2: edit known_hosts directly

Using a text editor like vim or emacs, you can edit the known_hosts file and delete the old host key. For example, if you wanted to use vim, you would run the following command:

vim ~/.ssh/known_hosts

You would then delete the line containing the old host key. In the example above, the key for rita.cecs.pdx.edu is on line 10.
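The same edit done programmatically, as an added example that is not the CAT's own tooling: it removes only the entries for one host whose key fingerprint is not in a trusted set, and it also recognizes hashed host fields (written when HashKnownHosts is enabled). The function names are hypothetical, the sample entries are constructed, and the trusted fingerprint is assumed to have been confirmed with the CAT through a separate channel.

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    """SHA256 fingerprint of a public key blob, in the form ssh prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_field(hostname, salt):
    """Host field as written with HashKnownHosts: |1|salt|HMAC-SHA1(host)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def names_host(field, hostname):
    """Exact-name match only; wildcard and [host]:port patterns never match."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return field == hashed_field(hostname, salt)
    return hostname in field.split(",")

def prune_stale(text, hostname, trusted_fps):
    """Drop hostname's entries whose key fingerprint is not trusted.
    Returns (new_text, removed_line_numbers); other lines are kept verbatim."""
    kept, removed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        f = line.split()
        is_entry = len(f) >= 3 and not line.startswith(("#", "@"))
        if (is_entry and names_host(f[0], hostname)
                and fingerprint(f[2]) not in trusted_fps):
            removed.append(lineno)  # same numbering as "known_hosts:10"
        else:
            kept.append(line)
    return "".join(k + "\n" for k in kept), removed

# Constructed sample data: these blobs are placeholders, not real host keys.
OLD = base64.b64encode(b"constructed old host key").decode()
NEW = base64.b64encode(b"constructed new host key").decode()
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "other.example.org ssh-ed25519 " + OLD,
    "rita.cecs.pdx.edu ssh-rsa " + OLD,
    hashed_field("rita.cecs.pdx.edu", b"constructed salt") + " ssh-rsa " + NEW,
]) + "\n"

if __name__ == "__main__":
    # Assumption: fingerprint(NEW) stands in for the value the CAT confirmed.
    text, removed = prune_stale(SAMPLE, "rita.cecs.pdx.edu", {fingerprint(NEW)})
    print("removed lines:", removed)
    print(text, end="")
```

To apply it to a real file, read ~/.ssh/known_hosts into a string, keep a copy of the original, and write the returned text back.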

Method 3: delete known_hosts

If all else fails, you can delete your known_hosts file. As a precaution, first make a copy of the file with the following command:

cp ~/.ssh/known_hosts ~/.ssh/known_hosts.old

Then run the following command to delete the file:

rm ~/.ssh/known_hosts

Generally, the CAT upgrades SSH keys on all of its systems at the same time. Users who connect to multiple MCECS Linux systems may therefore see the host key error message repeatedly. In this case, it may be preferable to delete the known_hosts file and start from scratch.

MobaXterm users can also access their known_hosts file through File Explorer. By default, it is in the Documents\MobaXterm\home\.ssh folder.


PuTTY users on Windows

If you are using PuTTY on Windows, you will need to use the Registry Editor to delete old SSH host keys.

First, search for Registry Editor or regedit in the Windows search box and then open the application.

Searching for Registry Editor application through the Windows search box

Next, navigate to HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\SshHostKeys to find the list of SSH host keys.

Registry Editor navigated to the Putty SSH host key location

Right-click on the old entry and select Delete.

Deleting the old SSH host key registry entry