How to fix ‘Host key verification failed’ SSH Error

This guide will help resolve SSH connection issues that produce the following error:

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is x.
Please contact your system administrator.
Add correct host key in /ua/username/.ssh/known_hosts to get rid of this message.
Offending RSA key in /ua/username/.ssh/known_hosts:5
RSA host key for has changed and you have requested strict checking.
Host key verification failed.

What Is Happening

This error occurs when the target server you are trying to SSH into has been rebuilt or had it’s RSA key changed since the last time you connected to it. Whenever you connect to a server via SSH, that server’s public key is stored in your home directory (or possibly in your local account settings if using a Mac or Windows desktop) file called ‘known_hosts’. When you reconnect to the same server, the SSH connection will verify the current public key matches the one you have saved in your ‘known_hosts’ file. If the server’s key has changed since the last time you connected to it, you will receive the above error.

How to Fix It

While contacting your system administrators when any odd warning message occurs is a good idea, you are safely able to resolve this issue yourself:

  1. First locate your ‘known_hosts’ file, and open in a general text editor. The error will often give you the location of the known_hosts file you need to change, as in the example above:
    Offending RSA key in /ua/username/.ssh/known_hosts:5

    1. Linux users will find this file in their home directory, in the ‘~/.ssh/’ directory
    2. Windows users have several places this can be changed. Common places are ~\Users\~\AppData\Roaming\_ssh\ or the SSH client’s configuration settings
    3. Mac users will find this in either their local account’s ~/.ssh folder, or their network home directory as with Linux users
  2. Remove the line containing the host name of the server you failed to connect to. In the example above, :5 indicates the server is on line 5 of the known_hosts file
  3. Save the known_hosts file after removing the offending key line
  4. Attempt to establish the SSH connection again. Once connected, you will see a new entry is created for the server in your known_hosts file

If you would like assistance with this process, or are concerned the server’s public key change is not intentional, please contact BCG support.