Seeing the “Host key verification failed” error when trying to connect to a server can be frustrating. But don’t worry – in most cases, this SSH error is easy to fix.
In this guide, we’ll explain what causes the host key verification failed error when it commonly appears, and the steps you can take to successfully resolve it. With the right troubleshooting, you’ll be back to seamlessly accessing your remote server.
What Triggers the “Host Key Verification Failed” SSH Error?
When you connect to a remote server over SSH, your client first validates the server’s host key. This is a unique cryptographic key that acts like a “fingerprint” to identify the server.
If the host key doesn’t match what your SSH client expects, you’ll get the host key verification failed error.
There are two main reasons this SSH error occurs:
- Server Host Key Changed – The remote server has a new host key. This often happens after the server OS or SSH installation is reinstalled.
- Man-in-the-Middle Attack – Someone is intercepting the connection and using their own host key. This is very rare but possible.
So in most cases, the host key simply changed on the server which triggers the error. Let’s look at how to fix it.
Fixing “Host Key Verification Failed” by Deleting Old Host Keys
The easiest way to resolve the host key verification issue is to delete your SSH client’s existing host key for that server.
This forces your SSH client to accept the new key. Here’s how to clear out old host keys:
For Linux/macOS
- Open your terminal and enter: ssh-keygen -R server_ip_or_domain
- Replace “server_ip_or_domain” with your server’s information
- Enter “yes” to delete the old key for that server
For Windows
- Open the Registry Editor and go to HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys
- Delete any keys that reference the server IP or domain
- Launch PuTTY and connect again to generate the new key
- Once you’ve cleared the old key, the client will accept the new host key from the server.
Fixing the Error by Verifying the New Host Key
Deleting old host keys is quick, but risky if a man-in-the-middle attack is occurring.
For greater security, you should verify a host key change is legitimate before accepting it. Here’s how:
- Check Server Logs – Review server updates and SSH logs to confirm the host key changed during maintenance like a reinstall.
- Key Fingerprint – Get the new key fingerprint from the server admin and compare it to what your client sees.
- Out-of-Band Verification – Use a secondary communication method like phone or email to confirm the key change from the server admin.
- Port Scan – Scan the server’s open ports to check for signs of an intercepting application.
Taking these steps provides external confirmation the new host key is valid. You can then safely delete old keys and connect with improved security.
Preventing the Error By Managing Server Host Keys
To avoid the host key verification failed error in the first place, proper host key management is crucial:
- Back-Up Host Keys – Save a copy of SSH host keys to restore after any server rebuild.
- Use SSH Keygen – Regenerate keys using the ssh-keygen tool instead of the default installation.
- Configure SSH to Save Host Keys – SSH can be configured to retain keys between server reboots.
- Use Private/Internal DNS Names – This prevents public IP changes from affecting SSH connections.
- Notify Clients of Changes – Alert users to expect a new key after infrastructure changes.
Planning ahead for host key changes will prevent the error from interrupting access to your server.
Troubleshooting Other Causes of the Error
Sometimes the error is triggered not by a changed host key, but by other SSH configuration issues:
- Update SSH Client – Old/buggy SSH can cause problems. Upgrade to the latest release.
- Modify SSH Config – Tweaking StrictHostKeyChecking and HashKnownHosts options may help.
- Disable Proxy – Proxies can interfere with SSH connections, and bypass them when connecting.
- Flush DNS Cache – A stale DNS cache could prevent resolving the server name.
- Check Network – Confirm network gear like firewalls or VPNs isn’t blocking SSH.
- Reset Server SSH – Wipe and reconfigure SSH on the server side to rule out issues.
Ruling out these other potential factors can resolve stubborn host key errors.
Using SSH Tunneling to Bypass the Error
If you need to connect through a server that’s still triggering the host key verification failed error, SSH tunneling provides a workaround.
You can tunnel through an intermediary “jump” server to reach the target server:
- Set up tunnel – With PuTTY, configure tunneling from your local machine through the jump host to the remote target.
- Disable verification – Specify StrictHostKeyChecking=no in SSH configs to disable checking.
- Connect through the tunnel – SSH into jump host, then through the tunnel to target without verification errors.
- Restrict access – Limit source IPs that can tunnel to prevent abuse.
Tunneling sidesteps the host key issue for emergency access, buying you time to cleanly resolve the root cause.
Replacing Compromised Server Keys
In rare cases where a malicious third-party did modify the server’s keys, you’ll need to fully replace the compromised keys:
- Reinstall server OS – Completely reinstalling the server’s operating system resets all host keys.
- Regenerate keys – Use ssh-keygen to create brand new public and private key pairs.
- Revoke previous keys – Inform users to remove compromised keys from their SSH clients.
- Issue new keys – Distribute the new certified key fingerprints to users.
- Enhance security – Update access controls, firewall rules, OTP requirements, etc. to prevent another attack.
This will completely flush out the tampered keys and restore secure access with new trusted keys.
Conclusion
The “Host key verification failed” error essentially means your SSH client sees an unexpected fingerprint for the server you’re accessing. In most cases, it’s caused by something as simple as the server installing updated SSH with a new host key pair.
Now that you know the main reasons for the error, as well as different ways to resolve it and manage host keys properly, you can troubleshoot the issue quickly. Verifying server changes, tunneling through jump hosts, and resetting compromised keys will get your SSH connections back up securely.
With the right approach, that “Host key verification failed” message doesn’t have to halt your remote server administration! By understanding what causes it and how to fix it properly, the error becomes just a minor blip rather than a major blockade.
