When you start out tinkering with your Raspberry Pi, you might end up erasing your SD card and doing a fresh install. With Raspberry Pi OS, this is a quick and easy process.
However, after doing a fresh install and when accessing your Raspberry Pi through the Terminal from another computer, you may encounter a loud warning that your “REMOTE HOST IDENTIFICATION HAS CHANGED” and you are denied access. Fortunately, there is a simple solution.
When this happens, enter this command in the Terminal:
rm -f ~/.ssh/known_hostsIf you want to know more about this command, read on.
Changing identities
I often flash an SD card with a fresh install during times of heavy tinkering and experimenting with the Raspberry Pi.
Typically I will create a backup image of a current Raspberry Pi OS installation plus my personal network configuration and other settings to avoid re-entering the standard stuff.
To do this, I use ApplePi-Baker software developed by the ingenious Dutchman Hans Luitjen for macOS (he just released a brand new version which also works in macOS Catalina).
Balena Etcher is a cross-platform solution for flashing images but last time I checked it did not allow backing them up.
But often when I then boot up the same Raspberry Pi with a fresh Raspberry Pi OS install and ssh to it in Terminal, the connection is refused, and I get this error message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:u//mtNhfldqUQFrhjsGovhby8bNPEowKpmHlCqVn618.
Please contact your system administrator.
Add correct host key in /Users/wm/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/wm/.ssh/known_hosts:1
ECDSA host key for 192.163.162.33 has changed and you have requested strict checking.
Host key verification failed.The reason is an OS security feature with the intent to avoid Man-in-the-Middle attacks.
Technically speaking, the SSH client will have saved the public SSH key of the remote system together with the IP address in the file
/.ssh/knownhostsof the current user on the client computer.
So all you have to do is updating that data entry.
The scattergun approach
There are (at least) two ways to get rid of this error message.
The easiest is to delete the file altogether and let it be recreated automatically the next time you connect via SSH.
All you need to do is to enter this command in my Terminal:
rm -f ~/.ssh/known_hostsThis wipes any memory of known hosts and allows a fresh connection to them.
The next time you connect via SSH in Terminal, you will see this message:
Wolfgangs-iMac:~ wm$ ssh pi@192.168.164.29
The authenticity of host '192.168.164.29 (192.168.164.29)' can't be established.
ECDSA key fingerprint is SHA256:u//mtNhfldqUQFrGohIvhvby8bNPEowKpmHlCqVn618.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added '192.168.164.29' (ECDSA) to the list of known hosts.You can then confirm the connection and carry on.
The drawback is that you will get this message for any new SSH connection, even those that you already agreed to earlier.
But I don’t find it much of an inconvenience to say “yes”.
The sniper option
Instead of deleting the entire
known_hostsfile, you can surgically remove just the one offending data entry.
This is where the command
ssh-keygen -R IP-addressis useful. It just removes the key for the specified IP-address and leaves all others untouched.
So e.g.
ssh-keygen -R 192.167.178.34Next time you ssh into your Raspberry Pi, confirm with “yes” and the new key will be generated.
Conclusion
When I first stumbled upon this error message, it took me a while to figure out what was wrong and how to fix it. So I hope I may be able to save you valuable tinkering time!
Was this article helpful?
Thank you for your support and motivation.
Related Articles
- How to customize your Raspberry Pi splash screen (Raspbian Stretch April 2019 Version)
- How to find the IP address of a new device in your network with Angry IP Scanner
- Stay Connected: Enhancing Raspberry Pi Wi-Fi Stability by Turning Off Power Management
- How to reduce the wear on your SD card in your Raspberry Pi digital photo frame
