System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

SCP: Host key verification failed

 
rianui
Trusted Contributor

SCP: Host key verification failed

Hi Gurus,

 

I recently installed HP-UX 11iV3 on a new server. I am copying a file from the live server-11iV2, to this new server using scp but I keep getting the errror below.

 

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
e8:68:e2:1c:3d:7c:60:e7:e0:69:60:93:3a:33:97:fd.
Please contact your system administrator.
Add correct host key in /.ssh/known_hosts to get rid of this message.
Offending key in /.ssh/known_hosts:3
RSA host key for <hostname> has changed and you have requested strict checking.
Host key verification failed.
lost connection
# WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

 

 

 

Even though I delete line 3 in the /.ssh/known_hosts file or even delete all contents in this file (only the two servers should copy files accross each other) it does not work and instead I get the following error:

 

Host key verification failed.
lost connection

 

Any way forward with this?

 

Kind Regards,

 

Rianui

7 REPLIES
Matti_Kurkela
Honored Contributor

Re: SCP: Host key verification failed

The first error message is SSH's way of saying "I've seen this server before, and it definitely used to have a different key" error message. It is designed to alert you in case a server has been replaced (perhaps maliciously).

 

The second message happens when SSH (or scp) would need to ask  "I've never seen this host key before, are you sure it's OK?" but cannot because the command is run in non-interactive mode (e.g. using the -B = batch mode option of scp or having the command's standard input/output redirected into a pipe or a file).

 

You can fix the second message by making an one-time connection to the target host in interactive mode: just type "ssh your.target.host" on the command line. You should see a prompt like this:

 

The authenticity of host 'your.target.host (11.22.33.44)' can't be established.
RSA key fingerprint is 84:fe:1d:4b:0f:fe:2f:6a:d9:9e:3b:81:cc:05:3d:f5.
Are you sure you want to continue connecting (yes/no)? 

 When you answer "yes" (you must type it in full), the new host key (and its associated hostname&IP address) will be recorded in the known_hosts file. After that, all future non-interactive connections should work, unless there is some other issue.

 

MK
BowlesCR
Advisor

Re: SCP: Host key verification failed

You can also pass -o StrictHostKeyChecking=no to cause ssh/scp to blindly trust whatever key they get whether it is changed or new... This circumvents a somewhat important safety check though, so its best not to use it on a regular basis.

Also, rather than editing known_hosts when a key changes, try `ssh-keygen -R <target_host>` to delete the host's entry automatically. Note that each hostname/alias and IP for a system is treated as a unique entry, so if you connect to a box with more than one name you will have multiple entries.
rianui
Trusted Contributor

Re: SCP: Host key verification failed

Hi Matti,

 

Thanks for your response.

I ran the command as you instructed (ssh <destination-server>) and logged in after the "yes" response (without quotes) but that error was replaced by this one:

 

Received disconnect from <destination-ip-address>: 2: Too many authentication failures for root
lost connection

 

I did everything else I had done before (deleting the entries in the known_hosts file, hoping the solution would come by in the process) but the error above remained.

 

Kind regards,

 

Rianui

rianui
Trusted Contributor

Re: SCP: Host key verification failed

Hi Bowles,

 

Thanks for your response.

I didn't fully understand your instructions (You can also pass -o StrictHostKeyChecking=no..) Where do I turn this off? What is the actual command or syntax?

 

Kind regards,

 

Rianui

Matti_Kurkela
Honored Contributor

Re: SCP: Host key verification failed

Received disconnect from <destination-ip-address>: 2: Too many authentication failures for root
lost connection

 

If you get this message, your client has accepted the host key and begun to authenticate with the remote host, so it indicates you've successfully fixed your host key issue.

 

But the remote host seems to have an account lock-out policy: after too many failed login attempts, the account becomes locked. Now this has happened to the root account of the remote host: the remote host is rejecting your login attempt. No amount of fiddling with your local SSH client or its files is going to allow you a way around this.

 

This is a result of a system-wide security policy, and usually it is effective over all login methods, so it is not in any way related to SSH or scp specifically.

 

You must now unlock the root account on the remote host before you can use it. This may be as easy as logging in with your regular user account (you do have one, right?) and using sudo or a similar access management tool to gain root access... or if there is no such tool installed on the remote host yet, you may have to login as root on the actual system console: it (and only it) has special exception that allows logging in as root even if the root account has become locked.

MK
rianui
Trusted Contributor

Re: SCP: Host key verification failed

Hi Matti,

 

I will try that. Kindly note that I can actually log into both systems using the root account. I can also ssh to any using the root account successfully.

 

Regards,

 

Rianui

BowlesCR
Advisor

Re: SCP: Host key verification failed

The parameter I mentioned goes on the command line for ssh/scp.

ssh -o StrictHostKeyChecking=no <remotehost>