Remove key from known_hosts

140

47

I built several virtual machines during the last few weeks. The problem is, the .ssh/known_hosts gives me the Man in the middle warning. This happens because another fingerprint is associated with the virtual machine IP.

In the .ssh/known_hosts file, however, I don't find the record related to the IP, only two bizarre, key-like strings and "ssh-rsa".

Does anyone have any ideas about how to remove the old key from known_hosts?

Adam Matan

Posted 2009-08-26T16:00:30.947

Reputation: 5 930

7The "bizarre, key-like strings" you refer to are the hashed hosts/ip addresses. This a security feature which helps stops an intruder from knowing which systems you have access to. If you see this then your ssh_config has HashKnownHosts yes set. – Deebster – 2014-07-12T15:03:59.477

1If you feel the file contents are too confusing, you probably have line-wrapping activated. Deactivate it. All lines start with a host name or an IP address. – Daniel B – 2018-06-28T08:01:40.160

Answers

91

sed -i '6d' ~/.ssh/known_hosts

Will modify the file ~/.ssh/known_hosts:6 , removing the 6th line.

In my opinion, using ssh-keygen -R is a better solution for an openssh power user, while your regular Linux admin would do better to keep his/her sed skills fresh by using the above method.

mikewaters

Posted 2009-08-26T16:00:30.947

Reputation: 1 323

20I don't think it's a good advice to edit a configuration file manually if you have an official application for that. Taking risks doesn't make you a pro, finding the quickest and safest option does. It's like telling people to go ahead and edit /etc/sudoers without visudo. If you want to sharpen your sed skills, go ahead and do that without messing up your system. – kraxor – 2014-06-27T11:56:25.010

2"if you have an official application for that" => both ssh-keygen -R and sed -i {line}d are pretty "official", and both will work for the foreseeable future. Util ssh-keygen allows removal by line number, both are perfectly acceptable (because, line numbers are often easier to deal with, and less error prone, than dealing with modern data center host-names). – michael – 2016-09-20T09:26:00.970

3A)The deletion of specifically the 6th line, is all very "look no hands". No explanation at all as to what is significant about the 6th line of the file?! B)Also man ssh-keygen mentions ssh-keygen -R hostname you've just said ssh-keygen -R with no hostname specified, and you haven't explained what you mean by that. – barlop – 2018-03-16T05:33:49.530

139

The simplest solution is:

rm -f .ssh/known_hosts

ssh will recreate the file again, but you lose key checking for other hosts!

Or, you can use:

ssh-keygen -R "hostname"

Or the ssh "man-in-the-middle" message should indicate which line of the known_hosts file has the offending fingerprint. Edit the file, jump to that line and delete it.

Sean Staats

Posted 2009-08-26T16:00:30.947

Reputation: 1 861

19Removing the file is a bad advice, it's like telling someone to buy a new PC because the old one has a broken mouse. Manually editing a file that can be edited by an official application is also a bad idea. The ssh-keygen option was added because of a comment, but with no explanation. I don't think this answer deserves so many upvotes. – kraxor – 2014-06-27T11:52:22.390

13-1 because of the whole "delete the whole known_hosts file" first lines. This is a terrible, terrible, terrible thing to propose, and should be edited out. – Olivier Dulac – 2015-03-09T10:35:36.757

4This solution is overkill. Just remove the offending line. That's it. – Blake Frederick – 2016-05-11T18:31:37.473

Are newest known_hosts added on the top line or bottom? – hello_there_andy – 2017-02-13T23:49:54.830

Thanks for mentioning ssh-keygen -R. I just wanted to remove a host from known_hosts for testing purposes (i.e. without that the host key changed) and this hosts entry was hashed... – Andre Holzner – 2011-05-04T09:21:31.670

Correct - the line number is somewhat shy : "Add correct host key in /home/adam/.ssh/known_hosts to get rid of this message. Offending key in /home/udi/.ssh/known_hosts:48". Removed line 48 and it worked! – Adam Matan – 2009-08-26T16:17:23.253

61ssh-keygen -R hostname will work too. – user1686 – 2009-08-26T17:14:43.247

7If we remove that file, other keys will remove too. – shgnInc – 2014-05-04T09:13:13.263

89

There is an ssh-keygen switch (-R) for this.

man ssh-keygen reads:

-R hostname

Removes all keys belonging to hostname from a known_hosts file. This option is useful to delete hashed hosts (see the -H option above).

user201564

Posted 2009-08-26T16:00:30.947

Reputation: 991

Note: This will change the permissions of the known_hosts file to 0600. If you have a shared known_hosts file for any reason, this could disable the sharing of it. – Jiri Klouda – 2017-09-11T18:04:58.273

and the correct one. Also, I had to do [localhost]:port, using the brackets because I used a custom port I guess =/. Like others have said, I would also use the no SSH key-checking approach for my transient/test system development. – Pysis – 2018-10-26T12:58:46.950

This removes all ocurences so the best way. You can add new key with: ssh-keyscan -H my.ssh.server.example.com >> ~/.ssh/known_hosts; – Nux – 2019-10-16T11:08:09.520

9This is the easiest and safest method. – chicken – 2014-04-15T14:13:04.403

18

The warning will tell you the exact line in the known hosts file.

