Wednesday, September 03, 2014

Remove Offending Host Key From known_hosts File

If you are managing a whole mess of servers, you may have occasions where the host key associated with a host or hosts, changes.  This is typically due to re-installation.  None the less, when you attempt to ssh to a host for whom you previously had an entry for in your ~/.ssh/known_hosts file, you will see a message similar to the following

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:811

RSA host key for has changed and you have requested strict checking.


Now, if I were accessing something over the internet via ssh and not on my corporate network, I would definitely need to be suspicious of this message.  You don't want to take chances with your security so always be sure.  But, if you are on your own corporate network and get this, check with your System Administrators, but the machine might have been re-installed.

So, looking at the above output, you will see a lot of information.  Most of it doesn't matter.  What does mater for the sake of removing the key in question is the line that reads:

  Offending key in /home/user/.ssh/known_hosts:811

That line tells you exactly what line in the known_hosts file contains the entry you want to remove.  So, whether you are on Mac, Linux or Unix, this should work just the same. What you want to do is grab that number after the colon above, and run the following command:

  sed -i "811 d" /home/user/.ssh/known_hosts

The -i tells sed to run in interactive mode.  Inside the double quotes you have the line number (grabbed from the output) and then a d (which stands for delete the entry, which it will at the line number you provide).  The only other thing on there is the full path to the known_hosts file.  If your not sure of where it is, it was on the line above the offending key line, in the above output.

Now, you could easily put this into a quick bash script that takes 1 field of input (the line number) and then calls the command as shown.  Either way, I hoped this helps with this common problem.


**Update: Thanks to a comment below from Attila-Mihaly Balazs, for letting me know that you can also use:

  ssh-keygen -f "/home/user/.ssh/known_hosts -R offending-hosts-name

That will remove the entry for the offending host who's key has gone stale, with the added benefit of a back up of the known_hosts file, saved with a .old extension, just before the entries removal.  

If you find you do not need the backup, you can simply delete it.

2 comments:

Attila-Mihaly Balazs said...

Hmm, what GNU/Linux distro are you using? With ubuntu it suggests that you do:

ssh-keygen -f "~/.ssh/known_hosts" -R offending-host

You just copy-paste that command and it does the deed :-) (it even creates a backup).

jlk said...

Thanks for the note, Attila. I was actually unaware of using ssh-keygen in that manner. I will have to include that as an update.

 
Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.