The 100 best digital picture frames on amazon
The 100 best digital picture frames on amazon
The 100 best digital picture frames on amazon
The 100 best digital picture frames on amazon

What to do when you get the warn­ing mes­sage "REMOTE HOST IDENTIFICATION HAS CHANGED"

-

When you start out tin­ker­ing with your Rasp­berry Pi, you might end up eras­ing your SD card and doing a fresh install. With Rasp­bian, this is a quick and easy process.

How­ev­er, after doing a fresh install and when access­ing your Rasp­berry Pi through the Ter­mi­nal from anoth­er com­put­er, you may encounter a loud warn­ing that your "REMOTE HOST IDENTIFICATION HAS CHANGED" and you are denied access. For­tu­nate­ly, there is a sim­ple solu­tion.

When this hap­pens, enter this com­mand in the Ter­mi­nal:

rm -f ~/.ssh/known_hosts

If you want to know more about this com­mand, read on.

Chang­ing iden­ti­ties

I often flash an SD card with a fresh install dur­ing times of heavy tin­ker­ing and exper­i­ment­ing with the Rasp­berry Pi.

Typ­i­cal­ly I will cre­ate a back­up image of a cur­rent Rasp­bian instal­la­tion plus my per­son­al net­work con­fig­u­ra­tion and oth­er set­tings to avoid re-enter­ing the stan­dard stuff.

To do this, I use ApplePi-Bak­er soft­ware devel­oped by the inge­nious Dutch­man Hans Luit­jen for macOS (he just released a brand new ver­sion which also works in macOS Catali­na).

Bale­na Etch­er is a cross-plat­­form solu­tion for flash­ing images but last time I checked it did not allow back­ing them up.

But often when I then boot up the same Rasp­berry Pi with a fresh Rasp­bian install and ssh to it in Ter­mi­nal, the con­nec­tion is refused, and I get this error mes­sage:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:u//mtNhfldqUQFrhjsGovhby8bNPEowKpmHlCqVn618.
Please contact your system administrator.
Add correct host key in /Users/wm/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/wm/.ssh/known_hosts:1
ECDSA host key for 192.163.162.33 has changed and you have requested strict checking.
Host key verification failed.

The rea­son is an OS secu­ri­ty fea­ture with the intent to avoid Man-in-the-Mid­­dle attacks.

Tech­ni­cal­ly speak­ing, the SSH client will have saved the pub­lic SSH key of the remote sys­tem togeth­er with the IP address in the file /.ssh/knownhosts of the cur­rent user on the client com­put­er.

So all you have to do is updat­ing that data entry.

The scat­ter­gun approach

There are (at least) two ways to get rid of this error mes­sage.

The eas­i­est is to delete the file alto­geth­er and let it be recre­at­ed auto­mat­i­cal­ly the next time you con­nect via SSH.

All you need to do is to enter this com­mand in my Ter­mi­nal:

rm -f ~/.ssh/known_hosts

This wipes any mem­o­ry of known hosts and allows a fresh con­nec­tion to them.

The next time you con­nect via SSH in Ter­mi­nal, you will see this mes­sage:

Wolfgangs-iMac:~ wm$ ssh pi@192.168.164.29
The authenticity of host '192.168.164.29 (192.168.164.29)' can't be established.
ECDSA key fingerprint is SHA256:u//mtNhfldqUQFrGohIvhvby8bNPEowKpmHlCqVn618.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added '192.168.164.29' (ECDSA) to the list of known hosts.

You can then con­firm the con­nec­tion and car­ry on.

The draw­back is that you will get this mes­sage for any new SSH con­nec­tion, even those that you already agreed to ear­li­er.

But I don't find it much of an incon­ve­nience to say "yes".

The sniper option

Instead of delet­ing the entire known_hosts file, you can sur­gi­cal­ly remove just the one offend­ing data entry.

This is where the com­mand

ssh-keygen -R IP-address

is use­ful. It just removes the key for the spec­i­fied IP-address and leaves all oth­ers untouched.

So e.g. ssh-keygen -R 192.167.178.34

Next time you ssh into your Rasp­berry Pi, con­firm with "yes" and the new key will be gen­er­at­ed.

Con­clu­sion

When I first stum­bled upon this error mes­sage, it took me a while to fig­ure out what was wrong and how to fix it. So I hope I may be able to save you valu­able tin­ker­ing time!