Not able to "git pull" - Host key verification failed
Solution 1
In the log you see the following text:
(...) Please contact your system administrator. Add correct host key in /root/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /root/.ssh/known_hosts:1 remove with: ssh-keygen -f "/root/.ssh/known_hosts" -R gitlab.site.org ECDSA host key for gitlab.site.org has changed and you have requested strict checking. Host key verification failed.
So it is a matter of performing the command that is suggested there:
ssh-keygen -f "/root/.ssh/known_hosts" -R gitlab.site.org
Solution 2
Windows:
- Go to
/Users/Abhilash/.ssh/known_hosts
and delete the contents in it and save.
Linux / Mac:
- Go to
~/.ssh/
- nano known_hosts
- remove content inside and save
ctrl+O
Note: You will be promted to save the key while pushing again.
Solution 3
All of the other answers introduce security risks.
This error appears because you have a record in your known_hosts
file which says that the server should have a particular ssh key. But when you try to connect, the server has sent a different ssh key which does not match the one in your known_hosts
file. Your particular error message says:
Offending ECDSA key in /root/.ssh/known_hosts:1
This means that the first line in the known_hosts
file is different to what the remote server is sending.
The secure way to fix the issue is as follows:
- Find out what the correct key fingerprint should be from a trustworthy source. e.g. Here you can find the correct fingerprints for GitHub and GitLab. (If your organisation self-hosts GitLab, you will need to talk to your administrator to get the ssh key fingerprints.)
-
CHECK that the existing fingerprint in your
known_hosts
file is correct.
You can runssh-keygen -lf ~/.ssh/known_hosts
(or/root/.ssh/known_hosts
in your case) to generate SHA256 fingerprints from yourknown_hosts
file. Your error message says that the problem is with the first key. Find the equivalent SHA256 fingerprint on GitHub or GitLab and check if it matches exactly.
e.g. Here is the output of the above command:
and here is the ECDSA SHA256 fingerprint from the GitLab website:256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw gitlab.com (ECDSA)
HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw
- If the existing fingerprint from
known_hosts
matches the official fingerprint from the GitHub or GitLab website, thenssh
has detected a Man in the Middle (MitM) attack. STOP. Do not connect to the server. Try connecting from a different internet connection. Talk to your administrator. - If the existing fingerprint in
known_hosts
does not match the official fingerprint, then either you were under a MitM attack previously, or the server hosting GitLab has changed its ssh keys. You can delete the fingerprint from yourknown_hosts
file. (Note: Only delete the specific fingerprint which is causing trouble.) Next time you connect to GitLab, you will be prompted to add the new fingerprint to theknown_hosts
file.
Double-check that the fingerprint matches what is shown on the GitHub or GitLab website, then typeThe authenticity of host 'gitlab.com (172.65.251.78)' can't be established. ECDSA key fingerprint is SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw. Are you sure you want to continue connecting (yes/no/[fingerprint])?
yes
orno
accordingly.
Solution 4
I have also faced the same issue after following these steps it worked for me.
For macOS:
Step 1: Go to Folder or use command+shift+g
Step 2: type "~/.ssh/"
Step 3: Open "known_hosts" file and Remove all the content
Step 4: Now Open terminal and pull from another branch, It will ask for password give your system password.
It will work surely.
Related videos on Youtube
Comments
-
Richard almost 3 years
I've got root access to our production server and I want to deploy the latest version in git to the server but I'm running into the error below when I "git pull" on the folder I want to update.
I've browsed around a bit, but can't find a clear answer on what to do..
The staging server runs on the same machine, but just in a different folder and when I
pull
on that folder it all goes fine.I'm not very experienced when it comes to Linux, so please help me out with a clear answer on how to fix :-)
Otherwise I have access to anything I need
p.s. This has worked in the past, so I'm assuming it's got something to do with the SSH key
Error:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ The ECDSA host key for www.site.org has changed, and the key for the corresponding IP address x.x.x.x is unknown. This could either mean that DNS SPOOFING is happening or the IP address for the host and its host key have changed at the same time. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is ************* Please contact your system administrator. Add correct host key in /root/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /root/.ssh/known_hosts:1 remove with: ssh-keygen -f "/root/.ssh/known_hosts" -R gitlab.site.org ECDSA host key for gitlab.site.org has changed and you have requested strict checking. Host key verification failed.
-
Bhargav Nanekalva over 10 years+1 The best way to deal this problem. Another way would be to delete the entry for gitlab.site.org in
~/.ssh/known_hosts
. @Richard , also try to investigate why the key has changed because most of the times they are not supposed to change. -
Fábio Dias over 5 yearsand therefore weakening the security of the whole thing. The check is there for a reason.
-
anOkCoder over 4 yearsAll of the answers here are exposing users to security risks. Before updating
~/.ssh/known_hosts
you should make sure the key being added is legitimate. Github lists there's here: help.github.com/en/github/authenticating-to-github/… Gitlab's: docs.gitlab.com/ee/ssh -
fedorqui over 4 years@anOkCoder but in this case it is not about adding, but about removing a key
-
anOkCoder over 4 yearsPerhaps I've misunderstood the intent of this command then. My understanding is that if you remove a key for a host you will be prompted to add a new key for that host when a new ssh attempt is made. In this case when the user reruns
git pull
. -
tensor almost 4 yearsThanks for saving my time.
-
Akhan over 2 yearsThanks. It did miracle! :D