Ever upgraded SSH, either due to a major patch or an operating system upgrade and run into the following?

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
93:d4:93:67:fa:4e:53:7d:2c:aa:0d:4b:8e:60:4d:eb.
Please contact your system administrator.
Add correct host key in /<user home directory>/.ssh/known_hosts to get
rid of this message.
Offending key in /root/.ssh/known_hosts:4
RSA host key for host.example.com has changed and you have requested
strict checking.
Host key verification failed.

It used to be that the known_hosts file was human-readable, and you could simply edit it with your favorite editor, ssh to the remote host again and accept the new host key.  But now that file is encrypted, so if you have multiple entries recorded there, you cannot easily identify which one you should remove.  Enter ssh-keygen.  You can use this command to remove entries from the known_hosts file in the following way:

% ssh-keygen -R hostname

If you also added a key based on the IP address, repeat this using that address, and then re-issue your ssh command and accept the new key.  Done!

Advertisements