"Add correct host key in known_hosts" / multiple ssh host keys per hostname?

Question

Trying to ssh into a computer I control, I'm getting the familiar message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
[...].
Please contact your system administrator.
Add correct host key in /home/sward/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/sward/.ssh/known_hosts:86
RSA host key for [...] has changed and you have requested strict checking.
Host key verification failed.

I did indeed change the key. And I read a few dozen postings saying that the way to resolve this problem is by deleting the old key from the known_hosts file.

But what I would like is to have ssh accept both the old key and the new key. The language in the error message ("Add correct host key") suggests that there should be some way to add the correct host key without removing the old one.

I have not been able to figure out how to add the new host key without removing the old one.

Is this possible, or is the error message just extremely misleading?

Answer 1

1. get the rsa key of your server, where server_ip is your server's IP address, such as 192.168.2.1:

   $ ssh-keyscan -t rsa server_ip
   

   Sample response:

   # server_ip SSH-2.0-OpenSSH_4.3
   server_ip ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwH5EXZG...
   

2. and on the client, copy the entire response line server_ip ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwH5EXZG..., and add this key to the bottom of your ~/.ssh/known_hosts file:

   server_ip ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqx9m529...(the offending key, and/or the very bottom of the `known_hosts` file)
   server_ip ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwH5EXZG... (line you're adding, copied and pasted from above)
   

Answer 2

Remove that the entry from known_hosts using:

ssh-keygen -R *ip_address_or_hostname*

This will remove the problematic IP or hostname from known_hosts file and try to connect again.

From the man pages:

-R hostname
Removes all keys belonging to hostname from a known_hosts file. This option is useful to delete hashed hosts (see the -H option above).

Answer 3

A very simple way is:

cp ~/.ssh/known_hosts ~/.ssh/known_hosts.bak

Then edit known_hosts to clear the original key and SSH to the host again. It'll add the new key automatically.

Next compare the two files. A program such as meld is a nice comparison tool. Then merge the files to make known_hosts contain both keys. (apt-get / yum install name is simply meld)

My 'reason' for keeping two keys is that the destination system is multiboot. Even though I dare say there's a way of synchronizing the keys across the installations, it seems more straightforward to allow multiple keys.

Edit 2015-06

Temporarily comment the known_hosts entry

Revisiting it now, I notice an even simpler way, as long as the entry is identifiable—normally from the hostname / IP address, quite aside from the error message referencing its specific location;

1. Edit known_hosts to temporarily add # at the start of the 'old' entry.
2. SSH to the host, agreeing to the prompt to add the new key 'automatically.'
3. Then re-edit known_hosts to remove the #.

Force a temporary host alias

There's even the option HostKeyAlias, as in

ssh -o HostKeyAlias=mynewaliasforthemachine name@computer

Your SSH client will add the new key under the alias. Then, you can either edit known_hosts to substitute the 'real' hostname/IP address for the alias, or connect to that incarnation of that host with the alias option evermore.

Answer 4

If both your client and server have OpenSSH 6.8 or newer, you can use the UpdateHostKeys yes option in your ssh_config or ~/.ssh/config. For example:

Host *
    UpdateHostKeys yes

This makes SSH store all host keys that the server has to known_hosts, and when a server changes or removes one host key, the key is also changed or removed in your known_hosts.

Answer 5

I have the same issue with a raspberry pi which I boot with several different systems (dev system for compiling arm binaries, project, xbmc, etc.) and have run into the same problem. They use DHCP on a local network and my router always reused the same IP since the MAC address was the same. I've solved it by using different domain names in my hosts file:

10.10.10.110 pi-dev
10.10.10.110 pi-xbmc
10.10.10.110 pi-etc

The known_hosts file saves fingerprints by host name so even though it is the same IP address, each unique host name gets a different entry.

I got sick of adding the names to hosts files every time I used a new system so I came up with an even lazier way by using leading zeros on ip addresses like:

$ ssh pi@10.10.10.110
$ ssh pi@010.10.10.110
$ ssh pi@10.010.10.110

Each variation of the (uncanonicalized) ip address gets it's own entry in known_hosts.

Answer 6

I don't see why you want to work with two keys, but you can certainly add more than one valid key to the ~/.ssh/known_hosts file, but you will have to do it manually.

Another solution might be to use the StrictHostKeyChecking=no option for this specific host:

ssh -o StrictHostKeyChecking=no user@host

which you could put into an alias in your ~/.profile or something similar.

alias hc=ssh -o StrictHostKeyChecking=no user@host

Answer 7

If you only ssh onto a local network then...

A simple solution is to wipe the old key file and replace it with a blank one. This will allow you to reauthorise all of your connections with new keys. If you have ssh keys stored for sites outside your local network, then you need to ensure that your initial connection is safe as you did the first time you connected to that server.

eg

cp known_hosts known_hosts.old
rm known_hosts
nano known_hosts

Then press space, backspace cntl+x and 'y' to save the new buffer (file). Its bad practise but okay providing you aren't regularly ssh'ing outside your local network (eg a uni or work server)

On a secure local network this is safe because you simply cant get a man in the middle attack.

Its always better to use code you understand!

Answer 8

So many answers, but so many that give up protection by turning off strict host checking totally, or destroying unrelated host info or just forcing the user to interactively accept keys, possibly at a later point, when it is unexpected.

Here's a simple technique to allow you to leave strict host checking on, but update the key in a controlled way, when you expect it to change:

• Remove the old key and update in one command

  ssh-keygen -R server.example.com && \
      ssh -o StrictHostKeyChecking=no server.example.com echo SSH host key updated.
  

• Repeat with IP address(es) or other host names if you use them.

The advantage of this approach is that it rekeys the server exactly once. Most versions of ssh-keygen seem to not return an error if the server you try to delete doesn't exist in the known hosts file, if this is a problem for you, use the two commands in sequence.

This approach also verifies connectivity and emits a nice message for logs in the ssh command (which logs in, updates the host key, and outputs SSH host key updated then immediately exits.

If your version of ssh-keygen returns a non-zero exit code, and you prefer to handle this without error, regardless or prior connection, simply use the two commands in sequence, ignoring any errors on the ssh-keygen command.

If you use this technique, you never need to vary your ssh command, or turn off host checking except during that one ssh command. You can be sure that future ssh sessions will work without conflict or needing to explicitly accept a new key, as long as the ssh command above ran without error.

Answer 9

you need to remove old key from client server

ssh-keygen -R 192.168.0.25 #1st remove on client server

then re generate key

ssh -o HostKeyAlias=192.168.0.25 root@192.168.0.25 #on client server

check new line is there

nano ~/.ssh/known_hosts

Answer 10

I had the same problem.

All I did was sudo nano /home/user/.ssh/ host_allow and erased the key.

When I ssh back to the server it added a new key.

Answer 11

Use sed command to do remove the offending line

OUTPUT: as show in above example
Offending key in /home/user/.ssh/known_hosts:86

Remove the line 86 as mentioned in known hosts.

CODE: 
sed -i '86d' /home/user/.ssh/known_hosts

Next time when accessing using ssh, system will automatically add new key.

newer versions of ssh

use:

ssh-keygen -R <hostname|ip address>

It will remove the hostname entry and take backup of old .known_host as known_hosts.old