SSH - Tinkering with the Known Hosts file

From the department of "I Did Not Know This" ....

Having been doing a LOT with SSH client/server connectivity these past few weeks, I've seen a lot of this: -

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:FX2S14zf+pJ1Ye6zzuXZ43EQzuIFNEkXiH/dg64yYhk.
Please contact your system administrator.
Add correct host key in /Users/hayd/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/hayd/.ssh/known_hosts:1
ECDSA host key for 192.168.1.42 has changed and you have requested strict checking.
Host key verification failed.

mainly because I've been creating/deleting/recreating hosts (containers running on IBM Z) using the same IP address.

Each time I generate a new container, the unique private (host) key for the SSH daemon on the new container changes, which means that the above warning is back on ...

However, it's still a wrench to see "IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!" each and every time.

My hacky solution was to: -
  • Manually edit ~/.ssh/known_hosts each and every time ...
  • Delete ~/.ssh/known_hosts, which is somewhat nuclear
One of my colleagues gave me a MUCH better way ...

Use the ssh-keygen command to remove ONLY the "offending" host: -

ssh-keygen -f ~/.ssh/known_hosts -R 192.168.1.42

# Host 192.168.1.42 found: line 1
/Users/hayd/.ssh/known_hosts updated.
Original contents retained as /Users/hayd/.ssh/known_hosts.old

which is WAY better.

For background, here's the man page: -

-R hostname | [hostname]:port
    Removes all keys belonging to the specified hostname (with optional port number) from a known_hosts file. This option is useful to delete hashed hosts (see the -H option above).
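To show what -R is actually matching on, here is an added example (my own code, not the article's and not a wrapper around ssh-keygen) that reimplements the known_hosts lookup that ssh-keygen -F / -R perform: plain hostnames, port-qualified [host]:port entries, and the hashed |1|salt|hmac form that -H writes. It also computes the SHA256:... fingerprint OpenSSH prints for a stored key, so the fingerprint quoted in the warning can be compared with one obtained out of band (for instance read from the rebuilt container's host public key) before the stale line is dropped. The sample known_hosts contents, the salt, the key blobs and the extra hosts (build.example, 10.0.0.5) are constructed for the example; only 192.168.1.42 comes from the article.

```python
"""Added example: find and prune a stale known_hosts entry the way
`ssh-keygen -F` / `-R` do, without touching any other line in the file."""
import base64
import hashlib
import hmac


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the raw key blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_host(host: str, salt: bytes) -> str:
    """Produce the `|1|salt|hmac` field that `ssh-keygen -H` writes (HMAC-SHA1 keyed by salt)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, host: str) -> bool:
    """A host field is a comma-separated list of plain names, [host]:port items
    or hashed items. `host` must be given in the same form: "[192.168.1.42]:2222"
    does not match a plain "192.168.1.42" entry, exactly as ssh-keygen -R behaves."""
    for item in field.split(","):
        if item.startswith("|1|"):
            parts = item.split("|")
            if len(parts) != 4:
                continue
            salt = base64.b64decode(parts[2])
            expected = base64.b64decode(parts[3])
            mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, expected):
                return True
        elif item == host:
            return True
    return False


def find_entries(known_hosts: str, host: str):
    """Return (1-based line number, key type, fingerprint) for every entry
    matching host; the line number is what the warning's `known_hosts:1` refers to."""
    hits = []
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        if host_matches(fields[0], host):
            hits.append((lineno, fields[1], fingerprint(fields[2])))
    return hits


def remove_host(known_hosts: str, host: str):
    """Equivalent of `ssh-keygen -R host`: drop only the lines whose host field
    matches and keep every other line as it was. Returns (new text, removed count)."""
    matching = {ln for ln, _, _ in find_entries(known_hosts, host)}
    kept = [l for i, l in enumerate(known_hosts.splitlines(), start=1) if i not in matching]
    return "\n".join(kept) + ("\n" if known_hosts.endswith("\n") else ""), len(matching)


def prune_if_expected(known_hosts: str, host: str, reported_fp: str, expected_fp: str):
    """Cautious version of the article's one-liner: remove the stale entry only
    when the fingerprint quoted in the warning equals the one obtained out of band."""
    if not hmac.compare_digest(reported_fp, expected_fp):
        return known_hosts, 0
    return remove_host(known_hosts, host)


# --- constructed sample data (not real keys, not a real known_hosts file) ----
def _blob(label: str) -> str:
    return base64.b64encode(("constructed-key-blob:" + label).encode()).decode()


OLD_KEY, NEW_KEY, PORT_KEY, OTHER_KEY, HASHED_KEY = (
    _blob(n) for n in ("old", "new", "port", "other", "hashed"))
SALT = bytes(range(20))  # ssh-keygen uses 20 random bytes; fixed here so the file is reproducible
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample known_hosts\n"
    f"192.168.1.42 ecdsa-sha2-nistp256 {OLD_KEY}\n"
    f"[192.168.1.42]:2222 ssh-ed25519 {PORT_KEY}\n"
    f"build.example,10.0.0.5 ssh-ed25519 {OTHER_KEY}\n"
    f"{hash_host('192.168.1.42', SALT)} ssh-ed25519 {HASHED_KEY}\n"
)

if __name__ == "__main__":
    # The warning quotes the fingerprint of the key the *new* host presented; when
    # the out-of-band value agrees, the plain line 2 and the hashed line 5 go,
    # while the [192.168.1.42]:2222 entry on line 3 is left alone.
    reported = fingerprint(NEW_KEY)
    new_text, n = prune_if_expected(SAMPLE_KNOWN_HOSTS, "192.168.1.42", reported, reported)
    print(f"removed {n} entries, file is now:\n{new_text}")
```

Running it prints the pruned file: two entries for 192.168.1.42 are removed (the plain one and the hashed one, which is why the man page mentions hashed hosts), and the port-qualified entry survives because -R style matching is exact on the bracketed form.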