
SSH RSA key issue " Host verification failed "

Anand-HPUX
Frequent Visitor


Hi,

When I tried to connect to the server (HP-UX 11.31) through SSH from a network device, it gave the following error message:

 

Add correct host key in /home/scr/.ssh/known_hosts to get rid of this message.
Offending key in /home/scr/.ssh/known_hosts:4
RSA host key for 10.254.29.1 has changed and you have requested strict checking.
Host key verification failed.

 

I tried the following command:

 

ssh-keygen -F <hostname> -f known_hosts

 


It didn't pull up the host keys.

I thought that if it pulled up the host keys, I could remove them using the following command:

ssh-keygen -R rx26-155 -f known_hosts

So the next time the network device tries to connect, it will prompt for the RSA fingerprint and get connected.

 

Please share your valuable inputs.

 

Thanks & Regards,

 

Anand

1 REPLY
Matti_Kurkela
Honored Contributor

Re: SSH RSA key issue " Host verification failed "

> Offending key in /home/scr/.ssh/known_hosts:4

 

This indicates the conflicting key is on the 4th line of the /home/scr/.ssh/known_hosts file.

You could remove this line and fix the problem that way.

 

Alternatively...

 

> RSA host key for 10.254.29.1 has changed and you have requested strict checking.

 

The keys in the known_hosts files are indexed both by hostname and by IP address. This message indicates the problem is that the old key is still associated with this IP address.

 

If you run:

ssh-keygen -F 10.254.29.1 -f /home/scr/.ssh/known_hosts

 ... it should also find the problematic key for you.

Likewise, this command should be able to remove it for you:

 

ssh-keygen -R 10.254.29.1 -f /home/scr/.ssh/known_hosts

 

When OpenSSH did not yet have the hostname/IP hashing enabled by default in the known_hosts file, the problem would have been straightforward to notice and fix, as anyone viewing the contents of the known_hosts file would have easily noticed that each host has two entries: one by name and another by IP. But with modern versions, the hashing feature makes the entries pretty much opaque.

 

Apparently, the OpenSSH developers have not paid enough attention to updating the documentation to describe this behavior, no doubt because they're all already very familiar with OpenSSH from before, and think of this as "obvious". But if you don't already know how SSH handles the keys and have never seen an unhashed known_hosts file, I guess it's not obvious at all.

 

The ssh-keygen man page indicates that the -F and -R options take a hostname as a parameter, but a careful reading of the option description reveals hints that an IP address can also be used in place of the hostname.

It might be useful to submit a documentation bug report or even a man page patch to the OpenSSH project for this.

 

MK