SSH: Host key verification failed


We’ve all been there.. slapping away at your keyboard – Perhaps hoping through an SSH tunnel, or maybe SSHing into a NAT’d virtualbox vm, and suddenly BAM!.. You’re smacked in the face by this ugly chunk of message:

$ ssh -p2222 localhost

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /Users/sudoed/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/sudoed/.ssh/known_hosts:8
RSA host key for [localhost]:2222 has changed and you have requested strict checking.
Host key verification failed.

Yup, shocking as it may seem, you have one again managed to find another server called localhost!

This happens to me all the time. I have my usual method of handeling this, but I thought I would quickly look at the other methods that might be useful.


Quick and dirty – “Double D”

This is my go-to. If it’s wrong, I don’t want to be right. Typically when I’ve been slapped in the face with this alert I am usually in an heated situation where I don’t have time to mess around.

vim ~/.ssh/known_hosts

Scroll down to the offending line. In the case listed above it starts with [localhost]:2222. And “DD” to delete the line, and :wq the hell out of there!

sed – Someday I should learn that

sed continues to become one of my most powerful tools in my box. Now lets take a look at part of the error:

    Offending RSA key in /Users/sudoed/.ssh/known_hosts:8

It actually tells you what line number the offending turd lives on… 8! So lets tell sed to edit known_hosts in-place, and delete the line:

sed -i '8d' ~/.ssh/known_hosts

Done and done!

Theres a program for that?? – ssh-keygen

Yeah, not only does ssh-keygen generate keys, but it can destroy them, too! This one is a bit too fancy for me and doubt I would ever remember to use it in the heat of battle.

The command is simple:

ssh-keygen -R hostname [-f known_hosts_file]

So in the above situation we would run this:

ssh-keygen -R [localhost]:2222


Like I always say about linux, there are many ways to skin a cat. Every one of these options simply removes a line from a file.

This is one other solution, which I don’t recommend due to security concerns, and that’s ignoring the problem all together:

Host key? What host key?

Remember, I do not recommend this. I’m only mentioning it because I like to fully research stuff and cover all grounds – But this option basically throws out everything that SSH stands for and allows you to connect to any host without any sort of verification.

$ ssh -p2222 -o 'StrictHostKeyChecking no' sudoed@localhost

This simply tells ssh not to verify the host key. This MIGHT be okay for a one-off to your local virtualbox VM, but please do not add this option to your ssh_config file! If you do, you should be punched.

Andrew Martin
Lead BI Infrastructure Architect


comments powered by Disqus