What to do when you get the warning message “REMOTE HOST IDENTIFICATION HAS CHANGED” from your Raspberry Pi

When you start out tinkering with your Raspberry Pi, you might end up erasing your SD card and doing a fresh install. With Raspberry Pi OS, this is a quick and easy process.

However, when you access your Raspberry Pi through the Terminal from another computer after a fresh install, you may encounter a loud warning that the “REMOTE HOST IDENTIFICATION HAS CHANGED”, and you are denied access. Fortunately, there is a simple solution.

When this happens, enter this command in the Terminal:

rm -f ~/.ssh/known_hosts

If you want to know more about this command, read on.

Changing identities

I often flash an SD card with a fresh install during times of heavy tinkering and experimenting with the Raspberry Pi.

Typically I will create a backup image of a current Raspberry Pi OS installation plus my personal network configuration and other settings to avoid re-entering the standard stuff.

To do this, I use ApplePi-Baker software developed by the ingenious Dutchman Hans Luijten for macOS (he just released a brand new version which also works in macOS Catalina).

Balena Etcher is a cross-platform solution for flashing images but last time I checked it did not allow backing them up.

But often when I then boot up the same Raspberry Pi with a fresh Raspberry Pi OS install and ssh to it in Terminal, the connection is refused, and I get this error message:

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /Users/wm/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/wm/.ssh/known_hosts:1
ECDSA host key for has changed and you have requested strict checking.
Host key verification failed.

The reason is a security feature of SSH that is intended to prevent man-in-the-middle attacks.

Technically speaking, the SSH client will have saved the public host key of the remote system together with its IP address in the file ~/.ssh/known_hosts of the current user on the client computer. A fresh install gives the Raspberry Pi a new host key, which no longer matches the saved one.

So all you have to do is update that entry.

The scattergun approach

There are (at least) two ways to get rid of this error message.

The easiest is to delete the file altogether and let it be recreated automatically the next time you connect via SSH.

All you need to do is enter this command in the Terminal:

rm -f ~/.ssh/known_hosts

This wipes any memory of known hosts and allows a fresh connection to them.

The next time you connect via SSH in Terminal, you will see this message:

Wolfgangs-iMac:~ wm$ ssh pi@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:u//mtNhfldqUQFrGohIvhvby8bNPEowKpmHlCqVn618.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added '' (ECDSA) to the list of known hosts.

You can then confirm the connection and carry on.

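The drawback is that you will get this message for every new SSH connection, even to hosts whose keys you had already accepted earlier. The saved keys that would have flagged a real change on those hosts are gone as well.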

But I don’t find it much of an inconvenience to say “yes”.

The sniper option

Instead of deleting the entire ~/.ssh/known_hosts file, you can surgically remove just the one offending entry.

This is where the command

ssh-keygen -R IP-address

is useful. It just removes the key for the specified IP-address and leaves all others untouched.

So e.g.

ssh-keygen -R

Next time you ssh into your Raspberry Pi, confirm with “yes” and the new key will be added to the list of known hosts.
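What the saved entries look like and what removing a single host does, as an added example that is not from the original article: a simplified Python sketch of the idea behind ssh-keygen -R, run on a constructed known_hosts file. The addresses, key blobs and helper names are made up for the example, and wildcard patterns, [host]:port entries and @ markers are not handled.

```python
import base64, hashlib, hmac

def host_matches(field, host):
    """True if a known_hosts host field (plain or hashed) names `host`."""
    if field.startswith("|1|"):  # hashed entry: |1|base64(salt)|base64(HMAC-SHA1)
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")  # plain entry: comma-separated names

def fingerprint(key_b64):
    """SHA256 fingerprint as ssh prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def remove_host(text, host):
    """Drop every key line for `host`; return (kept_text, removed_keys)."""
    kept, removed = [], []
    for line in text.splitlines():
        parts = line.split()
        is_key = len(parts) >= 3 and not line.startswith(("#", "@"))
        if is_key and host_matches(parts[0], host):
            removed.append(f"{parts[1]} {fingerprint(parts[2])}")
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

# --- constructed sample data (not real keys or hosts) ---
def blob(label):
    return base64.b64encode(label.encode()).decode()

def hashed_field(host, salt=b"constructed-salt"):
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

SAMPLE = "\n".join([
    f"192.0.2.10 ecdsa-sha2-nistp256 {blob('old-pi-key')}",
    f"{hashed_field('192.0.2.10')} ssh-ed25519 {blob('old-pi-key-2')}",
    f"192.0.2.20,nas.example ssh-ed25519 {blob('nas-key')}",
]) + "\n"

if __name__ == "__main__":
    kept, removed = remove_host(SAMPLE, "192.0.2.10")
    print("removed:", *removed, sep="\n  ")
    print("kept:\n" + kept, end="")
```

The fingerprint string has the same form as the one ssh shows in its “Are you sure you want to continue connecting” prompt, so it can be compared with a fingerprint read on the Raspberry Pi itself before answering “yes”.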


When I first stumbled upon this error message, it took me a while to figure out what was wrong and how to fix it. So I hope I may be able to save you valuable tinkering time!
