How to fix: “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!”

James Bhatta
2 min read · Jan 18, 2021

One of the checks SSH performs when you connect is the following, which identifies when the fingerprint of a server has changed:

When you connect to a server via SSH, your client gets a fingerprint for the server’s ECDSA key, which it then saves to your home directory under ~/.ssh/known_hosts. This happens the first time you connect to the server, and SSH will prompt you with a message like this:

If you enter ‘yes’, then the fingerprint is saved to the known_hosts file, which SSH then consults every time you connect to that server.

But what happens if a server’s ECDSA key has changed since you last connected to it? This is alarming because it could actually mean that you’re connecting to a different server without knowing it. If this new server is malicious then it would be able to view all data sent to and from your connection, which could be used by whoever set up the server. This is called a man-in-the-middle attack. This scenario is exactly what the “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!” message is trying to warn you about.

Fixing the issue

Manually Resolve via known_hosts

  • In the warning message find the line that tells you where the offending ECDSA key is located in the known_hosts file. In my example this line said "Offending ECDSA key in /Users/James/.ssh/known_hosts:14", which refers to line 14.
  • Open the known_hosts file specified in the warning message
  • Delete the line specified in the warning message

By deleting this line, your SSH client won’t have an ECDSA key fingerprint to compare to, and thus will ask you again to verify the authenticity of the server the next time you connect. Once done, you’ll have a new fingerprint in your known_hosts file for this server, and the warning will be gone.

Resolve using ssh-keygen

Another solution would be to use the ssh-keygen utility to delete the offending key from your known_hosts file, which can be done with the following command:

$ ssh-keygen -R [hostname-or-IP]

So in my example I’d use it like this:

$ ssh-keygen -R ec2-192-168-1-1.compute-1.amazonaws.com

This method is good if you don’t want to manually alter the known_hosts file yourself, and the utility is easier to use if you have multiple hostnames and IP addresses to fix. It can also handle hashed hostnames in a known_hosts.old file.
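
Before removing the entry with either method, confirm that the new key is the one you expect. The Python sketch below is an added example, not part of the original article: it reads the warning text, fingerprints the stored known_hosts entry, and allows removal only when the fingerprint shown in the warning matches one you obtained out-of-band (for example from the server console). The warning text and keys are constructed sample data, and the names review and trusted_fp are hypothetical.

```python
import base64, hashlib, re, struct

def fingerprint(key_b64):
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def review(warning, known_hosts_text, trusted_fp):
    """Decide whether the offending line may be removed.

    trusted_fp is the fingerprint obtained out-of-band (server console, admin).
    """
    where = re.search(r"Offending (\S+) key in (.+):(\d+)", warning)
    sent = re.search(r"sent by the remote host is\s+(SHA256:[A-Za-z0-9+/]+)", warning)
    if not where or not sent:
        raise ValueError("unrecognised warning text")
    lineno = int(where.group(3))
    fields = known_hosts_text.splitlines()[lineno - 1].split()
    if fields[0].startswith("@"):          # skip @cert-authority / @revoked marker
        fields = fields[1:]
    stored_fp = fingerprint(fields[2])     # fields: hosts, key type, base64 key
    presented_fp = sent.group(1)
    return {
        "file": where.group(2),
        "line": lineno,
        "stored": stored_fp,
        "presented": presented_fp,
        # Remove the old entry only if the new key is the one you verified.
        "remove": presented_fp == trusted_fp and presented_fp != stored_fp,
    }

def _blob(seed):
    """Constructed, ECDSA-shaped key blob for the demo; not a real host key."""
    parts = [b"ecdsa-sha2-nistp256", b"nistp256",
             b"\x04" + hashlib.sha256(seed).digest() * 2]
    raw = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(raw).decode()

HOST = "ec2-192-168-1-1.compute-1.amazonaws.com"   # hostname from the article
OLD_KEY, NEW_KEY = _blob(b"old"), _blob(b"new")
KNOWN_HOSTS = "\n".join(["# filler"] * 13 + [f"{HOST} ecdsa-sha2-nistp256 {OLD_KEY}"])
WARNING = (                                         # constructed, OpenSSH-style text
    "The fingerprint for the ECDSA key sent by the remote host is\n"
    f"{fingerprint(NEW_KEY)}.\n"
    "Offending ECDSA key in /Users/James/.ssh/known_hosts:14\n"
)

if __name__ == "__main__":
    print(review(WARNING, KNOWN_HOSTS, trusted_fp=fingerprint(NEW_KEY)))
```

If "remove" comes back False, leave known_hosts alone and find out why the server is presenting an unexpected key.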
