How to Fix the “Host Key Verification Failed” Error?

Sometimes, if you have noticed, you encounter the “Host Key Verification Failed” error while working with SSH (Secure Shell). This error usually occurs when the system finds a mismatch in the host key for a remote server you are trying to connect to. This article will explore the causes of this error and provide details on how to fix the “Host Key Verification Failed” error. So, let’s start with the definition.

What is the “Host Key Verification Failed” Error?

When you connect to a remote server via SSH for the first time, the server’s public key is stored in a file on your local machine, usually located at ~/.ssh/known_hosts. This key is used to verify the server’s identity in future connections. So, sometimes, the server key changes or doesn’t match the stored key – SSH will refuse the connection and display the “Host Key Verification Failed” error.

“Host Key Verification Failed” Error Possible Causes

• The server’s host key has changed due to the server reinstallation or a server replacement.
• DNS spoofing or man-in-the-middle attacks.
• Changes in the server’s IP address or domain name.
• Corruption or modification of the known_hosts file.

How to Fix the “Host Key Verification Failed” Error?

Remove the Old Host Key

If the server’s host key has changed, you must remove the old key from the known_hosts file. You can do this manually or using the ssh-keygen command.

Manually Editing known_hosts

Open the known_hosts file with a text editor:

sh
nano ~/.ssh/known_hosts

Find the line containing the host entry for the server causing the error.

Delete that line and save the file.

Using ssh-keygen

The ssh-keygen command can simplify this process:

Find the problematic host key using the following command:

sh
ssh-keygen -F [hostname]

Replace [hostname] with the server’s actual hostname or IP address.

Remove the problematic host key:

sh
ssh-keygen -R [hostname]

This command will remove all entries for the specified hostname.

Accept the New Host Key

After removing the old host key, attempt to reconnect to the server:

sh
ssh [username]@[hostname]

Replace [username] with your username and [hostname] with the server’s hostname or IP address. You will see a prompt asking if you want to accept the new host key:

plaintext
The authenticity of host '[hostname] ([IP address])' can't be established.
ECDSA key fingerprint is SHA256:[fingerprint].
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Type yes and press Enter. The new host key will be added to your known_hosts file, and the connection will proceed.

Check for DNS Spoofing or Man-in-the-Middle Attacks

If you suspect the host key change might be due to DNS spoofing or a man-in-the-middle attack, verify the server’s authenticity through another secure channel. Contact the server administrator and confirm the new host key fingerprint before accepting it.

Verify the Server’s Host Key

You can directly fetch and verify the server’s host key using the following command:

sh
ssh-keyscan [hostname]

This command will print the server’s host key. Compare this key with the one provided by the server administrator to ensure it is legitimate. If it matches, you can add it to the known_hosts file manually:

Run the ssh-keyscan command:

sh
ssh-keyscan [hostname] >> ~/.ssh/known_hosts

This command appends the server’s host key to your known_hosts file.

Automating Host Key Management

You can automate host key management using SSH options or configuration files for environments where host keys change frequently.

Using SSH Options

You can also temporarily bypass host key verification using the ‘-o StrictHostKeyChecking=no’ option. However, this is not recommended for regular use due to security risks.

sh

ssh -o StrictHostKeyChecking=no [username]@[hostname]

Configuring SSH

You can use SSH configuration files to manage host keys more effectively. Create or edit the SSH configuration file at ~/.ssh/config and add the following entries:

plaintext
Host [hostname]
    User [username]
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

Replace [hostname] and [username] with your server’s hostname and username. This configuration disables strict host key checking and prevents known_hosts file updates for the specified host.

Reinstalling or Regenerating SSH Keys

In rare cases, the “Host Key Verification Failed” error might persist due to corrupted SSH keys or configuration files. Reinstalling or regenerating SSH keys can resolve this issue.

Regenerate SSH Keys on the Client Side

Backup your existing SSH keys:

sh
mv ~/.ssh/id_rsa ~/.ssh/id_rsa_backup
mv ~/.ssh/id_rsa.pub ~/.ssh/id_rsa.pub_backup

Generate a new SSH key pair

sh
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Copy the new public key to the server

sh
ssh-copy-id [username]@[hostname]

Regenerate SSH Keys on the Server Side

Connect to the server through an alternative method (e.g., console access).

Backup existing SSH keys

sh
sudo mv /etc/ssh/ssh_host_* /etc/ssh/backup/

Regenerate SSH keys

sh
sudo dpkg-reconfigure openssh-server

Restart the SSH service

sh
sudo systemctl restart ssh

Conclusion

The “Host Key Verification Failed” error is a common issue when using SSH and can be resolved with a few steps. When you know the causes of this error and follow the given solutions, you can ensure secure and uninterrupted SSH connections to your remote servers. Manually edit the known_hosts file, verify the server’s host key, or automate host key management – try things, and something or the other will work.

Need help with such errors?

Connect with Leasepacket. Leasepacket provides A to Z server-related services & solutions.

FAQs