#shellwaffle

free software, self hosting, streaming and more

Understanding SSH Host Keys and the “Remote Host Identification” Warning

If you’ve used SSH to access servers, you’ve probably seen a message like this:

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

It’s alarming, and intentionally so. This warning appears when the fingerprint of the server you’re connecting to doesn’t match the one your SSH client saved on an earlier connection. While it can indicate a real security problem, it often just means the server’s SSH host keys have changed.

In this post, we’ll walk through what SSH host keys are, why these warnings appear, and how you can verify fingerprints safely.

What Is an SSH Host Key?

An SSH host key is a unique cryptographic identity that a server uses to prove it’s the system you intended to connect to. When you connect to a server for the first time, SSH shows you the server’s key fingerprint and asks you to confirm:

The authenticity of host 'your.server.com' can't be established.
ED25519 key fingerprint is SHA256:AbC123def456...
Are you sure you want to continue connecting (yes/no)?

That fingerprint is your only way to be sure you’re talking to the right server, so don’t guess. Ask your system administrator for the correct fingerprint before accepting the connection.

Once accepted, the fingerprint is saved to your ~/.ssh/known_hosts file. On future connections, SSH uses it to verify the server hasn’t changed.

Why the Host Key Warning Appears

On later connections, SSH compares the server’s current host key to the one saved in your known_hosts file. If they don’t match (whether due to a legitimate reconfiguration or something more suspicious), SSH refuses the connection and shows the warning.

To resolve it, you need to verify the new fingerprint manually.

Checking the Server’s SSH Host Keys

If you have access to the server (or you’re the admin), run:

for file in /etc/ssh/ssh_host_*key.pub; do ssh-keygen -lf "$file"; done

This will list the server’s public keys and their fingerprints (RSA, ECDSA, ED25519, etc.). Modern systems usually use ED25519 by default.

Tip for admins: Be sure to include the server’s SSH fingerprint(s) in your internal docs or onboarding guides so users can verify them before connecting.

Checking Known Hosts on Your Local Machine

To see the SSH host keys your machine has stored:

ssh-keygen -lf ~/.ssh/known_hosts

To check if a specific host is in the file:

ssh-keygen -F your.hostname.com

This will work even if your known_hosts file is hashed (which is often the default).

Comparing Fingerprints for a Specific Host

To get the fingerprint of a specific host in the familiar SHA256 format (this relies on bash process substitution; -F reads ~/.ssh/known_hosts by default, so the file doesn't need to be named twice):

ssh-keygen -lf <(ssh-keygen -F your.hostname.com | tail -n1)

The tail -n1 drops the "# Host ... found" comment line that -F prints and keeps the last matching key entry, so if several key types are stored for the host, repeat the check for each of them. This is useful for verifying a fingerprint you’ve received from your administrator.

Optional: Hashing Your Known Hosts File

For extra privacy (e.g., on a shared machine), you can hash your known_hosts entries:

ssh-keygen -H -f ~/.ssh/known_hosts

SSH will still recognize the hosts, but the hostnames and addresses can no longer be read straight out of the file. Note that ssh-keygen keeps the unhashed original as ~/.ssh/known_hosts.old, so delete that backup once you’ve confirmed your connections still work.
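As an added illustration (not code from this post), the Python below shows what the ssh-keygen -F and -l steps above do under the hood: it parses known_hosts entries, matches both plain and hashed (|1|salt|hash) host fields, computes the SHA256:... fingerprint that ssh-keygen -l prints, and compares it with the fingerprint your admin gave you. The hostnames and the ed25519 key are constructed sample data, not real server keys.

```python
import base64
import hashlib
import hmac

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a base64 key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed host field as written by HashKnownHosts / ssh-keygen -H: HMAC-SHA1 keyed by a 20-byte salt."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(field: str, host: str) -> bool:
    """Does a known_hosts host field (plain, comma-separated, or hashed) cover host?"""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")

def find_host_keys(known_hosts: str, host: str) -> list:
    """(key type, fingerprint) for every entry matching host, like ssh-keygen -lF."""
    found = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # @cert-authority / @revoked marker shifts the fields
            parts = parts[1:]
        if len(parts) >= 3 and host_matches(parts[0], host):
            found.append((parts[1], fingerprint(parts[2])))
    return found

def verify(known_hosts: str, host: str, admin_fingerprint: str) -> bool:
    """True only if a stored key for host has exactly the fingerprint the admin gave you."""
    return any(fp == admin_fingerprint for _, fp in find_host_keys(known_hosts, host))

def ed25519_blob(raw32: bytes) -> str:
    """Wire-format ed25519 public key: string "ssh-ed25519" followed by the 32 raw bytes."""
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + raw32).decode()

# Constructed sample data (not real keys): one plain entry and one hashed entry.
SAMPLE_KEY = ed25519_blob(bytes(range(32)))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "your.server.com,203.0.113.10 ssh-ed25519 " + SAMPLE_KEY,
    hash_hostname("backup.example.net", b"0123456789abcdefghij") + " ssh-ed25519 " + SAMPLE_KEY,
])
```

Running find_host_keys(SAMPLE_KNOWN_HOSTS, "backup.example.net") finds the hashed entry the same way ssh-keygen -F does, which is why lookups keep working after the file is hashed.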

Conclusion

SSH host keys are a key part of secure remote access. Knowing how to inspect and verify them helps avoid both false alarms and real threats.

If you’re a user, don’t ignore SSH’s fingerprint prompts: ask your admin for the right fingerprint before trusting a connection. If you’re an admin, document and share your server’s host key fingerprints to make that trust process easier and safer.

It only takes a few extra steps, and it keeps everyone more secure.
