When you connect to a server for the first time, the server prompts you to confirm that you are connected to the correct system.
The following example uses the ssh command to connect to a remote host named redhat007:
[root@redhat001:~]# ssh user02@redhat007
The authenticity of host 'redhat007 (192.168.1.24)' can’t be
established. ECDSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'redhat007,192.168.1.24' (ECDSA) to the list of known hosts.
The command checks to make sure that you are connecting to the host that you think you are connecting to.
When you enter yes, the client appends the server’s public host key to the user’s ~/.ssh/known_hosts file and creating the ~/.ssh directory if necessary.
Next time when you connect to the remote server, the client compares this key to the one the server supplies. If the keys match, you are not asked if you want to continue connecting.
If someone tries to trick you into logging in to their machine so that they can sniff your SSH session, you will receive a warning similar to the following:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
22:cf:23:31:7a:5d:93:13:1s:99:23:c2:5k:19:2a:1c.
Please contact your system administrator.
Add correct host key in /home/readhat001/.ssh/known_hosts to get rid of this message.
Offending key in /home/redhat001/.ssh/known_hosts:7
RSA host key for redhat007 has changed and you have requested strict checking.
Host key verification failed.
To resolve above error, we have two different method.
1. Remove old key manually:
Normally key is stored ~/.ssh/known_hosts file
If root wants to ssh to the server, just removing entry in the /root/.ssh/known_hosts file is all right.
If user01 wants to ssh to the server, then remove the entry in the file /home/user01/.ssh/known_hosts.
I will remove the the key for the destination server redhat007 from the file /home/user02/.ssh/known_hosts.
# vi /home/user02/.ssh/known_hosts
redhat003 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLrY91bQOihgFZQ2Ay9KiBG0rg51/YxJAK7dvAIopRaWzFEEis3fQJiYZNLzLgQtlz6pIe2tj9m/Za33W6WirN8=
redhat005 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=
redhat007 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=
2. Removing old key using the ssh-keygen command
[root@redhat001:~]# ssh-keygen -R [hostname|IP address]
[root@redhat001:~]# ssh-keygen -R redhat007
Now once you remove the entry, please login again
[root@redhat001:~]# ssh user02@redhat007
[root@redhat001:~]# ssh user02@redhat007
The authenticity of host 'redhat007 (redhat007)' can't be established.
ECDSA key fingerprint is SHA256:V+iGp3gwSlnpbtYv4Niq6tcMMSZivSnYWQIaJnUvHb4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'redhat007' (ECDSA) to the list of known hosts.