SSH known_hosts issues


  • Applies to: All Service Types
  • Difficulty: Medium
  • Time Needed: 20
  • Tools Required: SSH

Introduction

READ ME FIRST

This article is provided as a courtesy. Installing, configuring, and troubleshooting third-party applications is outside the scope of support provided by (mt) Media Temple. Please take a moment to review the Statement of Support.

When a domain has been moved from one server to another, an issue with SSH logins may occur. The warning that most SSH programs give looks something like this:


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
06:ea:f1:f8:db:75:5c:0c:af:15:d7:99:2d:ef:08:2a.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:4
RSA host key for domain.com has changed and you have requested strict checking.
Host key verification failed.

The SSH program will print this message and usually exit, refusing to connect to the suspicious host. This problem arises when a site has moved to a different server: the new server's RSA host key, presented when the connection is established, does not match the old server's key that was recorded in known_hosts on an earlier connection.

Solution

In the case of a migration, you can be reasonably sure that the RSA key change is not an accident, but to connect to the new server you must remove the line in .ssh/known_hosts that corresponds to your domain name. This can be done by editing 'known_hosts' by hand, or, if your machine has Perl installed, you can use this one-liner:

perl -p -i -e 's/^example\.com.*\n//;' ~/.ssh/known_hosts

Substitute your actual domain for example.com, making sure to include a backslash before the dot. If you have several domains that have moved, you must repeat this step for each one.

NOTE:

You may also be able to remove the exact known_hosts entry with the following ssh-keygen command, run on your local machine. Remember to replace example.com with your own domain.

ssh-keygen -R example.com
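As an added example (not code from the original article or from Media Temple), the following POSIX shell function does the same job as the perl one-liner and ssh-keygen -R above, but matches the host name exactly rather than as a line prefix, so it also catches "example.com,203.0.113.10" and "[example.com]:2222" forms without touching "notexample.com", and it prints each line it removes so you can see which key is being forgotten. It assumes plain-text host names (HashKnownHosts off); hashed "|1|..." lines never match and should be handled with ssh-keygen -R. The sample known_hosts content and its key strings are constructed for the demo and are not real keys.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Remove every known_hosts entry for one host, reporting each removed line.
# Assumes un-hashed host names; "@cert-authority"/"@revoked" marker lines are
# handled by looking at the second field instead of the first.
remove_known_host() {
    host="$1"
    file="${2:-$HOME/.ssh/known_hosts}"
    tmp="$file.tmp.$$"
    awk -v h="$host" '
        # keep blank lines and comments untouched
        NF == 0 || $1 ~ /^#/ { print; next }
        {
            # a leading @marker shifts the host field one column to the right
            f = ($1 ~ /^@/) ? $2 : $1
            n = split(f, names, ",")
            hit = 0
            for (i = 1; i <= n; i++) {
                nm = names[i]
                # "[host]:port" is the form used for non-standard ports
                sub(/^\[/, "", nm)
                sub(/\]:[0-9]+$/, "", nm)
                if (nm == h) hit = 1
            }
            if (hit) {
                printf "removing line %d: %s\n", NR, $0 > "/dev/stderr"
                next
            }
            print
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample file for a dry run (fake key material, not real hosts).
make_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample known_hosts
example.com,203.0.113.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0fake1
[example.com]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIfake2
example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIfake3
notexample.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0fake4
EOF
}

# Count key entries in a known_hosts file, ignoring comments and blank lines.
count_entries() {
    grep -c -v -e '^[ 	]*#' -e '^[ 	]*$' "$1"
}

# Dry run on the constructed sample; prints the number of entries left (2).
demo_remaining_after_removal() {
    f=$(mktemp)
    make_sample_known_hosts "$f"
    remove_known_host example.com "$f" 2>/dev/null
    count_entries "$f"
    rm -f "$f"
}
```

Run it against your real file as `remove_known_host example.com` (the file defaults to ~/.ssh/known_hosts); the removed lines go to stderr so they are easy to keep for reference. On the next connection the client will prompt to accept the new server's key, and that is the moment to compare the fingerprint it shows with one obtained from the hosting provider rather than simply answering yes.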