Removing old keys from the SSH known host file

When connecting to a device via SSH using Linux (Unbuntu), you may come across the following error message.

The fingerprint for the RSA key sent by the remote host is
fd:1f:3d:fb:2e:ad:f4:f4:35:2e:03:f4:xx:xx:xx:xx.
Please contact your system administrator.
Add correct host key in /xxxx/xxxx/.ssh/known_hosts to get rid of this message.
Offending key in /xxxx/xxxx/.ssh/known_hosts:15
RSA host key for 192.168.45.82 has changed and you have requested strict checking.
Host key verification failed.
lost connection

This happens when the device you are connecting to has changed it’s SSH keys, but the client you are connecting from has the original key saved. By default Linux does not update these changes (assuming a security exploit) and will just drop the connection .

Stored SSH keys are by default saved in the /home/[user]/.ssh/known_host file. So to connect to the device you need to update this file.

You can achieve this a number of ways, including using the information above and manually editing the file to remove the offending key. However it can be difficult to work out what entry in the file you need to remove.

However I came across this the other day after having use the manual method for ages. In the error message it give the line number of the key you need to change. In the case above it would be 15.

(Offending key in /xxxx/xxxx/.ssh/known_hosts:15)

You can use the following command to delete that line with out having to manually open and edit the file.

sed -i 15d ~/.ssh/known_hosts

or use

ssh-keygen -R 192.168.45.82

Both will delete the line from the known_host file that relate to the error message above. (might need a SUDO, or run as root)

Now the next time you connect to the host device, your system will behave as if it is the first time it has seen the host and ask if you want to add the key in.

It is also possible to disable key checking, however I would not suggest this as it is a security risk.

DevilWAH