SSH remote host identification has changed

You might recognise the situation: you try to log in to a server via ssh and, instead of the console, you get the “REMOTE HOST IDENTIFICATION HAS CHANGED” warning.

Let's assume you log in like this:

$ ssh username@

Here is an example of what the warning you receive might look like:

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /Users/username/.ssh/known_hosts to get rid of this message.
Offending key in /Users/username/.ssh/known_hosts:369
RSA host key for has changed and you have requested strict checking.
Host key verification failed.

What does that mean?

It is “only” a warning, but it prevents you from logging in to the host. It means that the host identification (fingerprint) you accepted when you logged in for the first time does not match the fingerprint presented on this connection attempt. As the message states, that can be a man-in-the-middle attack, but – as in my case – this also happens when you have re-installed your server. The IP/DNS name is the same, but the fingerprint has changed. If you know this is the reason, you need to remove the old host key/fingerprint and then accept the new fingerprint on the next login attempt.

Possibility one

On OS X, edit the file ‘/Users/username/.ssh/known_hosts’, go to the line number given in the message (369 in the example above) and delete that line (make sure it really is the right line before you delete it).

Possibility two

The easier way is to run a command that does the editing for you. It creates a backup of the old known_hosts file as /Users/username/.ssh/known_hosts.old. Of course, if you run it twice, the second run overwrites the first backup. To do this, run the following:

ssh-keygen -R

Accept the new fingerprint

Try to log in now and you will see the following output asking you to accept the unknown host’s fingerprint:

The authenticity of host ' (' can't be established.
RSA key fingerprint is 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef.
Are you sure you want to continue connecting (yes/no)?

After you have accepted the new fingerprint, it is stored permanently in the known_hosts file. Unless the fingerprint changes again, ssh will not prompt you about it again.
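
As an added example (not part of the original post): the fingerprint in the prompt is a hash of the key blob stored on the known_hosts line, so it can be recomputed and compared with a fingerprint obtained over a trusted channel such as the server console. The Python sketch below does that for the colon-separated MD5 form shown above and for the SHA256 form newer OpenSSH versions print; the host name server.example and both key lines are constructed sample data, not real keys.

```python
import base64
import hashlib
import struct

def fingerprints(known_hosts_line):
    """Return (md5, sha256) fingerprints of the key on one known_hosts line."""
    fields = known_hosts_line.split()
    if fields[0].startswith("@"):              # optional @cert-authority / @revoked marker
        fields = fields[1:]
    key_type, key_b64 = fields[1], fields[2]   # fields[0] is the (possibly hashed) host
    blob = base64.b64decode(key_b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line is damaged or was edited by hand incorrectly.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key blob")
    digest = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    sha_fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha_fp

def matches_trusted(known_hosts_line, trusted_fp):
    """True only if the stored key has the fingerprint obtained out of band."""
    md5_fp, sha_fp = fingerprints(known_hosts_line)
    trusted = trusted_fp.strip()
    if trusted.startswith("SHA256:"):          # base64 is case-sensitive
        return trusted == sha_fp
    if trusted.upper().startswith("MD5:"):     # hex is not
        trusted = trusted[4:]
    return trusted.lower() == md5_fp

def make_line(host, modulus):
    """Constructed sample: a syntactically valid ssh-rsa line, not a real key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + modulus)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

OLD_LINE = make_line("server.example", bytes(range(128, 192)))  # before re-install
NEW_LINE = make_line("server.example", bytes(range(192, 256)))  # after re-install

if __name__ == "__main__":
    # Stand-in for the fingerprint read on the server console (assumption).
    trusted = fingerprints(NEW_LINE)[0]
    print("old entry matches:", matches_trusted(OLD_LINE, trusted))
    print("new entry matches:", matches_trusted(NEW_LINE, trusted))
```

If the comparison fails for the key the server presents after a re-install, the changed fingerprint is not explained by the re-install and should not be accepted.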
