SSH Known hosts file

What to do when someone is confused by ssh host key warnings, and needs to update or modify the known hosts file

SSH connections from a client to a server use something called a hostkey to verify that the machine on the other side is who they say they are. When host keys are updated or changed, an ssh client can sometimes become unhappy and give warnings that the hostkey is not what was expected (especially if the client is connecting to a machine they have in their history, or have connected to before). The warning might look something like this:

Offending ECDSA key in /filespace/b/bwilt/.ssh/known_hosts:5

If this happens, generally the best thing to do is to remove the lines from the ssh known_hosts file to stop the warnings. NOTE: The file name is only "known_hosts", the colon and number indicate the line in the file where the bad hostkey is located. Removing this hostkey from the file will mean that the client "forgets" about the hostkey, and will be prompted to accept the new hostkey when they connect again the next time.

Two ways of removing the reference from the known_hosts file:

  •  $ sed -e 'Xd' ~/.ssh/known_hosts
with being the line number from the warning (e.g., "5" in the example above)
  •  $ ssh-keygen -f ~/.ssh/known_hosts -R <hostname>
with hostname being the remote machine (e.g., "best-tux.cae.wisc.edu")

Both options might need to be repeated once or twice, since hostkeys in the known_hosts file are entered for both the domain name ("tux-101.cae.wisc.edu") and the corresponding IP address ("144.92.241.204").