
Sunday 7 February 2021

How to fix Host key verification failed error on linux servers

When you connect to a server for the first time, you are prompted to confirm that you are connecting to the correct system.

The following example uses the ssh command to connect to a remote host named redhat007:

[root@redhat001:~]# ssh user02@redhat007
The authenticity of host 'redhat007 (192.168.1.24)' can't be established.
ECDSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'redhat007,192.168.1.24' (ECDSA) to the list of known hosts.

This check exists to make sure that you are connecting to the host you think you are connecting to.

When you enter yes, the client appends the server's public host key to the user's ~/.ssh/known_hosts file, creating the ~/.ssh directory if necessary.

The next time you connect to the remote server, the client compares the key the server supplies with the saved one. If the keys match, you are not asked whether you want to continue connecting.

If someone tries to trick you into logging in to their machine so that they can sniff your SSH session, you will receive a warning similar to the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
22:cf:23:31:7a:5d:93:13:1s:99:23:c2:5k:19:2a:1c.
Please contact your system administrator.
Add correct host key in /home/redhat001/.ssh/known_hosts to get rid of this message.
Offending key in /home/redhat001/.ssh/known_hosts:7
RSA host key for redhat007 has changed and you have requested strict checking.
Host key verification failed.


There are two ways to resolve this error. Before using either, confirm with the administrator of redhat007 that the host key really did change (for example because the server was reinstalled); the whole point of the warning is that a silently changed key can mean a man-in-the-middle.

1. Remove the old key manually:

The key is normally stored in the ~/.ssh/known_hosts file of the user who runs ssh.

If root wants to ssh to the server, removing the entry from /root/.ssh/known_hosts is enough.

If user01 wants to ssh to the server, remove the entry from /home/user01/.ssh/known_hosts.

Here I remove the key for the destination server redhat007 from /home/user02/.ssh/known_hosts.

# vi /home/user02/.ssh/known_hosts

redhat003 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLrY91bQOihgFZQ2Ay9KiBG0rg51/YxJAK7dvAIopRaWzFEEis3fQJiYZNLzLgQtlz6pIe2tj9m/Za33W6WirN8=
redhat005 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=
redhat007 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=


2. Remove the old key with the ssh-keygen command:

[root@redhat001:~]# ssh-keygen -R [hostname|IP address]
[root@redhat001:~]# ssh-keygen -R redhat007

Once the entry is removed, log in again. The new host key is presented for confirmation exactly as on a first connection, so compare the fingerprint shown with one obtained out of band (for example, `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` run on the server's console) before answering yes:

[root@redhat001:~]# ssh user02@redhat007
The authenticity of host 'redhat007 (redhat007)' can't be established.
ECDSA key fingerprint is SHA256:V+iGp3gwSlnpbtYv4Niq6tcMMSZivSnYWQIaJnUvHb4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'redhat007' (ECDSA) to the list of known hosts.
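The two clean-up methods above operate on the same file. The following added example (my code, not the post's) parses a known_hosts file, reports the 1-based line number ssh prints as "Offending key in ...:N", computes the SHA256 fingerprint in the form ssh shows on a first connection, drops every line naming a host the way `ssh-keygen -R` does, and finally flags any key that is listed under more than one host. The embedded file content is constructed from the post's listing (redhat007 written in the "host,ip" form from the first session); note that the post's own listing shows redhat005 and redhat007 with an identical key, which the last function reports.

```python
import base64
import hashlib

# Constructed known_hosts content for the walkthrough, built from the post's
# listing; redhat007 uses the "host,ip" form ssh wrote in the first session.
KNOWN_HOSTS = """\
redhat003 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLrY91bQOihgFZQ2Ay9KiBG0rg51/YxJAK7dvAIopRaWzFEEis3fQJiYZNLzLgQtlz6pIe2tj9m/Za33W6WirN8=
redhat005 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=
redhat007,192.168.1.24 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=
"""

def parse_known_hosts(text):
    """Return (line_no, hosts, key_type, key_b64) per entry; line_no is 1-based,
    the numbering ssh uses in 'Offending key in ~/.ssh/known_hosts:N'."""
    entries = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        # Hashed entries (HashKnownHosts yes) start with '|1|' and cannot be
        # matched by name; they still parse, so their key can be compared.
        entries.append((n, fields[0].split(","), fields[1], fields[2]))
    return entries

def key_bytes(key_b64):
    """Decode the base64 key blob, tolerating padding lost in copy/paste."""
    return base64.b64decode(key_b64 + "=" * (-len(key_b64) % 4))

def fingerprint(key_b64):
    """SHA256 fingerprint as modern OpenSSH prints it: base64 without padding."""
    digest = hashlib.sha256(key_bytes(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_host(text, host):
    """Line numbers of every entry naming `host` (by hostname or by IP)."""
    return [n for n, hosts, _, _ in parse_known_hosts(text) if host in hosts]

def remove_host(text, host):
    """Mirror of the post's `ssh-keygen -R host`: drop every line naming the host."""
    offending = set(find_host(text, host))
    kept = [l for n, l in enumerate(text.splitlines(), start=1) if n not in offending]
    return "\n".join(kept) + "\n"

def hosts_sharing_key(text):
    """Fingerprint -> hosts for any key that appears under more than one host."""
    by_fp = {}
    for _, hosts, _, key in parse_known_hosts(text):
        by_fp.setdefault(fingerprint(key), []).extend(hosts)
    return {fp: h for fp, h in by_fp.items() if len(h) > 1}
```

Two hosts presenting the same host key usually means a cloned image or a deliberately shared key pair; either way it is worth knowing before you decide a changed-key warning is harmless.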


Saturday 22 August 2020

SSH or SFTP Authentication issue in linux

We commonly see the error below when accessing a destination server over SSH or SFTP.

Error:

root@localhost> sftp root@XYZ.com
warning: Authentication failed.
FATAL: ssh2 client failed to authenticate. (or you have too old ssh2 installed, check with ssh2 "-V")

To resolve this error we first need to understand the cause. For an error of this type the problem is usually on the destination server, the one you are trying to connect to from your system.

In its /etc/ssh/sshd_config file the MaxAuthTries parameter is set very low, so when we attempt to reach the destination server over SSH or SFTP we get this error if the account does not authenticate within the first two attempts.

To resolve it, increase the value of MaxAuthTries from the default value:

Edit the /etc/ssh/sshd_config file and search for the parameter.

Increase the value of MaxAuthTries to 5 and restart the ssh service:

systemctl restart sshd

Log in from the source server again and try to access the destination. If the issue persists, increase the value again and set it to 20.
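Editing sshd_config by hand has two traps that the steps above do not mention: sshd_config(5) uses the first value it finds for a keyword, so a line appended at the end of the file does nothing if the keyword already appears earlier, and anything after a Match line applies only to that Match block. This added example (my code, not the post's) reads the globally effective value and sets the option in the right place; the config excerpt is constructed for the demonstration.

```python
import re

# Constructed sshd_config excerpt: the distro default line is commented out and
# a Match block further down sets a different value for one user.
SSHD_CONFIG = """\
# Authentication:
#MaxAuthTries 6
PasswordAuthentication yes

Match User backup
    MaxAuthTries 2
"""

def effective_value(config, keyword):
    """Value sshd applies globally: the first active occurrence wins, and scanning
    stops at the first Match line because everything after it is conditional.
    Returns None when the keyword is unset (sshd then uses its built-in default)."""
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", stripped)  # 'Key value' or 'Key=value'
        key, value = m.group(1), m.group(2).strip()
        if key.lower() == "match":
            break
        if key.lower() == keyword.lower():
            return value
    return None

def set_option(config, keyword, value):
    """Set `keyword` globally: replace the first active line, else insert before the
    first Match block (appending at the end would land inside that block)."""
    lines = config.splitlines()
    new_line = f"{keyword} {value}"
    insert_at = len(lines)
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key = re.split(r"[\s=]", stripped, maxsplit=1)[0].lower()
        if key == "match":
            insert_at = i
            break
        if key == keyword.lower():
            lines[i] = new_line
            return "\n".join(lines) + "\n"
    lines.insert(insert_at, new_line)
    return "\n".join(lines) + "\n"
```

On a live system, `sshd -T | grep -i maxauthtries` prints the value sshd actually applies and `sshd -t` checks the edited file for errors before you restart the service.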


Thursday 11 January 2018

SSH login without password in linux

To connect from one Linux host to another over SSH without a password, perform the steps below.

Suppose you need password-less login from host "server01" / user "redhat" to host "server02" / user "centos".

1. First log in on "server01" as user "redhat" and generate a pair of authentication keys.

[redhat@server01]# ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/redhat/.ssh/id_rsa):
Created directory '/home/redhat/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/redhat/.ssh/id_rsa.
Your public key has been saved in /home/redhat/.ssh/id_rsa.pub.
The key fingerprint is:
1e:4f:05:79:3a:9f:96:7c:2b:ad:e9:58:37:sc:37:e4 redhat@server01

Note: Do not enter a passphrase.

2. Now use ssh to create the directory ~/.ssh as user "centos" on server02.

Note: If the directory already exists, you do not need to create it again.

[redhat@server01]# ssh centos@server02 mkdir -p .ssh

centos@server02's password:

3. Now append redhat's new public key to centos@server02:.ssh/authorized_keys and enter centos's password one last time:

[redhat@server01]# cat .ssh/id_rsa.pub | ssh centos@server02 'cat >> .ssh/authorized_keys'

centos@server02's password:

Now you can log into server02 as "centos" from server01 as "redhat" without a password.

4. Test the password-less connection:

[redhat@server01]# ssh centos@server02

You are now logged in on server02 without entering a password.

Note: In case of a permission issue, set mode "700" on the .ssh folder on server02.
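The `cat >> .ssh/authorized_keys` step appends blindly (run it twice and the key is listed twice) and the note about mode 700 is a symptom of sshd's StrictModes check, which silently ignores authorized_keys when the home directory, .ssh or the file itself is group- or world-writable. This added example (my code, not the post's) does the same installation idempotently, validates the key line, applies the modes the post asks for, and reports what StrictModes would reject. The key line is a constructed, structurally valid placeholder, not a usable key.

```python
import base64
import os
import struct
import tempfile

# Constructed, structurally valid ssh-rsa public-key line (not a usable key).
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x01\x03").decode() + " redhat@server01"

def validate_pubkey_line(line):
    """Accept 'type base64 [comment]' only if the type name embedded at the start
    of the blob matches the declared type (option-prefixed lines are not handled)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode() != fields[0]:
        raise ValueError("declared key type does not match key blob")
    return fields[0], fields[1]

def install_authorized_key(home, pubkey_line):
    """Idempotent form of the post's `cat id_rsa.pub | ssh ... 'cat >> .ssh/authorized_keys'`,
    applying the modes the post's note asks for (.ssh 700, authorized_keys 600)."""
    key_type, key_b64 = validate_pubkey_line(pubkey_line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path, "a+") as f:              # creates the file if it is missing
        f.seek(0)
        existing = [l.split()[:2] for l in f if l.strip() and not l.startswith("#")]
        added = [key_type, key_b64] not in existing   # the comment is not part of the identity
        if added:
            f.write(pubkey_line.strip() + "\n")
    os.chmod(path, 0o600)
    return added

def permission_problems(home):
    """Paths sshd's StrictModes rejects: group- or world-writable home, .ssh or authorized_keys."""
    ssh_dir = os.path.join(home, ".ssh")
    paths = (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys"))
    return [p for p in paths if os.path.exists(p) and os.stat(p).st_mode & 0o022]

def demo():
    """Run the flow in a scratch home; returns (added_first, added_again, ok, bad_after_chmod)."""
    home = tempfile.mkdtemp()
    added_first = install_authorized_key(home, SAMPLE_KEY)
    added_again = install_authorized_key(home, SAMPLE_KEY.replace("redhat@server01", "copy"))
    ok = permission_problems(home) == []
    os.chmod(home, 0o775)                    # group-writable home: sshd would ignore the key
    return added_first, added_again, ok, len(permission_problems(home))
```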

Monday 29 May 2017

Important Linux TCP/IP Port Number

Please find below a list of important TCP/IP port numbers on Linux systems.

➤ 20 - FTP (File Transfer Protocol) data - used to transfer the data over an ftp connection.

➤ 21 - FTP control - used for the ftp control connection.

➤ 22 - SSH (Secure Shell) - used for secure shell connections, which use SSL encryption.

➤ 23 - TELNET - used for insecure remote connections.

➤ 25 - SMTP (Simple Mail Transfer Protocol) - used by the mail transfer agent of an email server.

➤ 53 - DNS (Domain Name System) - used to translate domain names to IP addresses.

➤ 67 - BOOTP (Bootstrap Protocol) - used to automatically assign IP addresses to network devices.

➤ 68 - DHCP (Dynamic Host Configuration Protocol) - a network protocol that lets a server automatically assign an IP address to a system.

➤ 69 - TFTP (Trivial File Transfer Protocol) - used by PXE boot services.

➤ 80 - HTTP (Hypertext Transfer Protocol) - used for WWW web connections.

➤ 88 - Kerberos protocol.

➤ 110 - POP3 (Post Office Protocol) - used as a mail delivery agent.

➤ 113 - XINETD (Extended Internet Daemon).

➤ 115 - SFTP (Secure File Transfer Protocol).

➤ 123 - NTP (Network Time Protocol) - used for time synchronisation; uses UDP.

➤ 137 - NetBIOS (Network Basic Input/Output System).

➤ 139 - NetBIOS session service.

➤ 143 - IMAP (Internet Message Access Protocol).

➤ 161 - SNMP (Simple Network Management Protocol) - used for network monitoring.

➤ 389 - LDAP (Lightweight Directory Access Protocol).

➤ 443 - HTTPS (Hypertext Transfer Protocol Secure) - HTTP with SSL encryption.

➤ 445 - SMB (Server Message Block, or SAMBA).

➤ 514 - syslogd (UDP port).

➤ 840 - NIS (Network Information Service).

➤ 873 - rsync - used for file synchronisation.

➤ 990 - FTPS (File Transfer Protocol Secure).

➤ 993 - IMAPS (IMAP over a secure connection).

➤ 995 - POP3S (mail delivery agent over a secure connection).

➤ 2049 - NFS (Network file sharing).