315
85
I'm trying to setup password-less SSH on an Ubuntu server with ssh-copy-id myuser@myserver, but I'm getting the error:
Warning: the ECDSA host key for 'myserver' differs from the key for the IP address '192.168.1.123'
What's causing this, and how do I fix it? I tried deleting the .ssh directory on the remote machine, and running ssh-keygen -R "myserver" locally, but this doesn't resolve the error.
Cerin
Posted 2012-05-05T19:05:56.153
Reputation: 6 081
459
Remove the cached key for 192.168.1.123 on the local machine:
ssh-keygen -R 192.168.1.123
user1686
Posted 2012-05-05T19:05:56.153
Reputation: 283 655
/home/wf/.ssh/known_hosts updated. Original contents retained as /home/wf/.ssh/known_hosts.old
"Warning: Permanently added the ECDSA host key for IP address 'x.x.x.x' to the list of known hosts." is displayed.
and then it seems to work – Wolfgang Fahl – 2014-07-25T06:55:55.683
15You can update key instead of removing it. Use ssh-keyscan -t ecdsa my.server.domain >> ~/.ssh/known_hosts after that you don't need to verificate new key at first connecting to host. – Alex – 2016-07-13T10:01:19.090
2For whom don't succeed to make it work: I've had registered multiples occurrences of the same IP : 1/ the said IP address (xx.xx.xx.xx), domain (tomsihap.fr), provider's given vps server address (vpsxxx.ovh.net). ssh-keygen -R for each of these did the work. – tomsihap – 2016-12-17T23:02:34.810
Worked for me, but the confusion might be from which host should this command be run? The answer is from the one that exhibited the error. The second question and answer are more obvious, but just in case: which address to pass to ssh-keygen -R? The address that figures in the error statement. – Russ Bateman – 2017-10-27T00:27:11.410
In case this doesn't cut it, and ssh 192.168.1.123 displays the warning but doesn't show the offending line number in known_hosts, you can do ssh -v 192.168.1.123 2>&1 | grep known, then you can e.g. sed -i.orig 42d ~/.ssh/known_hosts to delete line 42 (or whatever it was) – unhammer – 2018-03-11T13:19:08.507
Thanks, It worked for me! In my case I did a Rebuild in my Droplet at DigitalOcean. – rochasdv – 2018-05-16T16:38:05.783
14Didn't work for me on newly install Debian server at work when SSHing in from home. Also, answer is pretty terse. – Chris K – 2014-01-16T07:29:21.597
69
In my case ssh-keygen -R ... didn't fix the warning. I had extra information like this:
Offending key for IP in /home/myuser/.ssh/known_hosts:8
Matching host key in /home/myuser/.ssh/known_hosts:24
I simply manually edited ~/.ssh/known_hosts and deleted line 8 (the "offending key"). I tried reconnecting, the host was permanently added, and everything was fine after that!
aardvarkk
Posted 2012-05-05T19:05:56.153
Reputation: 1 217
2Works like a charm. Can fix this in one line with sed -e '8d' /home/myuser/.ssh/known_hosts, replacing the line number 8 and the filename with those displayed on your system. – Alex P. Miller – 2017-06-22T14:57:02.130
My issue with this approach was that it's a bit confusing if the known_hosts:8 refers to a zero-indexed value or not. Good to know that it's a 1:1 mapping... – Daniel F – 2019-02-18T16:14:32.433
I noticed this happens if you use a non-standard port like 2022. In that case, you need to do ssh-keygen -R [hostname]:2022 – Alexander Malfait – 2019-07-10T14:55:17.563
If I delete ~/.ssh/known_hosts, I get the message that the authenticity can't be established and "Are you sure you want to continue connecting". Answering "yes" tries and fails to connect. If I try to connect a 2nd time, I get the same ECDSA host key error I started with. – Aaron Franke – 2019-10-10T20:12:10.750
19
I do lots of ssh-ing around between my LAN computers and my two webhosting accounts, so I've sorted out all kinds of odds and ends with SSH, including authentication problems using ssh -v to see where and what went wrong.
Having just resolved this issue and not being happy with the answers, I wanted to really know "why" myself...
