Cyberithub

How to fix SSH "host key verification failed" error in Linux (2 Easy Methods)

In this article, I will show you how to resolve the "host key verification failed" error in Linux. I am sure many of you use the ssh protocol to access remote hosts in Linux, and many of you have also seen this "host key verification failed" error while trying to connect to a remote server with ssh-based commands. This error usually occurs when the remote host changes its key very often for some reason. We will now go through the 2 methods given below to fix this issue.

SSH "Host Key Verification Failed" Error in Linux

In this example we use 2 different hosts to demonstrate the "host key verification failed" error in Linux.

192.168.0.100
192.168.0.106

Here we are trying to copy the ssh public key from one host (192.168.0.100) to another host (192.168.0.106) using the ssh-copy-id command, as you can see below. As with many ssh errors, whenever we face this kind of situation the first thing we try is to connect to the remote host with a simple ssh command and check whether the error still occurs.

root@localhost:~# ssh-copy-id root@192.168.0.106
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
ERROR: Someone could be eavesdropping on you right now (man-in-the-middle attack)!
ERROR: It is also possible that a host key has just been changed.
ERROR: The fingerprint for the ED25519 key sent by the remote host is
ERROR: SHA256:mx1ctmvoleWzmA3kVqOr+H9uIMQFPsK9eTXlnJ5fnGA.
ERROR: Please contact your system administrator.
ERROR: Add correct host key in /root/.ssh/known_hosts to get rid of this message.
ERROR: Offending ECDSA key in /root/.ssh/known_hosts:5
ERROR: remove with:
ERROR: ssh-keygen -f "/root/.ssh/known_hosts" -R "192.168.0.106"
ERROR: ED25519 host key for 192.168.0.106 has changed and you have requested strict checking.
ERROR: Host key verification failed.

NOTE:

Please note that I am using the root user to run all the commands below. You can use any user with sudo access to run them. For more information, please check "Step by Step: How to Add User to Sudoers to provide sudo access to the User".

Now we try to connect to the remote host (192.168.0.106) using the ssh command, but we see the same error here as well.

root@localhost:~# ssh root@192.168.0.106
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:mx1ctmvoleWzmA3kVqOr+H9uIMQFPsK9eTXlnJ5fnGA.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:5
remove with:
ssh-keygen -f "/root/.ssh/known_hosts" -R "192.168.0.106"
ED25519 host key for 192.168.0.106 has changed and you have requested strict checking.
Host key verification failed.

Method 1: Remove the old Key manually

We first need to check the known_hosts file and identify the line that needs to be removed. As shown in the above output, the offending ECDSA key is on line 5.

root@localhost:~# vi /root/.ssh/known_hosts
|1|5CmiAXPuYGM70G8z3heGuwoSs7E=|jkGqOlPtgJ2mZbAzAq/AJNADN3I= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAPzd/8/PhIgKU3FIPVEUwIyoQHOt8eJoABt0RaufdVrrPnFHHSQ6jXBRV9hSkamZSGBHPsmE3f/dY7tnpHoZUM=
|1|xHNRVs6McL0Gp80pV7a+ljscOLE=|gTJY5lhzrj4QYaBD9JA3UflX/lM= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAPzd/8/PhIgKU3FIPVEUwIyoQHOt8eJoABt0RaufdVrrPnFHHSQ6jXBRV9hSkamZSGBHPsmE3f/dY7tnpHoZUM=
|1|CBAvhjKLrxeAAzM2uT8J4szRSps=|HI5xiBZaeanE8crsBtzLKBmAqXs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAPzd/8/PhIgKU3FIPVEUwIyoQHOt8eJoABt0RaufdVrrPnFHHSQ6jXBRV9hSkamZSGBHPsmE3f/dY7tnpHoZUM=
|1|Db8TGhcXNuKRxXXwNCwjqSt1/uU=|mo9PyxWR3TIQlwud9frNGRcPWe8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAPzd/8/PhIgKU3FIPVEUwIyoQHOt8eJoABt0RaufdVrrPnFHHSQ6jXBRV9hSkamZSGBHPsmE3f/dY7tnpHoZUM=
|1|q5/RG/dsqu+dE74tZIlw8e1ChqE=|nB0ZXIXI4K1yurS7UDC3OPfpXPI= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNqUWv4MFC3F1saxTSdfKq7hsQrpYnndhtYKS3o9mye18Wlj9eQVioFJfjklV+k2/tyh44edzobcBbxSRIsxvb8=
|1|AyDcLMMCoc+AHSDzIyc8pPR0dHk=|6xF+Gxzl3GwwWDwA6BMUhCtayI0= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGozD0jj2XM/ZDyI0Zo1M90Z3phgG2df2bWy166hAl5xvRGiI8gFP+G1ScJ8uRZr9AiFFGWBDWQIO/VBtmjR7Gg=
|1|3Yp+dAPXHBMy9vu5me5SsB1J3vM=|UExr+SJXdZmOSC8y4CBnOr5taqc= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFavUGGTHtoc82HQuv0u6DEEZrabdcGc8l3qjgoacRx0gvVtr5PFKHtBpGwfsuxkDxjGw5ve4cLanT9iDzRLwK0=
|1|AytaU8PXh+Lbjz5WxyWIEB/rGiE=|dusFRGTKPdkY997X+n+BMW1uQSM= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA4Lyy04vbYabkqH3V2226NKohEcKoIOjnPhWDLjBr/8Fag94xwUEAbOyWOrpFh7MfAXWW58iaq/k49CPYXP5ss=

So we need to delete line 5 from the above file using the sed -i '5d' ~/.ssh/known_hosts command, as shown below.

root@localhost:~# sed -i '5d' ~/.ssh/known_hosts

Now if you check the /root/.ssh/known_hosts file again, you can see from the output below that line 5 has been deleted.

root@localhost:~# cat ~/.ssh/known_hosts
|1|5CmiAXPuYGM70G8z3heGuwoSs7E=|jkGqOlPtgJ2mZbAzAq/AJNADN3I= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAPzd/8/PhIgKU3FIPVEUwIyoQHOt8eJoABt0RaufdVrrPnFHHSQ6jXBRV9hSkamZSGBHPsmE3f/dY7tnpHoZUM=
|1|xHNRVs6McL0Gp80pV7a+ljscOLE=|gTJY5lhzrj4QYaBD9JA3UflX/lM= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAPzd/8/PhIgKU3FIPVEUwIyoQHOt8eJoABt0RaufdVrrPnFHHSQ6jXBRV9hSkamZSGBHPsmE3f/dY7tnpHoZUM=
|1|CBAvhjKLrxeAAzM2uT8J4szRSps=|HI5xiBZaeanE8crsBtzLKBmAqXs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAPzd/8/PhIgKU3FIPVEUwIyoQHOt8eJoABt0RaufdVrrPnFHHSQ6jXBRV9hSkamZSGBHPsmE3f/dY7tnpHoZUM=
|1|Db8TGhcXNuKRxXXwNCwjqSt1/uU=|mo9PyxWR3TIQlwud9frNGRcPWe8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAPzd/8/PhIgKU3FIPVEUwIyoQHOt8eJoABt0RaufdVrrPnFHHSQ6jXBRV9hSkamZSGBHPsmE3f/dY7tnpHoZUM=
|1|AyDcLMMCoc+AHSDzIyc8pPR0dHk=|6xF+Gxzl3GwwWDwA6BMUhCtayI0= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGozD0jj2XM/ZDyI0Zo1M90Z3phgG2df2bWy166hAl5xvRGiI8gFP+G1ScJ8uRZr9AiFFGWBDWQIO/VBtmjR7Gg=
|1|3Yp+dAPXHBMy9vu5me5SsB1J3vM=|UExr+SJXdZmOSC8y4CBnOr5taqc= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFavUGGTHtoc82HQuv0u6DEEZrabdcGc8l3qjgoacRx0gvVtr5PFKHtBpGwfsuxkDxjGw5ve4cLanT9iDzRLwK0=
|1|AytaU8PXh+Lbjz5WxyWIEB/rGiE=|dusFRGTKPdkY997X+n+BMW1uQSM= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA4Lyy04vbYabkqH3V2226NKohEcKoIOjnPhWDLjBr/8Fag94xwUEAbOyWOrpFh7MfAXWW58iaq/k49CPYXP5ss=

Method 2: Remove Known Hosts Using ssh-keygen command

Another method is to use the ssh-keygen command to resolve this error. You can remove the remote host's entry from the known_hosts file using the ssh-keygen command below.

root@localhost:~# ssh-keygen -f "/root/.ssh/known_hosts" -R "192.168.0.106"
# Host 192.168.0.106 found: line 5
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old

You can use either of the above methods to remove the host key and then try connecting again. Use the same ssh command to connect to the remote host and you will see that the "host key verification failed" error no longer appears.

root@localhost:~# ssh root@192.168.0.106
The authenticity of host '192.168.0.106 (192.168.0.106)' can't be established.
ED25519 key fingerprint is SHA256:mx1ctmvoleWzmA3kVqOr+H9uIMQFPsK9eTXlnJ5fnGA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.106' (ED25519) to the list of known hosts.
Password:
Last login: Sat May 23 23:54:31 2020 from 192.168.0.101
NOTE: system has 1 active alert; run 'fmadm list' for details.
Oracle Corporation SunOS 5.11 11.4 Aug 2018
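
The known_hosts entries shown earlier are hashed (the |1|salt|hash form), so the line for 192.168.0.106 cannot be picked out by eye, and the fingerprint shown at the yes/no prompt should match one obtained from the server itself before it is accepted. The following is an added example, not part of the original article, that does both checks in Python; the key blobs and salts are constructed sample data, and the verified fingerprint is assumed to have been read out of band (for instance with ssh-keygen -lf on the server's console).

```python
import base64, hashlib, hmac

def hash_host(host, salt):
    """Build a hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """True if a known_hosts host field (hashed or plain list) names `host`."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")

def fingerprint(key_b64):
    """SHA256 fingerprint in the form ssh prints: unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def entries_for(known_hosts_text, host):
    """Return (line_number, key_type, fingerprint) for every entry naming `host`."""
    found = []
    for number, line in enumerate(known_hosts_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank lines, comments, @cert-authority/@revoked markers
        if host_matches(fields[0], host):
            found.append((number, fields[1], fingerprint(fields[2])))
    return found

def safe_to_retrust(presented_fp, verified_fp):
    """Only re-add the host when the fingerprint ssh shows equals the verified one."""
    return hmac.compare_digest(presented_fp.encode(), verified_fp.encode())

# Constructed sample data: dummy key blobs and salts, not real host keys.
OLD_KEY = base64.b64encode(b"constructed-old-host-key").decode()
NEW_KEY = base64.b64encode(b"constructed-new-host-key").decode()
SAMPLE = "\n".join([
    hash_host("192.168.0.100", b"constructed-salt-1") + " ecdsa-sha2-nistp256 " + NEW_KEY,
    hash_host("192.168.0.106", b"constructed-salt-2") + " ecdsa-sha2-nistp256 " + OLD_KEY,
])

if __name__ == "__main__":
    print(entries_for(SAMPLE, "192.168.0.106"))  # which line holds the stale key
    verified = fingerprint(NEW_KEY)  # assumption: value read on the server's console
    print(safe_to_retrust(fingerprint(NEW_KEY), verified))
```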

There is one more way to avoid the "host key verification failed" error: disabling the host key check. This is done by setting the StrictHostKeyChecking option to no when using the ssh command to connect to the remote host, as in the example below.

root@localhost:~# ssh -o 'StrictHostKeyChecking no' root@192.168.0.106

NOTE:

Please do not permanently set StrictHostKeyChecking to no without knowing your system completely, as this might create a major security breach and make your system vulnerable to Trojan attacks. By default you will see this option set to yes.

Now we are able to log in to the remote host. Let's try to copy the public key again, but before that we need to exit from the remote host using the exit command.

root@localhost:~# exit
logout
Connection to 192.168.0.106 closed.

As done above, we will again try to copy the ssh public key to the remote host 192.168.0.106 using the ssh-copy-id root@192.168.0.106 command and see if it works this time.

root@localhost:~# ssh-copy-id root@192.168.0.106
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@192.168.0.106'"
and check to make sure that only the key(s) you wanted were added.

From the above output, you can be sure that it is working fine now and no other error is visible.
 
