How to Resolve “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED” in SSH After Server Migration


30 views

When you see the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED" message, SSH is performing its important security function. Your client compares the stored host key in ~/.ssh/known_hosts with what the server presents. The mismatch triggers this warning to protect you from potential man-in-the-middle attacks.

Hosting providers often regenerate SSH host keys during major upgrades or server migrations. This is exactly what happened in your case. While inconvenient, this is actually good security practice - servers should periodically rotate their host keys.

First, verify with your hosting provider that the change was intentional. Once confirmed, you have several options:

# Method 1: Remove the old entry (line 7 in your case)
ssh-keygen -R mydomain.com

# Method 2: Remove by IP address
ssh-keygen -R X.X.X.X

# Method 3: Manual edit (backup first!)
nano ~/.ssh/known_hosts

After removing the old key, your next SSH connection will prompt you to verify and store the new key:

ssh user@mydomain.com
The authenticity of host 'mydomain.com (X.X.X.X)' can't be established.
RSA key fingerprint is XXxXXXXXXX.
Are you sure you want to continue connecting (yes/no)?

For scripts or CI pipelines, you can use:

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@mydomain.com

Note: Only use this in trusted environments as it disables key verification.

  • Regularly audit your known_hosts file
  • Consider using HashKnownHosts yes in ssh_config for additional security
  • For critical systems, pre-distribute host keys through secure channels

If issues persist after updating the key:

# Verify DNS resolution
dig mydomain.com

# Check for multiple entries
ssh-keygen -F mydomain.com

# Test connection verbosely
ssh -vvv user@mydomain.com

When you encounter the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, SSH is protecting you from potential man-in-the-middle attacks. This occurs when:

  • The server's host key doesn't match what's in your ~/.ssh/known_hosts
  • The IP address resolves to a different host than before
  • The server administrator legitimately changed keys (common after migrations)

If you're certain the host change is legitimate (like after a provider migration):

ssh-keygen -R yourdomain.com
ssh-keygen -R server_ip_address

This removes old entries. Then reconnect:

ssh user@yourdomain.com

You'll be prompted to verify and accept the new key fingerprint.

For critical systems, verify the new key fingerprint through multiple channels:

# First get the new fingerprint from your provider:
ssh-keyscan -t rsa yourdomain.com | ssh-keygen -lf -

# Compare with what your server shows:
ssh -o VisualHostKey=yes user@yourdomain.com

To configure strict host key checking while maintaining security:

# ~/.ssh/config
Host yourdomain.com
    HostName yourdomain.com
    User yourusername
    StrictHostKeyChecking accept-new
    UserKnownHostsFile ~/.ssh/known_hosts_yourdomain

For teams managing multiple servers, create a key rotation script:

#!/bin/bash
SERVER="yourdomain.com"
IP="x.x.x.x"
KEYFILE="$HOME/.ssh/known_hosts"

# Remove old entries
ssh-keygen -R "$SERVER" -f "$KEYFILE"
ssh-keygen -R "$IP" -f "$KEYFILE"

# Add new entry
ssh-keyscan -H "$SERVER" >> "$KEYFILE"
ssh-keyscan -H "$IP" >> "$KEYFILE"
  • Always verify new fingerprints through out-of-band channels
  • Consider using SSH certificates instead of host keys for large deployments
  • For high-security environments, implement SSHFP DNS records