Removing SSH known_hosts entries

Anyone that uses a lab that includes virtual machines re-uses the same IP addresses quite a bit.

However, when attempting to ssh (or scp or sftp) after re-using the IP address, you run into these errors:

scp tom@testbox.nodinrogers.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:kL6pahFE8sea3inrCuOTBUtSf8lWWg5wzs90EW9C9U0.
Please contact your system administrator.
Add correct host key in /home/tom/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/tom/.ssh/known_hosts:19
Host key for testbox.nodinrogers.com has changed and you have requested strict checking.
Host key verification failed.
Connection closed.
Connection closed

Fixes

There are a few different ways of fixing this, all of which result in the conflicting entry in the known_hosts file being deleted.

  1. Using your editor of choice (mine is vi/vim), edit the file, and remove the conflicting entry (line 19 in this example).

  2. Use sed and edit the file directly:

sed -i '19d' /home/tom/.ssh/known_hosts

I'm not a fan of this method, as if you fat finger the line number, your known_hosts file is borked.

  3. Use ssh-keygen to remove the entries for the host/IP:

ssh-keygen -R testbox.nodinrogers.com

Or to specify using the IP:

ssh-keygen -R 192.168.1.100

While all 3 ways will work, I use option 3, as it's both quicker and less prone to fat fingering.

Fix if using a non-standard port

If you specify a port and/or use a non-standard port, you will need to modify what you enter for the ssh-keygen option.

For example, if you ran sftp -P 2222 tom@testbox.nodinrogers.com, which would specify port 2222 instead of the default 22 for sftp, then the entry in your known_hosts file would start with:

[testbox.nodinrogers.com]:2222

To use ssh-keygen to delete that entry, you would need to run:

ssh-keygen -R "[testbox.nodinrogers.com]:2222"

Example output of using ssh-keygen:

ssh-keygen -R testbox.nodinrogers.com
# Host testbox.nodinrogers.com found: line 19
/home/tom/.ssh/known_hosts updated.
Original contents retained as /home/tom/.ssh/known_hosts.old
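To show what ssh-keygen -R actually has to do to the file, here is an added example (not OpenSSH's code and not from the original post) that removes every known_hosts line belonging to a host the same way: it matches plain names, comma-separated name/IP lists, the [host]:port form used for non-standard ports, and hashed entries of the form |1|salt|hash (HMAC-SHA1 of the hostname keyed with the salt), keeps lines it does not understand, and retains the previous file as known_hosts.old. The known_hosts contents, the hostnames, the salt and the key material are all constructed for the demonstration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path


def hashed_host_matches(pattern: str, host: str) -> bool:
    """Match a hashed host field (|1|<salt>|<hash>) against a hostname.

    OpenSSH hashes a hostname as HMAC-SHA1 keyed with the decoded salt over
    the hostname string; both salt and digest are base64-encoded.
    """
    try:
        _, version, salt_b64, hash_b64 = pattern.split("|")
    except ValueError:
        return False
    if version != "1":
        return False
    salt = base64.b64decode(salt_b64)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))


def host_field_matches(field: str, host: str) -> bool:
    """The host field is either one hashed entry or a comma-separated list of
    names/IPs; a non-default port is written as [name]:port and only matches
    when asked for in that exact form."""
    if field.startswith("|1|"):
        return hashed_host_matches(field, host)
    return any(name == host for name in field.split(","))


def host_field_of(line: str) -> str | None:
    """Return the host field of one known_hosts line, skipping comments and
    blank lines; a leading @marker (e.g. @cert-authority) shifts it right."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    return fields[1] if fields[0].startswith("@") else fields[0]


def remove_host(known_hosts: Path, host: str) -> list[int]:
    """Drop every line whose host field matches `host`, as ssh-keygen -R does.

    Returns the 1-based line numbers removed. When anything was removed the
    previous contents are kept as <file>.old, mirroring ssh-keygen's output.
    """
    lines = known_hosts.read_text().splitlines(keepends=True)
    kept, removed = [], []
    for number, line in enumerate(lines, start=1):
        field = host_field_of(line)
        if field is not None and host_field_matches(field, host):
            removed.append(number)
        else:
            kept.append(line)
    if removed:
        shutil.copy2(known_hosts, known_hosts.with_name(known_hosts.name + ".old"))
        known_hosts.write_text("".join(kept))
    return removed


def write_sample(path: Path) -> None:
    """Write a constructed known_hosts file covering each host-field form."""
    salt = bytes(range(20))  # constructed, fixed salt so the run is reproducible
    hashed = "|1|{}|{}".format(
        base64.b64encode(salt).decode(),
        base64.b64encode(
            hmac.new(salt, b"testbox.nodinrogers.com", hashlib.sha1).digest()
        ).decode(),
    )
    key = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL"  # constructed, not a real key
    path.write_text(
        "\n".join(
            [
                f"testbox.nodinrogers.com,192.168.1.100 ssh-ed25519 {key}",
                f"otherbox.nodinrogers.com ssh-ed25519 {key}",
                f"[testbox.nodinrogers.com]:2222 ssh-ed25519 {key}",
                f"{hashed} ssh-ed25519 {key}",
                f"@cert-authority ca.nodinrogers.com ssh-ed25519 {key}",
            ]
        )
        + "\n"
    )


def run_demo() -> tuple[list[int], list[int], list[str], bool]:
    """Remove the plain and the port-qualified entries in turn and report what
    was removed, which host fields remain, and whether the .old backup exists."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "known_hosts"
        write_sample(path)
        first = remove_host(path, "testbox.nodinrogers.com")
        second = remove_host(path, "[testbox.nodinrogers.com]:2222")
        remaining = [
            f for f in (host_field_of(l) for l in path.read_text().splitlines()) if f
        ]
        backup = (Path(tmp) / "known_hosts.old").exists()
    return first, second, remaining, backup


if __name__ == "__main__":
    print(run_demo())
```

The first removal deletes the plain entry (line 1) and the hashed one (line 4) but leaves the [testbox.nodinrogers.com]:2222 line alone, which is exactly why the bracketed form has to be passed to ssh-keygen -R when a non-standard port was used; the second call then removes it.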

Prevent the errors from occurring

If you have a list of IP addresses, or a subnet that you use (and reuse) for virtual lab devices, you can also disable strict host key checking in the ~/.ssh/config file.

For example, to disable strict host key checking for the IP of 192.168.1.22 and the subnet of 10.10.10.0/24, these 2 entries would be in the ~/.ssh/config file:

Host 10.10.10.*
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

Host 192.168.1.22
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

With the above entries in the ~/.ssh/config file, the host key is neither checked nor stored, which prevents the errors above from ever occurring.

However, this does leave you open to a man in the middle (MITM) attack.

For my lab subnets, it's a risk I'm willing to take.
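As an added example that is not part of the original post, the same Host patterns in a less permissive form that still avoids the error after a lab rebuild. It goes a little beyond the post: StrictHostKeyChecking accept-new (available since OpenSSH 7.6) silently accepts a key for a host that is not yet in the file but still refuses a changed key, so the MITM warning is kept, and a dedicated UserKnownHostsFile for the lab means the whole file can be deleted, or one host removed from it with ssh-keygen -R -f, when addresses are reused, without touching the known_hosts used for real hosts. The file name ~/.ssh/known_hosts_lab is an assumption.

```sshconfig
# Added example: use this instead of (not together with) the "no" / /dev/null
# blocks above; ssh takes the first matching value for each option.
Host 10.10.10.* 192.168.1.22
    # Accept a first-seen key, refuse a changed one.
    StrictHostKeyChecking accept-new
    # Keep lab keys apart from the main known_hosts so they can be wiped.
    UserKnownHostsFile ~/.ssh/known_hosts_lab
```

After rebuilding a lab machine, clear its stale key from the lab file with ssh-keygen -R 10.10.10.5 -f ~/.ssh/known_hosts_lab (address assumed), or remove the lab file entirely when the whole subnet is rebuilt.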

References

die-net - ssh-keygen(1) - Linux man page https://linux.die.net/man/1/ssh-keygen