How to Remove Strict RSA Key Checking in SSH and What’s the Problem Here?

SSH is a secure protocol that allows you to remotely access and manage servers. However, sometimes you may encounter a warning message like this when you try to connect to a server via SSH:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:{hash}
Please contact your system administrator.
Add correct host key in C:\Users\myusername\.ssh/known_hosts to get rid of this message.
Offending ECDSA key in C:\Users\myusername\.ssh/known_hosts:3
ECDSA host key for 192.168.1.5 has changed and you have requested strict checking.
Host key verification failed.

It keeps me logged in for a very few seconds and then closes the connection.

This warning means that the key the server presented does not match the key your SSH client recorded for it the first time you connected. That happens after legitimate changes on the server side, but it is also exactly what you would see if someone were impersonating the server.

In this article, we explain what triggers the warning and how to clear it by updating your known_hosts file once you have confirmed that the new key is genuine.

What Causes the “Strict RSA Key Checking” Warning Message in SSH?

Strict host key checking (the StrictHostKeyChecking option in ssh_config, whose default is ask) makes the client refuse to connect to a server whose host key no longer matches the key recorded for it in your known_hosts file. Despite the wording in the title, the check is not specific to RSA: it applies to every host key type (RSA, ECDSA, Ed25519), which is why the warning above reports an offending ECDSA key.

The known_hosts file is a local file that stores the public host key of every server you have connected to, one per line: the host name or address (or a comma-separated list of them), the key type, and the base64-encoded key. If HashKnownHosts is enabled, the host field is stored as a salted hash (|1|salt|hash) instead of in the clear. On each connection ssh compares the key the server sends with this entry, which is how it tells the real server from an impostor.

The stored key stops matching when, among other reasons:

  • The server was reinstalled, or its administrator regenerated the host keys, so it now presents a new key.
  • The address or host name now points at a different machine: a reassigned DHCP lease, a rebuilt cloud instance, or several hosts behind one load-balanced address.
  • An attacker is intercepting the connection and presenting their own key (a man-in-the-middle attack), or has compromised the server and replaced its keys.

The client cannot tell these cases apart. In all of them it reports that host key verification failed and leaves it to you to confirm the new key before it is added to known_hosts.

How Can You Remove Strict RSA Key Checking in SSH?

Strictly speaking you do not remove the check; you remove the stale entry (the line the warning calls the offending key) so that the client treats the server as one it has never seen and lets you accept and record its current key. Do not delete or comment out anything until you have confirmed the new fingerprint through a trusted channel (see the last section).

There are different ways to edit your known_hosts file depending on your operating system and preferences. Here are some common methods:

  • Using a text editor: You can use any text editor such as Notepad or Vim to open and edit your known_hosts file manually. The file is usually located at C:\Users\myusername\.ssh\known_hosts on Windows or ~/.ssh/known_hosts on Linux or macOS. The warning tells you which line to remove: the number after the colon in

C:\Users\myusername\.ssh/known_hosts:3

so in the example above it is line 3.

  • Using the sed command: On Linux or macOS you can delete or comment out that line from the terminal. To delete line 3 with GNU sed (Linux):

sed -i 3d ~/.ssh/known_hosts

The sed that ships with macOS (BSD sed) requires an argument to -i, so there the command is:

sed -i '' 3d ~/.ssh/known_hosts

If you would rather keep the old key around as a comment (ssh ignores lines that start with #), prefix the line instead of deleting it:

sed -i '3s/^/#/' ~/.ssh/known_hosts

This inserts a # at the start of line 3 and leaves every other line untouched. Check the result with sed -n 3p ~/.ssh/known_hosts before reconnecting, and remember that line numbers shift after a deletion, so re-read the warning rather than reusing an old number.

  • Using the ssh-keygen command: ssh-keygen, which ships with OpenSSH on Linux, macOS and Windows 10 and later, can find and remove entries by host name or address rather than by line number, and it also handles hashed entries that you cannot locate by reading the file. To list the entries stored for 192.168.1.5:

ssh-keygen -F 192.168.1.5

To remove all of them (the original file is saved as known_hosts.old):

ssh-keygen -R 192.168.1.5

If the server listens on a non-standard port, the entry is stored as [host]:port and must be named that way, for example ssh-keygen -R '[192.168.1.5]:2222' (quoted as your shell requires). Use -f to operate on a file other than ~/.ssh/known_hosts.

After removing the stale entry, the next connection asks you to confirm the server's current key as if it were a new host. Compare the fingerprint it shows with the one you verified out of band before answering yes. If the same warning comes back, the stale entry is probably in another known_hosts file: check the UserKnownHostsFile and GlobalKnownHostsFile settings in your ssh_config (the system-wide file is usually /etc/ssh/ssh_known_hosts), or ask your system administrator.
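The three manual methods above come down to one operation: find the line(s) that belong to the host and drop them while keeping a backup. The following Python script is an added example written for this article (it is not part of OpenSSH); it reimplements what ssh-keygen -F and ssh-keygen -R do, including matching the hashed |1|salt|hash entries that you cannot locate by eye, and runs unchanged on Windows, macOS and Linux. The function names and the sample file are ours, and the key blobs in the sample are placeholders, not real keys.

```python
"""Find and remove a stale known_hosts entry, the job ssh-keygen -F / -R do.

Added example for this article, not code from OpenSSH. It reads the entry
forms ssh writes: a plain host, a comma-separated host list, and a hashed
host field ("|1|<base64 salt>|<base64 HMAC-SHA1>", written when
HashKnownHosts is on).
"""
import base64
import hashlib
import hmac
import os
import shutil
import tempfile


def hash_hostname(host, salt):
    """Hashed host field as OpenSSH stores it: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                            base64.b64encode(mac).decode())


def entry_matches(line, host):
    """True if this known_hosts line is an entry for `host` (plain or hashed).

    `host` must be given exactly as ssh looks it up, e.g. "[10.0.0.7]:2222"
    for a non-default port.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return False  # ssh ignores blank lines and comments
    fields = line.split()
    # "@cert-authority" / "@revoked" markers precede the host field.
    hosts_field = fields[1] if fields[0].startswith("@") else fields[0]
    if hosts_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hosts_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in hosts_field.split(",")


def find_entries(path, host):
    """1-based line numbers of all entries for `host`, like ssh-keygen -F."""
    with open(path) as fh:
        return [n for n, line in enumerate(fh, 1) if entry_matches(line, host)]


def remove_lines(path, line_numbers):
    """Delete the given 1-based lines after saving a copy as <file>.old
    (ssh-keygen -R keeps the same backup). Returns the number removed."""
    shutil.copy2(path, path + ".old")
    with open(path) as fh:
        lines = fh.readlines()
    drop = set(line_numbers)
    kept = [l for n, l in enumerate(lines, 1) if n not in drop]
    with open(path, "w") as fh:
        fh.writelines(kept)
    return len(lines) - len(kept)


def remove_host(path, host):
    """ssh-keygen -R equivalent: drop every entry for `host`."""
    return remove_lines(path, find_entries(path, host))


if __name__ == "__main__":
    # Constructed sample file; the key blobs are placeholders, not real keys.
    work = tempfile.mkdtemp()
    kh = os.path.join(work, "known_hosts")
    with open(kh, "w") as fh:
        fh.write("server.example.com,10.0.0.7 ssh-ed25519 AAAAexample1\n")
        fh.write("192.168.1.5 ecdsa-sha2-nistp256 AAAAexample2\n")
        fh.write(hash_hostname("192.168.1.5", os.urandom(20)) + " ssh-rsa AAAAexample3\n")
    print("entries for 192.168.1.5:", find_entries(kh, "192.168.1.5"))
    print("removed:", remove_host(kh, "192.168.1.5"))
    print("backup at:", kh + ".old")
```

Run it against your real file by calling find_entries first and looking at the lines it reports; only call remove_host once you have confirmed, as described in the next section, that the server's new key is genuine.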
What’s the Problem Here?

The problem is not a bug. ssh stores the key it saw the first time you connected and compares it on every later connection. When the key changes, the client cannot tell a rebuilt server from an attacker impersonating it, so it refuses to connect (with the default StrictHostKeyChecking=ask, a changed key is always rejected; only a host that has never been seen before is offered for confirmation) and leaves the decision to you.

That refusal is what stops man-in-the-middle attacks: an attacker who intercepts the connection must present a key, and it will not be the one you recorded.

So before you delete the stale entry, confirm through a channel the attacker does not control that the change is legitimate. Ask the administrator for the fingerprint of the server's current key (ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub, run on the server itself, or read from the instance console on cloud platforms that print host key fingerprints there) and compare it with the fingerprint printed in the warning. Only if the two match should you remove the old entry and accept the new key. Do not work around the warning with StrictHostKeyChecking=no or UserKnownHostsFile=/dev/null: that lets the connection proceed against an unverified key and defeats the check entirely.

In conclusion, the host key warning is a security feature, not an obstacle. The stale entry can be removed from known_hosts in a few seconds, but that step should always come after you have confirmed that the new key really belongs to the server you intend to reach.
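As an added example (not from the original article and not part of OpenSSH), the script below turns that check into code. It reads the fingerprint and the offending line out of the warning text, computes the SHA256 fingerprint of a public key line the way ssh-keygen -lf does (SHA-256 of the raw key blob, base64 without padding), and reports whether the key the administrator sent you out of band, either as a fingerprint or as the contents of the server's ssh_host_*_key.pub file, is the key the server actually presented. The function names, the sample warning and the key material are constructed for the example.

```python
"""Confirm a changed host key out of band before touching known_hosts.

Added example for this article, not OpenSSH code. Fingerprint format follows
ssh-keygen: "SHA256:" + base64(SHA-256(key blob)) with '=' padding removed.
"""
import base64
import hashlib
import re

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519"}


def fingerprint(pubkey_line):
    """SHA256 fingerprint of a 'type blob' line, with or without a leading
    known_hosts host field or an '@' marker, formatted as ssh-keygen prints it."""
    fields = pubkey_line.split()
    for i, f in enumerate(fields[:-1]):
        is_type = f in KEY_TYPES or f.startswith(("ecdsa-sha2-", "sk-"))
        # Every SSH key blob starts with a 4-byte length, so its base64 starts "AAAA".
        if is_type and fields[i + 1].startswith("AAAA"):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found in line")


def parse_warning(text):
    """Pull the useful facts out of a REMOTE HOST IDENTIFICATION HAS CHANGED warning:
    the fingerprint of the key the server sent, and the file:line of the stale entry."""
    fp = re.search(r"sent by the remote host is\s*(SHA256:[A-Za-z0-9+/]+)", text)
    off = re.search(r"Offending (\S+) key in (\S+?):(\d+)", text)
    if not fp or not off:
        raise ValueError("not a recognisable host-key-changed warning")
    return {"fingerprint": fp.group(1), "key_type": off.group(1),
            "path": off.group(2), "line": int(off.group(3))}


def key_change_is_expected(warning_text, trusted):
    """True only if the key the server presented (per the warning) is the one
    reported through a trusted channel. `trusted` is either a SHA256: fingerprint
    string or the full contents of the server's ssh_host_*_key.pub file."""
    reported = parse_warning(warning_text)["fingerprint"]
    trusted = trusted.strip()
    expected = trusted if trusted.startswith("SHA256:") else fingerprint(trusted)
    return reported == expected


if __name__ == "__main__":
    # Constructed key blob (valid base64, not a real key) standing in for the
    # new key the administrator sent, and a warning built around it.
    new_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVk root@server"
    warning = (
        "The fingerprint for the ED25519 key sent by the remote host is\n"
        + fingerprint(new_key) + ".\n"
        "Offending ECDSA key in C:\\Users\\myusername\\.ssh/known_hosts:3\n"
    )
    info = parse_warning(warning)
    print("stale entry:", info["path"], "line", info["line"])
    print("server presented:", info["fingerprint"])
    print("matches key from admin:", key_change_is_expected(warning, new_key))
```

Paste the warning you received into parse_warning and the fingerprint or .pub line from the administrator into key_change_is_expected; a False result means the key the server presented is not the one you were told to expect, and the entry should stay where it is until that is explained.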
Updated on December 16, 2023