Stefan Langenmaier
1 year
Andreas Vöst
1 month
Claus-Theodor Riegg
4 years
Andreas Vöst
3 months
Andreas Vöst
3 months
Kim Klotz
4 months
Claus-Theodor Riegg
8 years
Andreas Vöst
6 months
Andreas Vöst
8 months
Claus-Theodor Riegg
8 years
Marc Dierig
10 months

SSH: Fix host key verification error after makandra servers were upgraded to a new Ubuntu version

Updated . Posted . Visible to the public.

After a distribution upgrade of Ubuntu you might experience a Host key verification error if you try to connect to the server via ssh or sftp.

Be aware that a Host key verification error is always suspicious. Proceed only if you're sure that you're not falling for a Man-in-the-middle attack.

If you're not sure ask the Operations-Team at makandra to verify the current host key.

To completely remove the old host key on the client run:

# remove host entry
ssh-keygen -f "$HOME/.ssh/known_hosts" -R appserver.makandra.de
# remove IP entry
ssh-keygen -f "$HOME/.ssh/known_hosts" -R $(getent hosts appserver.makandra.de | cut -d ' ' -f 1)

# Connect and accept new fingerprint
ssh appserver.makandra.de
The authenticity of host 'appserver.makandra.de (213.179.144.92)' can't be established.
ED25519 key fingerprint is SHA256:a3W73tq+k/GPNFoSwzTEO8U5F8vMh5z5Eu+2lZY15FI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

The reason for this is that OpenSSH uses different host key types, depending on the installed version and configuration.
On first connection your SSH client stores the currently provided host key (and type) in your known_hosts file.
When the server stops providing that locally stored host key you get a mismatch and need to trust the alternative host key.

  • 20.04 – focal
    • OpenSSH 8.2
    • first-preference signature algorithm: ECDSA
  • 22.04 – jammy
    • OpenSSH 8.9
    • first-preference signature algorithm: ED25519
  • 24.04 – noble
    • OpenSSH 9.6
    • first-preference signature algorithm: ED25519
Andreas Vöst
Last edit
Stefan Xenopol
Keywords
fingerprint
License
Source code in this card is licensed under the MIT License.