var img = document.createElement('img'); img.src = "https://easystat.de/piwik.php?idsite=13&rec=1&url=https://docs.servinga.cloud" + location.pathname; img.style = "border:0"; img.alt = "tracker"; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(img,s);
Skip to main content

What's a hostkey error and how to resolve it?

Why does the SSH client trigger this warning?

When you connect to a server using SSH for the first time, your SSH client stores the server's hostkey (essentially a unique fingerprint of it) in a file on your computer called known_hosts.

If the server is then reinstalled, its hostkey is being regenerated from scratch and thus changes and now differs from the hostkey your computer stored when it connected to the server's IP address or hostname for the first time. When you then attempt to connect again, the SSH client detects that the fingerprint no longer matches the one it previously saved.

This feature is designed to prevent man-in-the-middle (MITM) attacks where an attacker tries to move between you and the server you're connecting to.

Upon connecting to your reinstalled server, you will see a warning like this on your SSH client:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

How to fix the error

In order to fix the error, you need to manually remove the old hostkey for your server's IP address or hostname from your known_hosts file. The exact location of that file differs from operating system to operating system, but on Linux-based systems or on macOS it's located in ~/.ssh/known_hosts. On Windows it might be in a different location or even being managed in a GUI, depending on which SSH client you're using.

Remove the hostkey from the file

The manual way to remove an old hostkey from your known_hosts file is by simply finding the IP or hostname you're trying to connect to in said file and remove the entire line. After saving the file, the error should be gone and upon connecting your SSH client should ask you whether you want to accept the new hostkey of the server you're connecting to.

Use ssh-keygen

An alternative to removing the offending hostkey from your known_hosts file manually, is using a tool called ssh-keygen. It's shipped by default with the OpenSSH client.

To remove (hence the -R flag) the hostkey of a certain IP address or hostname, you simply run the following command.

ssh-keygen -R x.x.x.x

Replace x.x.x.x with either your server's IP address or with its hostname, depending on what you're trying to connect with.

After running the command, you should be able to connect again. Your client will now display the server's new hostkey and ask you whether you want to store it in your known_hosts file. Confirm that message and you should be connected again. If now the hostkey changes for whatever reason again, you'll be presented with the same error message as shown above.