Have you ever tried to access a website or connect to an SSH server only to be greeted by the error “The authenticity of host can’t be established”? This frustrating message means your computer doesn’t recognize the website or server and can’t verify its identity.
Not being able to establish authenticity could indicate a man-in-the-middle (MITM) attack designed to steal information. Or it might simply mean you haven’t connected to that server before. Either way, the connection cannot proceed until the authenticity issue is addressed.
The good news is in most cases this error is easily fixed. Here’s a step-by-step guide to solving the “authenticity of host can’t be established” problem for both websites and SSH connections.
Understanding Server Authentication and Trust
When first connecting to a server over the internet, your device needs a way to ensure the server is who it claims to be. This prevents MITM attacks where a hacker poses as a legitimate website or server.
Public key cryptography provides the solution. The server sends your device a public key to encrypt communication. As long as that public key is valid and trusted, data sent between your device and the server remains secure.
Your device builds trust by remembering the public key of the servers you connect to. The first time you encounter a new server, authenticity cannot be verified. But your device stores the key, then recognizes it on subsequent connections.
If you try to reconnect but get a different public key, your device will warn that authenticity cannot be confirmed since the key changed unexpectedly.
Clearing Out Old Known Hosts
When attempting to visit a website and getting the authenticity of host error, one quick solution is to clear out your device’s stored “known hosts” data.
Web browsers and operating systems keep track of website domains they have connected to in the past. Clearing out old domain data forces your system to grab a fresh, up-to-date public key upon connecting.
Clearing Known Hosts in a Web Browser
All major web browsers have an option to clear cached site data:
- Chrome: Go to Settings > Privacy and Security > Clear Browsing Data
- Firefox: Go to Options > Privacy & Security > Clear Data
- Safari: Go to Preferences > Privacy > Manage Website Data
Be sure cookies and site data are selected then clear. This will wipe your browser’s domain cache including any outdated keys.
Clearing Known Hosts in Linux/UNIX
For SSH connections in a terminal, you can manually remove the outdated key.
Open the known_hosts file and delete the line containing the outdated key for that domain. In Linux/UNIX it is found at ~/.ssh/known_hosts.
Now when you reconnect, a fresh key exchange will occur and authenticity can be verified.
Permanently Trusting a Key
If clearing old host data does not work, you may need to permanently trust the new public key for that website or server.
Trusting Server Keys on Websites
Many websites now use TLS certificates to validate identity. If you receive an authenticity warning in your browser:
- Click the lock or warning icon near the URL bar
- View and verify the certificate details
- Confirm you want to trust the identity (proceed at own risk)
- Check box to permanently store the new key
Chrome, Firefox, and other browsers include these basic options to review and trust certificates.
Trusting SSH Server Keys
With SSH connections, just deleting the existing key is not enough – you need to store the new key.
When receiving the authenticity error on an SSH server, proceed through the prompt:
> The authenticity of host ‘192.168.1.10’ cannot be established.
RSA key fingerprint is 1234 5678 9abc def0 1234 5678 9abc def0.
Are you sure you want to continue connecting (yes/no)? (TYPE yes)
> Please type ‘yes’ or ‘no’: yes
> Warning: Permanently added ‘192.168.1.10’ to the list of known hosts.
This permanently stores the new public key and won’t prompt again next time.
Checking for Tampering on Websites
If you want to double-check for tampering on a website before permanently trusting its key, you can verify the new certificate:
- Compare issuer name – This should match the official certificate authority
- Check expiration date – Very short or long durations may indicate issues
- Confirm encryption algorithm – Should use modern methods like SHA-256
- Review domain names – All listed domains should match that site
- Check revocation status – Confirm the certificate has not been revoked
While mistakes can happen, drastic certificate changes or domains not matching the site could indicate an attack. Proceed at your own risk.
When Keys Change on Legitimate Websites
Note that it’s common for major websites to periodically update their TLS certificates and keys. So you may occasionally have to re-verify authenticity on sites you have visited before.
As long as the new certificate checks out, this is a standard procedure and not a cause for concern.
Troubleshooting SSH Authenticity Issues
For SSH connections, if deleting the existing key and storing the new one does not resolve the authenticity error, a few issues may be the cause:
- Server reinstalled or rebuilt – This changes the public key
- Old client config files – Contains outdated host keys
- Load balancer added – Proxy IP sends a new key that must be stored
- Active MITM attack – Malicious actor actively impersonating
Try SSHing from another clean device to see if the issue persists. Check for anomalies in network traffic during connection.
As a last resort, for internal servers, the authenticity check can disabled by using the -o StrictHostKeyChecking=no flag. But this also disables a key security protection.
The Verdict: Authenticity Errors Must Be Taken Seriously
That dreaded “authenticity of host cannot be established” message should never be ignored. Blindly allowing uncertain connections leaves you open to serious attacks.
But in many cases, the issue can be easily resolved by removing outdated data and storing new verified keys. Understanding this public key authentication process helps diagnose when an authenticity error points to standard maintenance vs signs of tampering.
With attention and care, those frustrating authenticity errors don’t have to block access – you can fix them and confidently connect to websites and servers.
