Resolving “Offending Key” SSH Warning: Host Key Mismatch When Connecting to VPS



When you see this SSH warning, your system is detecting a discrepancy between:

  • The stored host key for your VPS's IP address (in ~/.ssh/known_hosts:1)
  • The stored host key for your VPS's hostname (in ~/.ssh/known_hosts:2)

Common causes:

  1. Server reinstallation: the VPS was reinstalled, generating new SSH host keys
  2. IP address reassignment: the IP was previously used by a different server
  3. Configuration change: the SSH server was reconfigured to use new keys

Method 1: Update the known_hosts file

# Remove conflicting entries
ssh-keygen -R "your_vps_ip"
ssh-keygen -R "your_vps_hostname"

# Then reconnect
ssh root@myVPS

Method 2: Verify server fingerprints (most secure)

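# First get the fingerprint of the key the server currently presents
# (ssh-keyscan prints the raw key; ssh-keygen -l turns it into a fingerprint).
# This key arrives over the network, so confirm it against the fingerprint read on the server itself.
ssh-keyscan -t rsa myVPS | ssh-keygen -l -f -
ssh-keyscan -t rsa xxx.xx.xxx.xx | ssh-keygen -l -f -

# Compare with what's in known_hosts:
ssh-keygen -l -f ~/.ssh/known_hosts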

For DevOps scenarios where you expect host keys to change, you can disable host key checking for a single host:

# Add to your ~/.ssh/config
Host myVPS
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    LogLevel ERROR

  • Never bypass host key verification in production environments
  • For critical systems, implement SSH certificate authentication
  • Consider using SSHFP DNS records for additional verification

# Increase verbosity:
ssh -vvv root@myVPS

# Check all stored keys:
grep myVPS ~/.ssh/known_hosts
grep 'xxx.xx.xxx.xx' ~/.ssh/known_hosts

When you see the message:

Warning: the RSA host key for 'myVPS' differs from the key for the IP address 'xxx.xx.xxx.xx'
Offending key for IP in /home/manolo/.ssh/known_hosts:1
Matching host key in /home/manolo/.ssh/known_hosts:2

This indicates your system has detected a mismatch between the stored SSH host key for your VPS's IP address and the actual key presented by the server.
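
An added example, not part of the original page: a small Python parser for known_hosts that reports which stored lines disagree for a hostname and its IP, using the same line numbers ssh prints. It also matches hashed entries (HashKnownHosts), which a plain grep for the hostname would miss. The key blobs, the salt and the address 203.0.113.10 are constructed placeholders; wildcard host patterns are not handled.

```python
import base64, hashlib, hmac

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def names_match(field, name):
    """True if a known_hosts host field covers `name` (plain or hashed)."""
    if field.startswith("|1|"):                  # hashed entry: |1|salt|HMAC-SHA1(salt, name)
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return name in field.split(",")              # comma-separated plain names

def entries_for(known_hosts_text, name, keytype="ssh-rsa"):
    """Return [(line_number, fingerprint)] for `name`, numbered from 1 as ssh reports them."""
    found = []
    for lineno, line in enumerate(known_hosts_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or line.startswith(("#", "@")):   # comments, @revoked, @cert-authority
            continue
        if parts[1] == keytype and names_match(parts[0], name):
            found.append((lineno, fingerprint(parts[2])))
    return found

def host_ip_conflict(known_hosts_text, host, ip):
    """Return (ip_line, host_line) pairs whose stored keys differ."""
    ips, hosts = entries_for(known_hosts_text, ip), entries_for(known_hosts_text, host)
    return [(il, hl) for il, ifp in ips for hl, hfp in hosts if ifp != hfp]

# Constructed sample: placeholder key blobs, not real host keys.
SALT = b"0123456789abcdefghij"
MAC = hmac.new(SALT, b"myVPS", hashlib.sha1).digest()
OLD = base64.b64encode(b"constructed-old-host-key").decode()
NEW = base64.b64encode(b"constructed-new-host-key").decode()
HASHED = "|1|%s|%s" % (base64.b64encode(SALT).decode(), base64.b64encode(MAC).decode())
SAMPLE = "\n".join(["203.0.113.10 ssh-rsa " + OLD,   # line 1: stale key stored for the IP
                    HASHED + " ssh-rsa " + NEW])       # line 2: current key, hashed hostname

if __name__ == "__main__":
    for ip_line, host_line in host_ip_conflict(SAMPLE, "myVPS", "203.0.113.10"):
        print("Offending key for IP in known_hosts:%d, matching host key in known_hosts:%d"
              % (ip_line, host_line))
```
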

Common scenarios include:

  • The VPS was reinstalled with a new SSH host key
  • You're connecting to a different server at the same IP
  • The VPS provider changed the underlying hardware

The safest solution is to remove the conflicting entry from your known_hosts file:

ssh-keygen -R "xxx.xx.xxx.xx"  # Replace with your VPS IP
ssh-keygen -R "myVPS"         # Remove by hostname if needed

After removing the old key, connect again and verify the new fingerprint:

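# ssh-keyscan stores whatever key the network returns, so check its fingerprint before trusting it
ssh-keyscan -t rsa myVPS >> ~/.ssh/known_hosts
ssh-keygen -l -F myVPS   # compare with the fingerprint read on the server
ssh root@myVPS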

For scripting purposes, you can use:

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@myVPS

Note: This bypasses host key verification; only use it for testing.

To prevent future warnings, update your SSH config:

cat >> ~/.ssh/config <

Always verify the server's fingerprint matches what you expect:

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub  # On the server