Updating SSH Key Fingerprints
The first time you connect to a remote computer using SSH, the local computer prompts for permission to add the remote computer’s fingerprint to the user’s ~/.ssh/known_hosts file. A message like this appears:
The authenticity of host “server1.pretendco.com” can’t be established.
RSA key fingerprint is f8:0e:37:53:74:f1:dd:cd:5a:a4:1d:b3:57:a9:a6.
Are you sure you want to continue connecting (yes/no)?
The first time you connect, you have no way of knowing from the prompt alone whether this is the correct host key. Most people simply respond “yes.” The host key is then inserted into the ~/.ssh/known_hosts file for comparison in later sessions, so make sure that this is the correct key before accepting it. If at all possible, distribute the host key through Secure FTP (SFTP), encrypted email, a download, or in person, so that users can be sure of the identity of the server.
When you try to connect later, a warning message may appear about a man-in-the-middle attack (a third computer that sits between the client and server and captures all SSH traffic), possibly because the key on the remote computer no longer matches the key stored on the local computer. Mismatched keys can occur in these circumstances:
– The SSH configuration on either the local or remote computer is changed.
– The server has been reinstalled.
– The remote machine has changed its IP address since the last time you connected.
The IP address can change on networks using Bonjour names and DHCP.
To connect again, first figure out why the key on the remote computer has changed. Then delete the entries corresponding to the remote computer that you are accessing (which can be stored by both name and IP address) from the ~/.ssh/known_hosts file. Be aware, however, that removing an entry from the known_hosts file bypasses a security mechanism that would help you thwart imposters and man-in-the-middle attacks.
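The check described above, comparing each stored key with a fingerprint received from the administrator before accepting or deleting anything, can be scripted. The following is an added example, not part of the original text; the two keys, the address 192.0.2.10 and the function names are constructed for illustration, and hashed host fields are not handled.

```python
import base64
import hashlib
import struct

def make_blob(key_type, raw_key):
    """SSH wire format: length-prefixed type string, then length-prefixed key."""
    pack = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(pack(key_type.encode()) + pack(raw_key)).decode()

def fingerprints(blob_b64):
    """Return the MD5 colon-hex and SHA256 base64 fingerprints of a key blob."""
    blob = base64.b64decode(blob_b64)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def check(known_hosts, names, trusted_fp):
    """Compare every stored key for `names` with a fingerprint obtained out-of-band.
    Hashed host fields (|1|...) are not matched by this sketch."""
    results = []
    for line_no, line in enumerate(known_hosts.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # blank line, comment, or @cert-authority/@revoked marker
        if set(parts[0].split(",")) & set(names):
            ok = trusted_fp in fingerprints(parts[2]).values()
            results.append((line_no, parts[0], "match" if ok else "MISMATCH"))
    return results

# Constructed sample data: two made-up Ed25519 keys, not real host keys.
CURRENT_KEY = make_blob("ssh-ed25519", bytes(range(32)))
OLD_KEY = make_blob("ssh-ed25519", bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = (
    "server1.pretendco.com,192.0.2.10 ssh-ed25519 " + CURRENT_KEY + "\n"
    "192.0.2.10 ssh-ed25519 " + OLD_KEY + "\n"   # stale entry stored by IP only
    "other.pretendco.com ssh-ed25519 " + OLD_KEY + "\n"
)
# Stands in for the fingerprint the server administrator hands out.
TRUSTED_FP = fingerprints(CURRENT_KEY)["md5"]

if __name__ == "__main__":
    hosts = {"server1.pretendco.com", "192.0.2.10"}
    for line_no, host, verdict in check(SAMPLE_KNOWN_HOSTS, hosts, TRUSTED_FP):
        print(f"line {line_no}: {host}: {verdict}")
```

A MISMATCH on the IP-only line is the kind of stale entry to explain before removing it, since the name and the address are checked as separate entries.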