SSH and RSA key warnings after a server reinstall

Every server with SSH capabilities has a unique RSA key fingerprint, which identifies the server's host key. When a server is reinstalled, this key changes. The next time you connect to the server using SSH, you will see a warning similar to the following message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99:00.
Please contact your system administrator.
Add correct host key in /home/username/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/username/.ssh/known_hosts:24
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Agent forwarding is disabled to avoid man-in-the-middle attacks.

This warning sounds much more dire than the issue usually is. In most cases, the only thing that has happened is a change to the server hardware. Use one of the following methods to prevent this message from recurring:

Remove the original host key using ssh-keygen.

Run the following command to remove the RSA fingerprint for the previous hardware:

ssh-keygen -R [hostname]

where [hostname] is the hostname for your previous server.

Edit or remove the known_hosts file.

On a Linux-based system, you can edit the file ~/.ssh/known_hosts and remove the old server key. The warning message gives the line number of the offending key (line 24 in the example above).

Once this is done, you can SSH into the server without the warning message coming up.
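The following is an added example, not part of the original article. It replaces the old known_hosts entry only when the fingerprint of the key the server now presents matches a fingerprint obtained through a channel other than the SSH connection itself. It computes both the colon-separated MD5 form shown in the warning above and the SHA256 form that newer OpenSSH clients print. The function names, hostnames and key blobs are constructed for illustration, and host matching covers exact names and hashed entries only, not wildcard patterns.

```python
import base64, hashlib, hmac

def fingerprints(key_b64):
    """Return (MD5 colon-hex, SHA256 base64) fingerprints of a public key blob."""
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha

def host_matches(field, host):
    """Match the first known_hosts field against host (exact names only)."""
    if field.startswith("|1|"):
        # Hashed entry: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in field.split(",")

def rotate_host_key(known_hosts, host, new_key_line, trusted_fp):
    """Swap host's entries for new_key_line only if its fingerprint is trusted_fp.

    known_hosts is the file content, new_key_line is a "host keytype base64key"
    line for the key the server presents now, and trusted_fp is the fingerprint
    obtained out of band (either MD5 colon-hex or SHA256:... form).
    """
    keytype, key_b64 = new_key_line.split()[1:3]
    if trusted_fp not in fingerprints(key_b64):
        raise ValueError("fingerprint mismatch: keep the old entry and investigate")
    kept = [line for line in known_hosts.splitlines()
            if not line.strip() or line.startswith("#")
            or not host_matches(line.split()[0], host)]
    return "\n".join(kept + [f"{host} {keytype} {key_b64}"]) + "\n"

if __name__ == "__main__":
    # Constructed sample data: these blobs are placeholders, not real RSA keys.
    old = base64.b64encode(b"constructed-old-key").decode()
    new = base64.b64encode(b"constructed-new-key").decode()
    known = f"other.example ssh-rsa {old}\nserver.example ssh-rsa {old}\n"
    scanned = f"server.example ssh-rsa {new}"
    trusted = fingerprints(new)[0]  # stands in for the out-of-band fingerprint
    print(rotate_host_key(known, "server.example", scanned, trusted), end="")
```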


Last modified: November 07 2017 19:17:05