You may encounter a scary-looking warning from time to time if you use SSH to log into other systems. The warning itself is real: you should double check to make sure that you're not connecting to an imposter/man-in-the middle server. However, often times within Physics we'll upgrade computers etc, which will cause the key for the computer to change, thus giving remote users the error. This article explains the steps to remove the warning for the known-"good" computer and establish a remote connection again.

Remote Host ID Has Changed?

You may encounter this error when trying to SSH into certain machines on the Physics network, especially since we have been upgrading machines but keeping the same hostname thus changing the key associated with that host. The error looks something like this:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    01:12:23:ab:bc:1a:1b:4c:5d:6e:7f:81:82:83:84:85.
    Please contact your system administrator.
    Add correct host key in /Users/yourUsername/.ssh/known_hosts to get rid of this message.
    Offending RSA key in /Users/yourUsername/.ssh/known_hosts:12
    RSA host key for 192.168.123.234 has changed and you have requested strict checking.
    Host key verification failed.
  

Most likely, you are not victim to a man-in-the-middle attack. However,

if you encounter this error when connecting to a machine that you know

and trust, and has not been upgraded by Physics IT, then you should

proceed with caution and/or contact us for help.

To fix the error you need to remove the stored key on your computer for the computer you're trying to connect to. Here are two ways to do this:

Method A: Use ssh-keygen -R

• Run the following command (but replace 192.168.123.234 with the IP address or hostname (example.physics.ucdavis.edu) of the machine you're trying to connect to.):
  ssh-keygen -R "192.168.123.234"

Method B: Manually edit your known_hosts file

• You can use a text editor to remove the offending line in your ~/.ssh/known_hosts file. Look for the line in the error that says "Offending RSA key in /Users/yourUsername/.ssh/known_hosts:12". In this example, it's line 12 (note the ":12" at the end). So, open your known hosts file and delete line 12 and save.
• You can do this using vim by running the following command from a terminal and then pressing the given keyboard shortcuts:
  1. vim ~/.ssh/known_hosts +12 (the "+12" at the end of the command tells vim to open the file and go to line 12)
  2. dd (Pressing lowercase d twice deletes the current line)
  3. ZZ (Pressing uppercase Z twice saves and quits vim)

After applying the fix, next time you try to SSH into that computer, you'll have to answer "yes" to confirm the connection. After that, it will be saved in known_hosts with the new key and you're good to go.

The only tricky thing might be if you're doing multiple-hop SSH tunneling w/ SSH pub key auth, you'll have to manually connect once just so you can answer "yes". This can cause issues if your tunelling/connection is part of a script that isn't expecting to have to answer "yes." So if you have a script that automatically SSHs through the Physauth tunnel to another Physics machine and performs some action on that remote machine, you'll probably want to go step by step and make sure the connection works at each step without asking for "yes or no". You'll only need to do that once.

If you have any questions, contact Physics IT.