17 Sep 2013

Remote Host Identification Has Changed ?

Tags: Problems & Solutions

QI have tried to log in via SSH, but suddenly it refused to work and instead displayed weird “Remote Host Identification Has Changed” error. Now what?

AirBig:~ root# ssh [email protected]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
53:60:82:c3:73:58:a4:09:57:79:7c:6a:b0:6f:5f:d1.
Please contact your system administrator.
Add correct host key in /var/root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/root/.ssh/known_hosts:240
RSA host key for my.host has changed and you have requested strict checking.
Host key verification failed.
AirBig:~ root#

AIf you are trying to access your hosted Aegir account via SSH or SFTP on or after September 16, 2013, you will be presented with this alarming warning. But there is nothing to worry about. For security reasons, and also to add SPDY and Forward Secrecy features on systems with older version of OpenSSL, we have upgraded both OpenSSL and OpenSSH to use latest, secure versions, but compiled from sources, so this process re-generated also the server-side keys to accomodate newer technology and protection for your account security. It is possible that when newer version of either OpenSSL or OpenSSH is released, we will do this again, so the server keys will be re-generated again. Depending on your needs, you can either edit the known_hosts file on your computer and simply remove the offending line (240 in the example above), or if you have just one or two entries in this file, simply delete it, so it will be re-generated on next SSH login attempt.

!Due to many important security fixes in recent OpenSSL and OpenSSH releases, and also to enable SPDY and Forward Secrecy features by default, starting on August 18, 2014 we install them both from sources also on all remotely managed BOA Aegir instances, so you should expect to see the same warning while connecting over SSH.

Create Account or request a free Test Drive
Already 900+ hosts powering thousands of Drupal sites are running on our high-performance Aegir BOA stack
© 2009-2023 Omega8.cc | ul. Zlota 59, 14th floor Skylight Building, 00-120 Warsaw, Poland | Twitter
Smokin’ Fast Drupal Hosting in Amsterdam · Chicago · Frankfurt · London
Madrid · New York · San Jose · Singapore · Sydney · Toronto · Warsaw