Remove key from known_hosts


Solution 1

sed -i '6d' ~/.ssh/known_hosts

Will modify the file ~/.ssh/known_hosts:6, removing the 6th line.

In my opinion, using ssh-keygen -R is a better solution for an openssh power user, while your regular Linux admin would do better to keep his/her sed skills fresh by using the above method.

Solution 2

The simplest solution is:

rm -f .ssh/known_hosts

ssh will recreate the file again, but you lose key checking for other hosts!

Or, you can use:

ssh-keygen -R "hostname"

Or the ssh "man-in-the-middle" message should indicate which line of the known_hosts file has the offending fingerprint. Edit the file, jump to that line and delete it.

Solution 3

There is an ssh-keygen switch (-R) for this.

man ssh-keygen reads:

-R hostname

Removes all keys belonging to hostname from a known_hosts file. This option is useful to delete hashed hosts (see the -H option above).

Solution 4

You need to run the following command to get rid of this problem. Open the terminal and type the following command:

For all examples below just replace the value after -R:

ssh-keygen -R server-name
ssh-keygen -R server.ip.addre.ss
ssh-keygen -R 202.54.1.5
ssh-keygen -R server1.example.com

Solution 5

All answers are good, but for a real SSH pro we are missing information on how to remove an SSH signature with a (non-standard) port number.

  • Simple SSH host signature remove command:

      ssh-keygen -R example.com
    
  • Complex SSH key removal, e.g. you connect to SSH on non-standard port 222:

      ssh example.com -p 222
    

and you get a warning. To remove this, you need to use square brackets, a colon and the port number:

    ssh-keygen -R '[example.com]:222'

Note that there will probably be an IP record for the same host, so you will need to remove that one also.

Hope this helps for non-standard configuration users.
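The answers above mention hashed entries, the `[host]:port` form and the separate IP record; the following is an added example, not code from any of the answers, that handles all three on a throwaway file. `forget_host` and `make_sample` are hypothetical helper names, and `example.com`, `192.0.2.10` and port 222 are constructed sample values.

```shell
#!/bin/sh
# Added example. forget_host and make_sample are hypothetical helper names;
# they only wrap ssh-keygen -F (find), -R (remove) and -H (hash).

# Usage: forget_host KNOWN_HOSTS_FILE HOST [PORT] [IP]
# Removes the entry for HOST and, if given, IP, using the [name]:port form
# for non-default ports. Prints each name that had an entry and was removed.
# The body runs in a subshell so its variables stay local.
forget_host() (
    kh=$1 host=$2 port=${3:-22} ip=${4:-}
    for h in "$host" "$ip"; do
        [ -n "$h" ] || continue
        if [ "$port" = 22 ]; then name=$h; else name="[$h]:$port"; fi
        # -F exits 0 only if a plain or hashed entry matches; -R alone
        # exits 0 even when nothing was found, so check first.
        if ssh-keygen -F "$name" -f "$kh" >/dev/null 2>&1; then
            ssh-keygen -R "$name" -f "$kh" >/dev/null 2>&1 && echo "$name"
        fi
    done
    exit 0
)

# Constructed sample: one throwaway key stored under four names (host and IP,
# default port and port 222), then hashed as "HashKnownHosts yes" would do.
# Prints the path of the sample file.
make_sample() (
    dir=$(mktemp -d) || exit 1
    ssh-keygen -q -t ed25519 -N '' -f "$dir/key" || exit 1
    pub=$(cut -d' ' -f1,2 "$dir/key.pub")
    for n in example.com 192.0.2.10 '[example.com]:222' '[192.0.2.10]:222'; do
        echo "$n $pub"
    done > "$dir/known_hosts"
    ssh-keygen -H -f "$dir/known_hosts" >/dev/null 2>&1 || exit 1
    echo "$dir/known_hosts"
)

# Demo on the constructed file only; the real ~/.ssh/known_hosts is untouched.
if command -v ssh-keygen >/dev/null 2>&1 && sample=$(make_sample); then
    grep -c -F example.com "$sample"                   # hashed: grep sees no host names
    forget_host "$sample" example.com 222 192.0.2.10   # removes both :222 entries
    wc -l < "$sample"                                  # the port-22 entries remain
fi
```

Each `ssh-keygen -R` run rewrites the file and keeps the previous contents next to it as `known_hosts.old`.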


Author: Adam Matan


Updated on September 17, 2022

Comments

  • Adam Matan
    Adam Matan over 1 year

    I built several virtual machines during the last few weeks. The problem is, the .ssh/known_hosts gives me the Man in the middle warning. This happens because another fingerprint is associated with the virtual machine IP.

    In the .ssh/known_hosts file, however, I don't find the record related to the IP, only two bizarre, key-like strings and "ssh-rsa".

    Does anyone have any ideas about how to remove the old key from known_hosts?

    • Deebster
      Deebster almost 10 years
      The "bizarre, key-like strings" you refer to are the hashed hosts/ip addresses. This is a security feature which helps stop an intruder from knowing which systems you have access to. If you see this then your ssh_config has HashKnownHosts yes set.
    • Daniel B
      Daniel B almost 6 years
      If you feel the file contents are too confusing, you probably have line-wrapping activated. Deactivate it. All lines start with a host name or an IP address.
  • Adam Matan
    Adam Matan over 14 years
    Correct - the line number is somewhat shy : "Add correct host key in /home/adam/.ssh/known_hosts to get rid of this message. Offending key in /home/udi/.ssh/known_hosts:48". Removed line 48 and it worked!
  • user1686
    user1686 over 14 years
    ssh-keygen -R hostname will work too.
  • Andy Lester
    Andy Lester almost 14 years
    What's the benefit of this over doing it in any given text editor? Is there some reason not to do it that way, like how sudoers has to be edited with visudo?
  • Andre Holzner
    Andre Holzner about 13 years
    Thanks for mentioning ssh-keygen -R. I just wanted to remove a host from known_hosts for testing purposes (i.e. without the host key having changed) and this host's entry was hashed...
  • flickerfly
    flickerfly almost 11 years
    What distros come with this? Ubuntu doesn't seem to have it.
  • grosser
    grosser almost 11 years
    The benefit is that it's automated and quick / it's a separate binary you add yourself
  • chicken
    chicken about 10 years
    This is the easiest and safest method.
  • shgnInc
    shgnInc about 10 years
    If we remove that file, other keys will be removed too.
  • kraxor
    kraxor almost 10 years
    Removing the file is bad advice, it's like telling someone to buy a new PC because the old one has a broken mouse. Manually editing a file that can be edited by an official application is also a bad idea. The ssh-keygen option was added because of a comment, but with no explanation. I don't think this answer deserves so many upvotes.
  • kraxor
    kraxor almost 10 years
    What a horrible idea. Permanently disable a layer of security just because you're too lazy to keep your ~/.ssh/known_hosts up-to-date? Why not just go ahead and use telnet? "whenever you are sure" - if you are ever sure, then you have no idea what a MITM attack is and you should probably spend some time reading some good literature.
  • kraxor
    kraxor almost 10 years
    You could have just posted your script here instead of linking your own blog entry that you created on the day you posted this answer. This qualifies as spam IMHO. Not to mention that you could create a simple alias to achieve the same result, no need for a 7 lines long ruby script.
  • Olivier Dulac
    Olivier Dulac about 9 years
    -1 because of the whole "delete the whole known_hosts file" first lines. This is a terrible, terrible, terrible thing to propose, and should be edited out.
  • Rick Chatham
    Rick Chatham over 8 years
    Based on the OP's question I think this is a valid answer. Sometimes you have a test system that you're creating/destroying a lot of VMs on. (I'm doing this right now as I prep for the RHCE exam.) There might not be any security implications. While noting the security implications is great, I don't think this has to be labeled a "horrible idea".
  • Rick Chatham
    Rick Chatham over 8 years
    I don't see how editing the file directly in VIM is "unsafe". It's based on your comfort level with VIM. Especially with this file, the biggest risk you have is deleting too many keys, in which case you'll just get prompted again.
  • Ryan Griggs
    Ryan Griggs over 8 years
    The "safety" I was referring to involves 1) forgetting/not knowing to remove dependent info in other files (if any) and 2) Accidentally deleting more or less than needs to be, thus breaking the file.
  • Blake Frederick
    Blake Frederick almost 8 years
    This solution is overkill. Just remove the offending line. That's it.
  • Burgi
    Burgi almost 8 years
    This method has already been suggested in the previous answers. Could you expand upon what is different in your answer?
  • michael
    michael over 7 years
    "if you have an official application for that" => both ssh-keygen -R and sed -i {line}d are pretty "official", and both will work for the foreseeable future. Until ssh-keygen allows removal by line number, both are perfectly acceptable (because line numbers are often easier to deal with, and less error prone, than dealing with modern data center host-names).
  • hello_there_andy
    hello_there_andy about 7 years
    Are newest known_hosts added on the top line or bottom?
  • Jiri Klouda
    Jiri Klouda over 6 years
    Note: This will change the permissions of the known_hosts file to 0600. If you have a shared known_hosts file for any reason, this could disable the sharing of it.
  • Yitz
    Yitz over 6 years
    @Burgi - this answer gives more detail about the syntax of ssh-keygen -R than any of the other answers so far. It shows by example exactly what you can write after -R. So this answer is worthwhile, even though it is not a totally new answer.
  • Burgi
    Burgi over 6 years
    @Yitz My comment was made as part of review. At the time (18 months ago) I thought the question needed a little help to make it even better.
  • barlop
    barlop about 6 years
    A) The deletion of specifically the 6th line is all very "look no hands". No explanation at all as to what is significant about the 6th line of the file?! B) Also, man ssh-keygen mentions ssh-keygen -R hostname; you've just said ssh-keygen -R with no hostname specified, and you haven't explained what you mean by that.
  • Pysis
    Pysis over 5 years
    and the correct one. Also, I had to do [localhost]:port, using the brackets because I used a custom port I guess =/. Like others have said, I would also use the no SSH key-checking approach for my transient/test system development.
  • rubynorails
    rubynorails over 4 years
    or just add this to your ~/.bashrc: sshdel() { sed -i "${@}d" ~/.ssh/known_hosts; } and call it with sshdel [line number]. no ruby, no binary, no worries.
  • Nux
    Nux over 4 years
    This removes all occurrences, so it's the best way. You can add a new key with: ssh-keyscan -H my.ssh.server.example.com >> ~/.ssh/known_hosts;
  • redbandit
    redbandit almost 4 years
    adding an example would add great value to this post
  • jtessier72
    jtessier72 about 2 years
    This answer could be improved by placing the good advice at the top, and then presenting the other option as an "if all else fails" option.
  • Admin
    Admin almost 2 years
    When we aren't using default SSH port, then the hostname for -R should be provided with the following format '[<host-name OR IP>]:<SSH Port>'. For example: ssh-keygen -f ~/.ssh/known_hosts -R '[192.168.23.2]:1234'