The latest articles on DEV Community by Tobias Grasse (@tobias_grasse). https://dev.to/tobias_grasse https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F11081%2F14bc1147-d53e-4c70-be35-ac9cc3d96525.jpeg https://dev.to/tobias_grasse en Tobias Grasse Fri, 08 Jan 2021 11:38:11 +0000 https://dev.to/tobias_grasse/quickly-remove-an-entry-from-knownhosts-1mfd https://dev.to/tobias_grasse/quickly-remove-an-entry-from-knownhosts-1mfd <p>Do you SSH to servers a lot? Then this will sooner or later pop up:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is &lt;host key&gt;. Please contact your system administrator. Add correct host key in /path/to/.ssh/known_hosts to get rid of this message. Offending key in /path/to/.ssh/known_hosts:&lt;line&gt; RSA host key for [ip-or-host]:&lt;port&gt; has changed and you have requested strict checking. Host key verification failed. </code></pre> </div> <p>This is one of the user-friendlier error messages I've encountered: What went wrong, possible causes, what to do, pointer to the <code>known_hosts</code> file/line that caused this.</p> <p>When you connect to an existing, well-known server that wasn't modified, you should check with your friendly admin or hosting provider – in case someone has actually meddled with your server.</p> <p>However, my work on IoT devices involves a lot of SSH'ing to local devices, and frequent teardown/re-flash means they get assigned the same IP address/host name as a previous device – but with a different host key. So each time, OpenSSH will issue its dutiful warning above. I don't want to disable strict checking completely or on a per-host basis. Removing the offending line by hand each time gets tedious, but luckily OpenSSL's <code>ssh-keygen</code> can take care of this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh-keygen <span class="nt">-R</span> &lt;ip-or-hostname&gt; <span class="nt">-f</span> <span class="s2">"/path/to/.ssh/known_hosts"</span> </code></pre> </div> <p>Still to much to type on a regular basis. My shell of choice is <a href="https://fishshell.com">fish</a>, so I wrapped this in a function <code>rmkh</code> (“remove known host”):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">function </span>rmkh <span class="nt">-d</span> <span class="s2">"removes a given host from ~/.ssh/known_hosts"</span> ssh-keygen <span class="nt">-R</span> <span class="s2">"</span><span class="nv">$argv</span><span class="s2">"</span> <span class="nt">-f</span> <span class="s2">"/path/to/.ssh/known_hosts"</span> end </code></pre> </div> <p>So the next time I get a host verification message, I can just run <code>rmkh &lt;offending-host-or-ip&gt;</code> and get on with it. Also works with multiple hosts.</p> <p>Note: At least inside a fish function, this needs to have the full path to your <code>known_hosts</code> file <em>as a string</em>, so don't use a tilde and quote everything to be safe.</p> ssh shell fish