User Tools

Site Tools


User problems with the changed ssh host key of

Background: was moved to a new machine, but the hostname was retained. In addition, the operating system was updated from Ubuntu 12.04.5 LTS to Ubuntu 16.04.1 LTS. This upgrade phased out the support for DSA keys for ssh authentication as well as Met Norway IT policy did.
This leads to two possible problems when users try to use from systems that had used to connect to it before:

  1. Users need to update the ssh host key
  2. Users that used a DSA public key before need to change to a RSA key (and provide the public key)

update the ssh host key

if a user has been connected to before he/she will see the following error message

jang@pcxyz:~/.ssh$ ssh
The RSA host key for has changed,
and the key for the corresponding IP address
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/jang/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/jang/.ssh/known_hosts:8
  remove with: ssh-keygen -f "/home/jang/.ssh/known_hosts" -R
RSA host key for has changed and you have requested strict checking.
Host key verification failed.

Reading through the error message, the user is pointed to the solution of the problem: running the following command:

ssh-keygen -f ~/.ssh/known_hosts -R

another possibility is to just remove the offending line from ~/.ssh/known_host. The line number is also told by the error message in the following line:

Offending RSA key in /home/jang/.ssh/known_hosts:8

Removal of (in this example) line 8 of ~/.ssh/known_host with your favourite text editor also solves the problem.

Running the first command outputs the following:

jang@pcxyz:~/.ssh$ ssh-keygen -f "~/.ssh/known_hosts" -R
/home/jang/.ssh/known_hosts updated.
Original contents retained as /home/jang/.ssh/known_hosts.old

connecting to then leads to:

jang@pcxyz:~/.ssh$ ssh
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is e7:9e:f0:91:70:3b:e3:b8:4e:f7:e8:07:c0:21:1c:de.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-34-generic x86_64)

 * Documentation:
 * Management:
 * Support:

  System information as of Fri Sep  2 08:46:36 UTC 2016

  System load:    0.1                 Processes:           197
  Usage of /home: 1.6% of 1023.50GB   Users logged in:     2
  Memory usage:   4%                  IP address for eth0:
  Swap usage:     0%

  Graph this data and manage this system at:

  Get cloud support with Ubuntu Advantage Cloud Guest:

1 package can be updated.
0 updates are security updates.

*** System restart required ***

                                 INFO has moved to a new machine and the aerocom database
has been reorganised

The database can now be found below the directory 
and is then further divided into the projects we work and have worked on

Please write an email to or
or in case you have further questions

Last login: Fri Sep  2 08:45:43 2016 from

Please note the the offcial hostname is

create a new rsa key

Step 1: Check for SSH keys

First, we need to check for existing ssh keys on your computer. Open up Terminal and run:

$ cd ~/.ssh
$ ls
# Lists the files in your .ssh directory

Check the directory listing to see if you have a file named If you don't, go to step 2. If you already have an existing keypair, skip to step 3. Please note that will not accept DSA keys. These are considered not secure anymore.

Step 2: Generate a new SSH key

To generate a new SSH key, enter the code below. We want the default settings so when asked to enter a file in which to save the key, just press enter.

 $ ssh-keygen -t rsa -C "my comment"
Generating public/private rsa key pair.

Enter the path to the file that will hold the key: By default, the file name $HOME/.ssh/id_rsa, which represents an RSA v2 key, appears in parentheses.

 Enter file in which to save the key (/home/user/.ssh/id_rsa): <return> 

Enter a passphrase for using your key: The passphrase you enter will be used for encrypting your private key. A good passphrase should be alphanumeric having 10-30 character length. You can also use a null passphrase however this can cause a security loophole.

Enter passphrase (empty for no passphrase): <Type the passphrase> 

Re-enter the passphrase to confirm it: Type your passphrase once again to confirm it.

Enter same passphrase again: <Type the passphrase>
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/
The key fingerprint is:
0b:fa:3c:b8:73:71:bf:58:57:eb:2a:2b:8c:2f:4e:37 user@myLocalHost

Step 3: Send your public key to and/or

In the folder ~/.ssh you will find file(s) ending with .pub. Please send us the one you just created e.g. And no other file

Further information

This page was partly stolen from wikipedia and github.
If you want to know how key authentication works, please read this article about public key cryptography.

aerocom/user-server-ng.txt · Last modified: 2016-09-02 12:16:36 by jang