Loading...

SSH and RSA key warnings after infrastructure relaunch

Infrastructure with SSH capabilities has a unique host key fingerprint. Frequently, when relaunching an infrastructure, the host key fingerprint changes because the infrastructure is running on completely new infrastructure after the relaunch. When you try to connect to this infrastructure using SSH after a relaunch, you may see messages like the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be
eavesdropping on you right now (man-in-the-middle attack)! It is also
possible that a host key has just been changed. The fingerprint for the RSA
key sent by the remote host is [truncated]. Please contact your system
administrator. Add correct host key in /home/username/.ssh/known_hosts to
get rid of this message. Offending RSA key in
/home/username/.ssh/known_hosts:24 Password authentication is disabled to
avoid man-in-the-middle attacks. Keyboard-interactive authentication is
disabled to avoid man-in-the-middle attacks. Agent forwarding is disabled to
avoid man-in-the-middle attacks.

While this warning message sounds dire, it is frequently harmless and can be disregarded. In most cases, the only change is innocuous: a change to the infrastructure.

After an infrastructure relaunch, your RSA key fingerprint changes, which might lead to an SSH warning when you try to access your server. You must update your known_hosts file or allow the new fingerprint to ensure secure access. To prevent the key fingerprint warning message from recurring, use one of the following methods:

  • Remove the outdated host key using ssh-keygen.

    Run the following command to remove the host fingerprint for the previous hardware:

    ssh-keygen -R [hostname]

    where [hostname] is the hostname for your previous infrastructure.

  • Edit or remove the known_hosts file.

    On a UNIX system, you can remove the file ~/.ssh/known_hosts entirely; however, removing this file will cause the infrastructure you SSH into to prompt you to accept new keys. You can instead edit the known_hosts file and remove the old infrastructure key. Ensure you back up the file before you edit it.

    Windows users may find the same file at c:\users\username\.ssh\known_hosts, especially if you are using something like Git Bash.

  • Turn off StrictHostKeyChecking.

    Add StrictHostKeyChecking no to your ~/.ssh/config file, or -o StrictHostKeyChecking=no to the SSH command. 

  • To verify the fingerprint of an infrastructure, create a Support ticket.

    The next time you sign in after removing the outdated known_hosts entry, you will see a prompt asking you to approve adding the new host key fingerprint to your list of known hosts.

    Acquia’s public SSH key fingerprints in Cloud Next

    In Cloud Next environments, you can use public key fingerprints to validate a connection to a remote server. Acquia’s public key fingerprints are as follows:

    AlgorithmKey
    RSASHA256:yxVlCD43Vt8tTJ2Q92+ySVYi8dzNOytvwrjrgBLBNHQ
    ECDSASHA256:eabRcL6rQ+eo4+rc/7lUW0j8+pS+/27ufFO/9zjZepM
    ED25519SHA256:x2Gqkq4ToeB8kpDjUsJNLexo94Xz5ZNCqbFEkvhWbfM

Did not find what you were looking for?

If this content did not answer your questions, try searching or contacting our support team for further assistance.

Cloud Platform Support
Back to Section navigation
Back to Site navigation