The trigger for my case is: installed new server OS at work and upon installing openssh-server package, a new set of host keys were generated on work's server. Previously, all of my server OSs were Ubuntu and this time it changed to Debian (and I suspect there is a nuanced difference in permissions).
When all OSs were Ubuntu and I reinstall a server's OS, upon the first SSH in to it, I get this kind of warning, which I prefer over the silent warning above!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
06:ea:f1:f8:db:75:5c:0c:af:15:d7:99:2d:ef:08:2a.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:4
RSA host key for domain.com has changed and you have requested strict checking.
Host key verification failed.
Then I open up ~/.ssh/known_hosts on the computer initiating the ssh, delete that line, reconnect and this happens:
chris@home ~ $ ssh work
The authenticity of host '[work]:11122 ([99.85.243.208]:11122)' can't be established.
ECDSA key fingerprint is 56:6d:13:be:fe:a0:29:ca:53:da:23:d6:1d:36:dd:c5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[work]:11122 ([99.85.243.208]:11122)' (ECDSA) to the list of known hosts.
Linux rock 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64
That bit about :11122 is the port number I route SSH from on the firewall
I checked backups from a former Ubuntu server and diff'd against my new Debian install:
Ubuntu: Debian:
# Package generated configuration file # Package generated configuration file
# See the sshd(8) manpage for details # See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for # What ports, IPs and protocols we listen for
Port 22 Port 22
# Use these options to restrict which interface # Use these options to restrict which interfaces
#ListenAddress :: #ListenAddress ::
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
Protocol 2 Protocol 2
# HostKeys for protocol version 2 # HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_dsa_key
------------------------------------------------ HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security #Privilege Separation is turned on for security
UsePrivilegeSeparation yes UsePrivilegeSeparation yes
So yes, likely, the host started using ecdsa keys recently, which based upon Ubuntu's changes lately, I would blame on an update. Ubuntu's shift away from the rock-solid linux OS I counted on is why I installed Debian this time around.
I read a security.SE q/a on ecdsa and have already removed that line from sshd_config my new Debian server. (and ran service ssh restart)
Chris K
Posted 2012-05-05T19:05:56.153
Reputation: 923
1@ChrisK You, sir, are a boss. Thanks for the detailed, yet concise, answer. – sargas – 2016-08-12T15:46:40.540
2+1 for the nice side-by-side comparison block. Could you add a URL clariying "Ubuntu's shift away from the rock-solid linux OS" means? – bgoodr – 2014-02-09T16:43:16.253
@bgoodr it's my opinion & solely based upon setting up my own RAID fileserver several times over the past few years. :/ Crap for answer, but start googling ubuntu debian server and you'll see what I mean. – Chris K – 2014-02-10T07:00:25.790
7
The prompt occurs every time because the IP addresses change all the time when using dynamic addressing. Try to use static IP so you only have to add the key only once.
Gaurav Joseph
Posted 2012-05-05T19:05:56.153
Reputation: 1 503
1Good point, did I miss where someone mentioned dynamic ips? – Chris K – 2014-01-16T20:13:13.887
6
ssh-keygen -f "/root/.ssh/known_hosts" -R 192.168.1.123
This should replace the existing keys under known_hosts.old and create a new one. This solution worked for me in the same scenario
Jignesh Rawal
Posted 2012-05-05T19:05:56.153
Reputation: 161
4
I added the following lines to my ~/.ssh/config, thus disabling strict host checking for all .local addresses. (with DHCP address allocation, ip addresses of my local machines are always changing)
host *.local
StrictHostKeyChecking no
You still get the warning, though, which is fine by me.
KimSJ
Posted 2012-05-05T19:05:56.153
Reputation: 41
2
Are you using the same user for connecting?
If you are logged into a local PC like user John and connected to the server B like user Adolf@B and everything is OK, it does not mean that everything is OK if you are logged to local PC like user Jane and connecting to the server B like user Adolf@B.
