The RSA key on the Openbridge Server was changed and your SSH client is warning you that the discrepancy might be the fault of an attacker.

This guide will help resolve SSH connection issues that produce the following error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the RSA key sent by the remote host is x. Please contact your system administrator.
Add correct host key in /home/ec2-user/.ssh/known_hosts to get rid of this message. Offending RSA key in /home/ec2-user.ssh/known_hosts:222 RSA host key for openbridge.com has changed and you have requested strict checking. Host key verification failed.

Why does this error occur?

This error occurs when the target server you are trying to SSH into has been rebuilt or had it's RSA key changed since the last time you connected to it. Whenever you connect to a server via SSH, that server's public key is stored in your home directory (or possibly in your local account settings if using a Mac or Windows desktop) file called known_hosts

When you reconnect to the same server, the SSH connection will verify the current public key matches the one you have saved in your known_hosts  file. If the server's key has changed since the last time you connected to it, you will receive the above error (or one similar to it).

How to fix the error

While contacting your system administrators when any odd warning message occurs is a good idea, you are safely able to resolve this issue yourself:

First, locate your known_hosts  file, and open in a general text editor. The error will often give you the location of the known_hosts  file you need to change. In the example above the offending RSA key is located here:  /home/ec2-user.ssh/known_hosts:222 

Linux and Mac Users

Linux users will find this file in their home directory, in the ~/.ssh/ directory. You use sed  to remove the offending line. Run something like sed -i '222d' ~/.ssh/known_hosts which will remove the offending line as reported in our example

Mac users will find this in either their local account's ~/.ssh  folder, or their network home directory as with Linux users. You can also run  sed -i '222d' ~/.ssh/known_hosts 

You can also use the IP address with sed  like this sed -i '/1.2.3.4/d' /home/ec2-user/.ssh/known_hosts 

Another option is to user ssh-keygen with the -R  option. This removes all keys belonging to hostname from a known_hosts  file. This option is useful to delete hashed hosts. If your remote hostname is server.openbridge.com  

$ ssh-keygen -R {server.openbridge.com}
$ ssh-keygen -R {ssh.server.ip.address}
ssh-keygen -R {ssh.server.ip.address} -f {/path/to/known_hosts}
$ ssh-keygen -R server.openbridge.com

Lastly, you can edit your  known_hosts with a text editor and remove the offending line. For example, using vi 

Type vi ~/.ssh/known_hosts . Go to line 222  and then dd  to delete and then wq  to save.

Windows Users

Windows users have several places this can be changed. Common places are ~\Users\~\AppData\Roaming\_ssh\  or the SSH client's configuration settings. This also might be in a location like C:\Users\username\.ssh  or  C:\cygwin64\home\bob\.ssh\known_hosts . The specific location will be a function of your Windows environment. 

Similar to the Mac and Linux examples, you want to remove the offending SSH key reference:

  • Remove the line containing the host name of the server you failed to connect to. In the example above, :222  indicates the server is on line 222  of the known_hosts  file
  • Save the known_hosts  file after removing the offending key line
  • Attempt to establish the SSH connection again. Once connected, you will see a new entry is created for the server in your known_hosts  file

The next time you attempt to log in, SSH should tell you that the host key is unknown and ask if you want to connect and save the new key.

Did this answer your question?