Elegant way to remove offending key from known hosts —13 May 2014
This should look familiar:
$ ssh mars
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
67:7e:21:58:e4:12:eb:d4:3c:22:45:69:f5:08:63:ee.
Please contact your system administrator.
Add correct host key in /home/jack/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/jack/.ssh/known_hosts:17
RSA host key for example.com has changed and you have requested strict checking.
Host key verification failed.
Let’s assume you know for a fact it’s not really a man in the middle attack. For example your sysadmin told you yesterday that they installed a new SSL certifate on your server “mars”. Here are some solutions, in increasing order of elegance and awesomeness:
-
Fire up your text editor, find line 17, delete it, save the file (booo!)
-
Fire up
vim ~/.ssh/known_hosts, press17Gto jump to line 17, pressddto delete the line, press:wqto save and exit (yeah, rockin’!) -
Fire up
vim +17 ~/.ssh/known_hosts, pressddand then:wq -
Run
vim +17d +wq ~/.ssh/known_hosts, jobs done -
Run
ssh-keygen -R example.com, jobs done
The last one is the best, but I don’t like that it’s so unintuitive. What’s this to do with generating keys!
Notice that in the ssh-keygen -R servername command you cannot use the SSH alias name, like I did ssh mars in the beginning.
You have to type the server name as it is written near the end of the error message, example.com in this example.
Since it’s unintuitive, it’s not easy to remember. Hence this blog post ;-)