
SSH: Fix host key verification error after makandra servers were upgraded to a new Ubuntu version


Important

If your railscomplete deployment uses the net-ssh gem, use version 5.2.0 or newer so that you can deploy via Capistrano.
It's best to use the latest version, as there were multiple issues between 5.2.0 and 7.3.0.

After a distribution upgrade of Ubuntu on the server, you might get a Host key verification error when you try to connect to it via ssh or sftp.

Be aware that a Host key verification error is always suspicious. Proceed only if you're sure that you're not falling for a Machine-in-the-middle attack.

If you're not sure, ask the Operations-Team at makandra to verify the current host key.

To completely remove the old host key on the client, run:

# remove host entry
ssh-keygen -f "$HOME/.ssh/known_hosts" -R appserver.makandra.de
# remove IP entry
ssh-keygen -f "$HOME/.ssh/known_hosts" -R "$(getent hosts appserver.makandra.de | cut -d ' ' -f 1)"

# Connect and accept new fingerprint
ssh appserver.makandra.de
The authenticity of host 'appserver.makandra.de (213.179.144.92)' can't be established.
ED25519 key fingerprint is SHA256:a3W73tq+k/GPNFoSwzTEO8U5F8vMh5z5Eu+2lZY15FI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

The reason for this is that OpenSSH uses different host key types, depending on the installed version and configuration.
On first connection your SSH client stores the currently provided host key (and type) in your known_hosts file.
When the server stops providing that locally stored host key you get a mismatch and need to trust the alternative host key.

  • 20.04 – focal
    • OpenSSH 8.2
    • first-preference signature algorithm: ECDSA
  • 22.04 – jammy
    • OpenSSH 8.9
    • first-preference signature algorithm: ED25519
  • 24.04 – noble
    • OpenSSH 9.6
    • first-preference signature algorithm: ED25519
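
Added example (not part of the original card or makandra's tooling): a small Python check that computes the SHA256 fingerprint of each key a server offers and only returns a known_hosts line when the key of the requested type matches a fingerprint you obtained out-of-band, e.g. from the Operations-Team. The function names and the ssh-keyscan-style sample input are assumptions; the keys in it are constructed, not real host keys.

```python
import base64
import hashlib
import struct

def make_blob(*fields: bytes) -> str:
    """Build a constructed (fake) public key blob in SSH wire format."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return base64.b64encode(raw).decode()

# Constructed stand-in for `ssh-keyscan appserver.makandra.de` output; keys are fake.
ED25519_BLOB = make_blob(b"ssh-ed25519", bytes(range(32)))
ECDSA_BLOB = make_blob(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))
SAMPLE_KEYSCAN = (
    "# appserver.makandra.de:22 SSH-2.0-OpenSSH_9.6\n"
    f"appserver.makandra.de ecdsa-sha2-nistp256 {ECDSA_BLOB}\n"
    f"appserver.makandra.de ssh-ed25519 {ED25519_BLOB}\n"
)

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_keytype(blob_b64: str) -> str:
    """Read the key type that is embedded as the first string of the blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode("ascii")

def verified_known_hosts_line(keyscan, host, keytype, expected_fp):
    """Return the known_hosts line for host/keytype only if its fingerprint matches."""
    for line in keyscan.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 3:
            continue  # skip ssh-keyscan banner comments and malformed lines
        name, declared, blob = fields
        if name != host or declared != keytype:
            continue
        if blob_keytype(blob) != declared:
            raise ValueError("declared key type does not match the key blob")
        if fingerprint(blob) != expected_fp:
            raise ValueError(f"{keytype} fingerprint mismatch for {host}")
        return f"{name} {declared} {blob}"
    raise LookupError(f"no {keytype} key offered for {host}")

if __name__ == "__main__":
    trusted = fingerprint(ED25519_BLOB)  # stands in for the value Operations confirmed
    print(verified_known_hosts_line(SAMPLE_KEYSCAN, "appserver.makandra.de",
                                    "ssh-ed25519", trusted))
```

Comparing an ECDSA fingerprint against the ED25519 key raises a mismatch, which is the same situation the client reports after the server's preferred key type changes.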

Troubleshooting note

If you see an error like this during deployment:
fingerprint SHA256:FINGERPRINT does not match for "deploy.target" (SSHKit::Runner::ExecuteError) (or Net::SSH::HostKeyMismatch)
this guide will help you resolve the issue. It usually occurs after an upgrade of the server’s operating system (e.g. to Ubuntu 22.04 or 24.04) which changes the server's SSH host keys.

Andreas Vöst
Last edit
Michael Leimstädtner
Keywords
fingerprint, remote, host, identification, has, changed, netssh
License
Source code in this card is licensed under the MIT License.