
If a host's operating system has been re-installed and had its public key regenerated, sshing to it will of course fail because the new key doesn't match the old one.

Is there an easier way to tell ssh that you know that the host's key has changed and that you want it to be updated? I think it feels a bit error-prone to use a text editor or something like sed to remove the offending line.

Sam

2 Answers

Use ssh-keygen -R hostname to remove the hostname (or IP address) from your .ssh/known_hosts file. The next time you connect, the new host key will be added to your .ssh/known_hosts file.

jsbillings
TARGET_HOST=[hostname or IP]

# Remove the old key(s) for this host from known_hosts
ssh-keygen -R "$TARGET_HOST"

# Add the new key(s) to known_hosts (and also hash the hostname/address)
ssh-keyscan -H "$TARGET_HOST" >> ~/.ssh/known_hosts

The next time you connect, you'll connect without being asked "Are you sure you want to continue connecting (yes/no)?" since the keys will already be in the known_hosts file.

Earl Ruby
  • See also the StrictHostKeyChecking option in ~/.ssh/config – Jeff Schaller Apr 12 '16 at 18:17
  • I'd use a different variable name.... HOST is in some shells giving you your own hostname, so I'd prefer not to alter it (I know one can just then exit, or do this from a subshell, but still, why not thehost instead? or something. An ALLCAPS variable could collide with a reserved internal name. Smallcase names should not.) – Olivier Dulac Nov 28 '17 at 12:33
  • These keys in known_hosts are prefixed by some stuff which begins with |1|. That stuff isn't appended to the file via this method, or am I wrong? What's the difference then, because what ssh-keyscan returns does not begin with |1| – Daniel F Sep 08 '18 at 21:49
  • (@DanielF+) if you use hashed format and accepted the key(s) in ssh there are separate entries for the host name and its address(es), so you should ssh-keygen -R each of them to avoid conflict – dave_thompson_085 Sep 09 '18 at 05:47
  • Worth noting that while this might avoid the "Are you sure?" prompt, this is in effect doing nothing more than blindly answering "yes". ssh-keyscan just grabs whatever certificate the host offers -- legitimate or not -- and by appending it to known_hosts you're trusting it. – Phil Frost Feb 05 '21 at 21:31
  • @PhilFrost, if you are able to recognize a correct hashkey from a server, then you can use ssh-keyscan without the redirect first. If you are not able to recognize a correct hashkey, you should find a secure method to get that hashkey before using any of the suggested methods, and then in that case you can still use ssh-keyscan without the redirect. In all other cases, you are one way or the other, blindly accepting the hashkey. – Mike Nov 28 '22 at 23:45
  • Worth noting that the question being asked specifically states "when you know that a host's key has changed." – Earl Ruby Nov 30 '22 at 01:22
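An added example (not from either answer or from OpenSSH itself), in Python, that works through the two points raised in the comments on this answer: checking a scanned key's SHA256 fingerprint against a value obtained out of band before it is appended, and how the hashed |1| host fields written by ssh-keyscan -H are matched, which is why a host name and its address need separate ssh-keygen -R calls. The sample key blob and host names are constructed; the known_hosts path, the HMAC-SHA1 hashed-host layout and the SHA256 fingerprint format follow the OpenSSH known_hosts conventions but are assumptions of this example, not quoted from the page.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample in the format ssh-keyscan prints (host, key type, base64 blob).
# The blob is ed25519-shaped (type string + 32 key bytes) but is NOT a real host key.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_SCAN_LINE = "newhost.example ssh-ed25519 " + base64.b64encode(_BLOB).decode()


def fingerprint_of(known_hosts_line: str) -> str:
    """SHA256 fingerprint of the key on a known_hosts/ssh-keyscan line (what ssh-keygen -lf shows)."""
    _host, _ktype, blob_b64 = known_hosts_line.split()[:3]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def verify_scanned_line(line: str, expected_fingerprint: str) -> bool:
    """True only if the scanned key matches the fingerprint you obtained out of band."""
    return hmac.compare_digest(fingerprint_of(line), expected_fingerprint)

def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Host field as written by HashKnownHosts / ssh-keyscan -H: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def entry_matches_host(known_hosts_line: str, hostname: str) -> bool:
    """Would `ssh-keygen -R hostname` select this line? Handles plain, comma-separated
    and hashed host fields; a hashed field covers exactly one name, so a host and its
    address end up on separate lines (hence one -R per name)."""
    for name in known_hosts_line.split()[0].split(","):
        if name.startswith("|1|"):
            _, _, salt_b64, _mac = name.split("|")
            if hmac.compare_digest(hashed_host_entry(hostname, base64.b64decode(salt_b64)), name):
                return True
        elif name == hostname:
            return True
    return False

def append_verified(known_hosts_path: str, scanned_line: str, expected_fp: str) -> bool:
    """Append the scanned key with a hashed host field, but only after its fingerprint
    matched the out-of-band value; otherwise write nothing and return False."""
    if not verify_scanned_line(scanned_line, expected_fp):
        return False
    host, rest = scanned_line.split(maxsplit=1)
    with open(known_hosts_path, "a") as fh:
        fh.write(hashed_host_entry(host, os.urandom(20)) + " " + rest + "\n")
    return True
```

In practice the line passed to append_verified is the output of `ssh-keyscan -t ed25519 host`, and the expected fingerprint is the one read from the console or the provisioning record of the reinstalled machine.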