If you want to login on server B as user Beda from PC A without password, try this command, all from PC A:
ssh-keygen -t rsa
This command generates the key and stores the key in the file. Please leave passphrase empty.
ssh Beda@B mkdir -p .ssh
This command creates the directory, if they do not already exist. Otherwise, do not print an error message.
cd ~/.ssh
This command changes the directory to your users home directory ./ssh.
cat id_rsa.pub | ssh Beda@B 'cat >> .ssh/authorized_keys'
This command prints the file id_rsa.pub (your public key) into authorized_keys on the server.
IMPORTANT: Beda is your username on the server which you are connecting, B is your server IP.
Now, you can connect to the server B without a password or passphrase:
ssh Beda@B
Petr Derian
Posted 2012-05-05T19:05:56.153
Reputation: 21
1Or just use ssh-copy-id to populate an authorized_keys file with your id_rsa.pub key without all the extra hassle. – BlakBat – 2018-08-27T11:03:24.377
1
This error kept annoying me for a long time. For some reason it made a difference whether i would do a
ssh host
or
ssh host.domain
https://askubuntu.com/questions/87449/how-to-disable-strict-host-key-checking-in-ssh
then pointed me to the option of changing the config file. See my script https://askubuntu.com/a/949731/129227 there for automating the process.
Wolfgang Fahl
Posted 2012-05-05T19:05:56.153
Reputation: 201
1Using configuration values CanonicalizeHostname and CanonicalDomains would avoid removing strict checking and would make ssh consider host and host.domain to be same. – BlakBat – 2018-11-03T15:02:07.237
1
Question: What's causing this, ...?
So the ssh server host key changed. What caused the change? It is hard to say. Here are some guesses:
Question: ... and how do I fix it?
As others have already answered, remove the cached ECDSA host key for myserver that your account has cached.
Lars Nordin
Posted 2012-05-05T19:05:56.153
Reputation: 168
2Good advice, but doesn't actually answer the question. Doesn't even TRY to answer the question. – boatcoder – 2013-04-03T14:18:58.270
1
The thread here may help.
Essentially, you want to remove both the RSA and ECDSA keys for that host, then use ssh-keyscan to put them back into your known_hosts file in a way that won't cause this conflict. It worked for me when I had the same issue.
Paul A Jungwirth
Posted 2012-05-05T19:05:56.153
Reputation: 233
0
Here is how to remove a known host fingerprint (from known_hosts file) on a Chrome OS:
Find the index of the offending host entry in the ssh output when the connection fails. For example in the line below offending index is 7:
Offending ECDSA key in /.ssh/known_hosts:7
Open the JavaScript console (CTRL+Shift+J) of Secure Shell window and type the following, replacing INDEX with the appropriate value (e.g. 7):
term_.command.removeKnownHostByIndex(INDEX);
This solution was borrowed from Leo Gaggl's Blog.
Alex Yursha
Posted 2012-05-05T19:05:56.153
Reputation: 101
0
At my side this happens due to something which I consider an ssh bug of newer (OpenSSH_7.9p1 and above) clients, when it tries to learn a more secure ecdsa server key where there already is an older rsa type key known. It then presents this misleading message!
I do not know a good fix for this, the only workaround I found is to remove all "good but old rsa keys" such that the client can re-learn the "new more secure ecdsa keys". So:
The first step is to remove all the good old RSA keys (Warning! This loses protection against MitM):
$ sed -i '/ ssh-rsa /d' ~/.ssh/known_hosts
The second step then is to re-learn all host keys, which must be done manually by connecting to each IP again using ssh.
Here is what I observe:
$ sftp test@136.243.197.100
Connected to test@136.243.197.100
sftp>
$ sftp test@valentin.hilbig.de
Connected to test@valentin.hilbig.de.
sftp>
Now try to connect to a newly introduced alias of this same already known good server:
$ sftp test@gcopy.net
Warning: the ECDSA host key for 'gcopy.net' differs from the key for the IP address '136.243.197.100'
Offending key for IP in /home/test/.ssh/known_hosts:45
Matching host key in /home/test/.ssh/known_hosts:44
Are you sure you want to continue connecting (yes/no)?
