How To Fix ECDSA host key Warning Error In Linux

I have been using Oracle Virtualbox for years to deploy many virtual machines for testing and learning purposes. The other day I tried to connect to one of my remote server that runs with Arch Linux via SSH using command:

$ ssh sk@192.168.1.102

Here, sk is my remote Arch Linux server's username, and 192.168.1.102 is the Arch Linux IP address.

After running the above command, I got the following warning message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:UX/eJ3HZT9q6lzAN8mxf+KKAo2wmCVWblzXwY8qxqZY.
Please contact your system administrator.
Add correct host key in /home/sk/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/sk/.ssh/known_hosts:4
ECDSA host key for 192.168.1.102 has changed and you have requested strict checking.
Host key verification failed.

ECDSA host key has changed and you have requested strict checking. Host key verification failed.

I can't SSH to the Arch Linux system. I tried to login with alternative username, but I got the same result as shown above.

This is actually not an error message. It is just a security notification that indicates the ECDSA host key for the given remote system has changed since you last connected. As you might already know, when we access a remote system for the first time from a local system via SSH, a fingerprint for the ECDSA key sent by that remote host is cached and stored in $HOME/.ssh/known_hosts file in our local system.

When the identity (fingerprint) has changed after you reinstalled the remote system or assigned a same IP address for multiple remote systems, the above warning message shows up.

Fix ECDSA host key Warning Error In Linux

To work around this issue, first we need to update the cached ECDSA host key of your remote system in your local system's known_hosts file. As you might know, usually, the host keys will be stored in the /home/yourusername/.ssh/known_hosts file.

To remove the cached key, use the following command:

$ ssh-keygen -R <remote-system-ip-address>

In our case, the remote system's IP is 192.168.1.102, so let us use the following command to remove the host key from the "known_hosts" file.

$ ssh-keygen -R 192.168.1.102

Sample output:

# Host 192.168.1.102 found: line 4
/home/sk/.ssh/known_hosts updated.
Original contents retained as /home/sk/.ssh/known_hosts.old

Done!

Now, try again to ssh to the remote system with command:

$ ssh sk@192.168.1.102

Type 'Yes' and hit ENTER to update the host key of your remote system in your local system's known_hosts file.

The authenticity of host '192.168.1.102 (192.168.1.102)' can't be established.
ECDSA key fingerprint is SHA256:UX/eJ3HZT9q6lzAN8mxf+KKAo2wmCVWblzXwY8qxqZY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.102' (ECDSA) to the list of known hosts.
sk@192.168.1.102's password: 
Last login: Thu May 19 18:01:24 2016
[sk@server ~]$

Add ECDSA key fingerprint to the list of known hosts

That's it. Now, you will be able to ssh to your remote Arch Linux system without any problem. This method will work not only on Arch Linux, but also on other Linux distributions as well.