The “Host Key Verification” SSH Connection error occurs when a remote host changes its authentication key, but their client PC holds the same old Key in the “known_hosts” file. To fix this error, the user should make changes in the host_key file or should delete it completely. Another potential way to fix this issue is to disable that strict host key checking option during SSH connection.
This error might become frustrating sometimes. So in this article we will deeply understand this host key verification error and ways to fix this problem.
What is a Host Key in SSH?
A Host key is the unique identifier, used to verify the remote host’s identity. When you connect to the remote host, the key matches with the list of known Host keys. If that matches, the connection will be permitted to proceed. If the remote host doesn’t get verified, the connection will automatically be denied. Moreover, the Host key is also used to generate cryptographic signatures for each of the connections. This signature is then used to verify the data integrity that is being transferred between the server and the client.
How does SSH Work?
When someone connects to the remote server by SSH connection for the first time, their client generates a cryptographic host key for that hostname or server’s IP. This acts as the digital fingerprint, to identify the server that you are connecting to. If you try to reconnect in the future, SSH automatically verifies if the key presented by the server matches with what was stored in the known_hosts file. This is one of the security features. Without the verification of the host key, no one can get the access.
What Causes The Host Key Verification Failure Error?
The host key verification error occurs when SSH detects any mismatch between the host key sent by the server and the host key stored locally. Here are some of the reasons why this error occurs:
1. The server has been upgraded or reinstalled, which causes a generation of a new host key.
2. The server has rotated the host key, which can be considered as good security practice to prevent the host key from getting leaked.
3. The network configuration of the server might have been updated, like the hostname or the IP address.
4. The known_hosts file on the client has been corrupted or altered which might have modified or deleted the host key entry for the server.
Troubleshooting Steps
Below are some troubleshooting steps:
1. Check and verify the fingerprints: Check and verify if the server host key fingerprint matches with the one in the known_hosts file. If it matches, then you can be sure that the host key has changed for some reason and can direct to the solutions. If it does not match, then you should be more cautious and find out further before connecting to the server.
2. Check for DNS changes or IP address on the server: Check for DNS changes or IP address on the server and verify if the hostname or the IP address of the server you are trying to connect matches. You can check the DNS records or the IP address of the server by using tools like ping, nslookup, or dig. If they have been changed, then you should update the SSH command or configuration to utilize the new one.
3. Check if the server is behind the firewall: Check if the server is behind a firewall, a NAT device, or a proxy, that might affect the SSH connection. To check the network connectivity of the server, you can use tools like telnet, nmap, or traceroute. If the server is behind any firewall, a NAT device, or a proxy, then adjust your SSH command or configuration to utilize the correct IP address.
4. Check if the SSH server host key files have been changed: Log in to the server using alternative methods, like a web interface or console, and check the SSH server host key files and configuration.
Methods to fix problem of Host key verification failed
To resolve this error, you are required to make changes in the “known_hosts” file. Moreover, you can actually delete the known_hosts file from your system. Let’s now explore some of the ways to fix this issue:
Method 1: Delete The Old Key From the known_hosts File
The first and most easy method is to update or change the SSH host authentication key. Then you are required to delete the old key from the known_hosts file. You can use the ssh_keygen for this. To do this, use the following syntax in a new terminal:
ssh-keygen -R HOSTNAME
Make sure to replace the “HOSTNAME” with the actual hostname or IP Address of the remote host. The next thing to do is to retry the connection with the remote host by utilizing the updated key, and then the connection will be successful.
Method 2: Manually Remove the Key by Using the sed Command
Whenever you face this error, the error prompt will contain that line number on which the details or key details are placed for that host.
Let’s take the line number “11” within the known_hosts file. Now, delete line 11 from the known_hosts file by using the below command:
sed -i '10' ~.ssh/known_hosts
Moreover, you can also use the Vim editor as an alternative. Just use the following command:
vim +10 known_hosts
Here, “+10” defines the line number. Once inside the Vim editor:
1. Press the “d” key twice.
2. Press the Colon “:” and type “x” and then the “Enter key” to save the changes.
3. Retry the connection with the updated key, and you are done.
Method 3: Delete the known_hosts File
Sometimes, the known_hosts file gets corrupted and then causes the SSH connection to fail. In these types of cases, changing a corrupted known_hosts file would not help. Hence , it requires deleting the whole known_hosts file.
In Linux, to delete it, you can use the following command:
sudo rm .ssh/known_hosts
Once you have entirely deleted the known_hosts file, connect it to the remote host again and provide them with the right and updated key.
For Windows, follow these below steps:
1. Press the “Win+R” key to open up the run prompt.
2. Type ‘regedit.exe’ and press the enter key for opening the registry editor.
3. Head over to:
“HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys”
4. Delete All Keys
Method 4: Disable the SSH stricthostkeychecking Option
The “stricthostkeychecking” is one of the security features that sometimes causes a barrier while trying to connect to the remote host. But you don’t need to disable the security feature for all the connections. To disable this option, use the following flag only for the particular host during SSH Connection:
ssh -o StrictHostKeyChecking=no hostname
Ensure replacing the “hostname” with the actual hostname of the remote server you are trying to connect to.
Conclusion
In conclusion, this article covered how to fix this “host key verification failed” error in SSH. With these four simple methods discussed, you can fully control the SSH host keys. Keep in mind that as your configs and systems evolve, keys will necessarily drift, but with these solutions, reconciliation would be easy.