Inspect SSH Server Key Fingerprints

ssh server1.exemple.com


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:PtxWQz5ZpYmfBRNWaWS3woHfji5VmWOjriz/1oYerMI.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:70
ED25519 host key for server1.exemple.com. has changed and you have requested strict checking.
Host key verification failed.

When you're seeing warning message like above while connecting to the server via ssh, it could mean at least two things:

  1. Somebody is trying to intercept your encrypted communication and gain control over your server. <a id="case1"></a>
  2. You've changed server configuration, upgraded or re-installed OS (99.99% of cases).

To ensure that it is not case #1 you need to check if the actual key fingerprint on your server is equal to the one you're seeing in the WARNING message.

Usually, when I make changes to configuration files, I do not log out until checking all important services are up and running.

If you're still logged in, check server key fingerprint with:

ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub

256 SHA256:PtxWQz5ZpYmfBRNWaWS3woHfji5VmWOjriz/1oYerMI root@server1.exemple.com (ED25519)

The fingerprint is the same as in the WARNING message in this case.

The fingerprint from warning message:

The fingerprint for the ED25519 key sent by the remote host is
SHA256:PtxWQz5ZpYmfBRNWaWS3woHfji5VmWOjriz/1oYerMI

The fingerprint of the key on the server:

SHA256:PtxWQz5ZpYmfBRNWaWS3woHfji5VmWOjriz/1oYerMI

So it's safe to delete old fingerprint:

sed -i 70d ~/.ssh/known_hosts

(70 here is a line number in known_hosts file)