Fixing "Warning: Remote Host Identification Has Changed” Error

Clara - VPS Hosting Team

SSH (Secure Shell) uses unique keys for authentication, similar to SSL (Secure Sockets Layer). When you connect to a server via SSH, it generates a fingerprint for the ECDSA key, which is stored on your computer. This stored key is used for future connections to verify the server's identity and ensure a secure connection.

If the SSH client detects that the server’s fingerprint has changed, it displays the error message “Warning: Remote host identification has changed” during login. This error refers to the known_hosts file, which maintains a list of known SSH remote hosts and their associated keys for authentication purposes.

When connecting to a server for the first time, you will be prompted to confirm the connection. If you accept, the ECDSA key fingerprint is saved in the known_hosts file. However, if the server's ECDSA key changes, it could indicate that you might be connecting to a different server—potentially a malicious one capable of intercepting your data in a man-in-the-middle attack.

There are legitimate reasons for the ECDSA key fingerprint to change, including:

1. Operating system reinstallation

2. Changes to the server IP address, especially if "CheckHostIP yes" is configured

3.Connecting to the same server using a different hostname

To resolve this issue, follow these steps based on your operating system:

Linux and macOS

The simplest solution on these systems is to use the ssh-keygen utility to remove the problematic key from your known_hosts file. Execute the following command:

ssh-keygen -R [hostname-or-IP]

As mentioned, ECDSA key fingerprints are stored in the file known_hosts. In the error, you will see the line on that file is indicated.

The known_hosts file contains ECDSA key fingerprints, and the error message will indicate the line number where the old key is stored. You can manually remove the key by editing the file with a text editor:

nano /home/your_username/.ssh/known_hosts

Also, in the warning, the full command which needs to be executed is provided as well, that will remove the old key:

Alternatively, use the full command provided in the error message:

ssh-keygen -f "/home/your_username/.ssh/known_hosts" -R "[hostname-or-IP]"

Windows

By default, Windows does not include SSH support. You will need to use an SSH client such as PuTTY or OpenSSH.

PuTTY

If you are using PuTTY, you will get a warning but you will have the option to proceed:

If you know the reason for the key mismatch, click Yes.

Another way to remove the fingerprint key when using PuTTY is via Registry. To open it, type an app’s name Regedit in the Windows search bar.

Find the following destination:

Saved connections on your computer will be listed here. You need to find the one that is causing an issue logging in and delete it.

OpenSSH

If you are using OpenSSH as an SSH client on Windows, you can remove the key by navigating to the .ssh folder. To find its location, enter %USERPROFILE% in the Windows search bar.

In .ssh folder find and open a file known_hosts.

Open the file and delete the key that has been causing trouble to log in.