Please have a look at the IP address. It's the same IP as above! So it looks like the (good) key of the (known) IP suddenly is offending itself (it isn't, as the ssh client mixes two incompatible keys, see below).
Now we try to fix it:
$ ssh-keygen -R 136.243.197.100
# Host 136.243.197.100 found: line 45
/home/test/.ssh/known_hosts updated.
Original contents retained as /home/test/.ssh/known_hosts.old
Let's try again:
$ sftp test@gcopy.net
Warning: Permanently added the ECDSA host key for IP address '136.243.197.100' to the list of known hosts.
Connected to test@gcopy.net.
$ sftp test@valentin.hilbig.de
Warning: the RSA host key for 'valentin.hilbig.de' differs from the key for the IP address '136.243.197.100'
Offending key for IP in /home/test/.ssh/known_hosts:45
Matching host key in /home/test/.ssh/known_hosts:10
Are you sure you want to continue connecting (yes/no)?
WTF? What happened here? The new fresh key learned from the server fails again? And the problem even switched sides?!?
Nope, it's not the key, nor the server. Everything is correct!
It's the ssh client which fails to verify the correct key!
Entry 45 in known_hosts now carries a key of type ecdsa-sha2-nistp256 while the key, which was pulled from the server by the client, is of type rsa-sha2-512 (and therefor cannot match the other key!).
$ sftp -v test@valentin.hilbig.de
shows:
debug1: kex: host key algorithm: rsa-sha2-512
while
$ sftp -v test@gcopy.net
shows:
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
Apparently the
sshclient has a bug somewhere! It cannot cope with a host key existing in more than one variant! Or it falls into the trap to request an outdated variant of a key.
I really have no idea. This probably can only be fixed upstream.
But there is a manual but clumsy workaround:
You have to manually remove all traces of the old key of type rsa. The key in question is shown in the output, but it is not directly marked as the problem:
Warning: the RSA host key for 'valentin.hilbig.de' differs from the key for the IP address '136.243.197.100'
Offending key for IP in /home/test/.ssh/known_hosts:45
Matching host key in /home/test/.ssh/known_hosts:10
check:
awk 'NR==45 { print $2 }' /home/test/.ssh/known_hosts
awk 'NR==10 { print $2 }' /home/test/.ssh/known_hosts
gives
ecdsa-sha2-nistp256
ssh-rsa
So here the matching host key is the offending one and the offending key is the right one which must be kept! So let's remove the wrong (matching) one:
ssh-keygen -R valentin.hilbig.de
# Host valentin.hilbig.de found: line 10
/home/test/.ssh/known_hosts updated.
Original contents retained as /home/test/.ssh/known_hosts.old
Now check again:
$ sftp test@valentin.hilbig.de
The authenticity of host 'valentin.hilbig.de (136.243.197.100)' can't be established.
ECDSA key fingerprint is SHA256:tf7lwe10C2p1lK2UG9p//m/4sUBCpX+i9k5Ub63c6Os.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'valentin.hilbig.de' (ECDSA) to the list of known hosts.
Connected to test@valentin.hilbig.de.
sftp>
$ sftp test@gcopy.net
Connected to test@gcopy.net.
sftp>
sftp test@136.243.197.100
Connected to test@136.243.197.100.
sftp>
YAY! Problem finally gone. But with several 100 entries in .ssh/known_hosts, this "solution" really becomes a major PITA (and an Error Prone Security Nightmare on Elm Street. YMMV.)
Tino
Posted 2012-05-05T19:05:56.153
Reputation: 906
0
I fixed this on a Chromebook by uninstalling and reinstalling Secure Shell... It worked like a charm.
msersen
Posted 2012-05-05T19:05:56.153
Reputation: 1
This is overkill. See a simpler solution in my answer here. – Alex Yursha – 2017-07-24T07:57:56.870
Another similar nuclear option is to rm -f ~/.ssh/known_hosts under Linux – Tino – 2020-02-23T01:59:21.803
in my case, I change the server(ip) bind with the domain, then the
The ECDSA host key for server has changed. My way is remove the related cache string about domain in~/.ssh/known_hosts. Then the ssh works. – Ninja – 2017-07-11T03:59:10.067