Here's an example:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for foo-bar.net has changed,
and the key for the corresponding IP address 127.0.0.1
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/user/.ssh/known_hosts:6
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

See the /home/user/.ssh/known_hosts:6 part? It specifies the file and line number.

innaM

Posted 2009-08-26T16:00:30.947

Reputation: 9 208

11

You need to run the following command to get rid of this problem. Open the terminal and type the following command:

For all examples below just replace the value after -R

ssh-keygen -R server-name
ssh-keygen -R server.ip.addre.ss
ssh-keygen -R 202.54.1.5
ssh-keygen -R server1.example.com

Tarun Gupta

Posted 2009-08-26T16:00:30.947

Reputation: 213

This method has already been suggested in the previous answers. Could you expanded upon what is different in your answer? – Burgi – 2016-05-31T08:02:46.133

@Burgi - this answer gives more detail about the syntax of ssh-keygen -R than any of the other answers so far. It show by example exactly what you can write after -R. So this answer is worthwhile, even though it is not a totally new answer. – Yitz – 2017-12-25T09:03:49.467

@Yitz My comment was made as part of review. At the time (18 months ago) I thought the question needed a little help to make it even better. – Burgi – 2017-12-25T23:01:47.097

8

You can also instruct ssh to not check the known_hosts file using the UserKnownHostsFile and StrictHostKeyChecking flags.

For instance:

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user@example.com

For ease of use you can alias this:

alias boldssh='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'

Now you can just boldssh whenever you are sure you trust the server's certificate.

rouble

Posted 2009-08-26T16:00:30.947

Reputation: 554

9What a horrible idea. Permanently disable a layer of security just because you're too lazy keeping your ~/.ssh/known_hosts up-to-date? Why not just go ahead and use telnet? "whenever you are sure" - if you are ever sure, then you have no idea what a MITM attack is and you should probably spend some time reading some good literature. – kraxor – 2014-06-27T12:02:08.647

2Based on the OP's question I think this is a valid answer. Sometimes you have a test system that you're creating/destroying a lot of VMs on. (I'm doing this right now as I prep for the RHCE exam.) There might not be any security implications. While noting the security implications is great, I don't think this has to be labeled a "horrible idea". – Rick Chatham – 2015-10-01T19:54:13.020

related: http://superuser.com/a/1126243/73961

– michael – 2016-09-20T09:31:59.387

4

All answers are good, but for real SSH pro we have missing information how to remove ssh signature with port number.

  • Simple SSH host signature remove command:

    ssh-keygen -R example.com

  • Complex ssh key remove, e.g. you connect to ssh on non standard port 222:

    ssh example.com -p 222

and you get warning, and to remove this, you need to use square brackets colon port number:

    ssh-keygen -R [example.com]:222

Hope this helps for non-standard configuration users.

Arunas Bartisius

Posted 2009-08-26T16:00:30.947

Reputation: 895

Exactly what I've been looking for. Thank you! – aexl – 2019-10-03T12:42:05.250

1

Here is a method using Ex editor:

ex +6d -scwq ~/.ssh/known_hosts

where 6th is your line number mentioned in the warning message. Such as this one:

Offending key for IP in /home/user/.ssh/known_hosts:6 <== LINE NUMBER

In general, it's advised to use ex to edit the files non-interactively, instead of sed, which is more a Stream EDitor and its -i parameter which is a non-standard FreeBSD extension.

kenorb

Posted 2009-08-26T16:00:30.947

Reputation: 16 795

0

You can also remove a single line from known hosts with e.g. rmknownhost 111 (111 is the line to remove):

#! /usr/bin/env ruby
line = ARGV[0] || raise("gimme line to remove")
hosts = File.expand_path("~/.ssh/known_hosts")
content = File.readlines(hosts)
removed = content.delete_at line.to_i - 1
puts "Removed:\n#{removed}"
File.open(hosts, 'w'){|f| f.write content * ""}

Save this as rmknownhost in a folder from your PATH.

grosser

Posted 2009-08-26T16:00:30.947

Reputation: 355

2You could have just posted your script here instead of linking your own blog entry that you created on the day you posted this answer. This qualifies as spam IMHO. Not to mention that you could create a simple alias to achieve the same result, no need for a 7 lines long ruby script. – kraxor – 2014-06-27T12:08:32.617

What's the benefit of this over doing it in any given text editor? Is there some reason not to do it that way, like how sudoers has to be edited with visudo? – Andy Lester – 2010-06-22T16:37:22.250

1or just add this to your ~/.bashrc: sshdel() { sed -i "${@}d" ~/.ssh/known_hosts; } and call it with sshdel [line number]. no ruby, no binary, no worries. – rubynorails – 2019-09-24T17:19:54.953

What distros come with this? Ubuntu doesn't seem to have it. – flickerfly – 2013-07-19T13:54:32.613

The benefit is that it's automated and quick / it's a separate binary you add yourself – grosser – 2013-07-20T15:17:10.213

0

The entry for the host name or ip should be in the first column. The warning should also list a line number where the offending key lies.

stimms

Posted 2009-08-26T16:00:30.947

Reputation: 848

0

It is a text file. You can easily edit with vi(m) and simply delete the line in question (dd), and save the file (wq). But if there is a specific command to remove a host, that's probably the safest method.

Ryan Griggs

Posted 2009-08-26T16:00:30.947

Reputation: 682

I don't see how editing the file directly in VIM is "unsafe". It's based on your comfort level with VIM. Especially with this file, the biggest risk you have is deleting too many keys, in which case you'll just get prompted again. – Rick Chatham – 2015-10-01T19:56:21.277

The "safety" I was referring to involves 1) forgetting/not knowing to remove dependent info in other files (if any) and 2) Accidentally deleting more or less than needs to be, thus breaking the file. – Ryan Griggs – 2015-10-02T18:41:34.133

Asked: 2009-08-26T16:00:30.947

Viewed: 427 240 times

Active: 2019-10-09T18:39:03.497