---
title: "SSH and RSA key warnings after infrastructure relaunch"
date: "2024-02-14T06:18:38+00:00"
summary: "Resolve SSH and RSA key warnings after infrastructure relaunch. Learn to update known_hosts and verify fingerprints for secure access."
image:
type: "page"
url: "/acquia-cloud-platform/ssh-and-rsa-key-warnings-after-infrastructure-relaunch"
id: "a5fe8fb0-6b2a-439c-9f47-42d04260683a"
---

Each infrastructure that supports SSH has a unique host key fingerprint. A relaunch frequently changes that fingerprint, because the infrastructure is running on completely new hardware after the relaunch. When you try to connect to this infrastructure [using SSH](/acquia-cloud-platform/manage-apps/command-line) after a relaunch, you may see messages like the following:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    [truncated].
    Please contact your system administrator.
    Add correct host key in /home/username/.ssh/known_hosts to get rid of this message.
    Offending RSA key in /home/username/.ssh/known_hosts:24
    Password authentication is disabled to avoid man-in-the-middle attacks.
    Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
    Agent forwarding is disabled to avoid man-in-the-middle attacks.

While this warning message sounds dire, it is frequently harmless and can be disregarded. In most cases, the only change is innocuous: a change to the infrastructure.

Impact on CI/CD and Other Automation
------------------------------------

When infrastructure is relaunched or rebooted, the host's SSH and RSA key fingerprints change. This is expected but can cause disruptions for automated processes that rely on persistent host keys.

CI/CD scripts, Git-based automation, and other automated tools often use strict host key checking to prevent man-in-the-middle attacks. When a server's key changes, these tools fail to connect, interpreting the new key as a potential security threat. This can cause your build, deployment, or other automated tasks to fail.

To ensure your automation continues to function after scheduled maintenance, you must update your scripts to gracefully handle these occasional key changes. While Acquia does not prescribe specific scripting methods, your scripts might need to be modified to either temporarily disable strict host key checking or programmatically accept the new host key.

After an infrastructure relaunch, your RSA key fingerprint changes, which might lead to an SSH warning when you try to access your server. You must update your `known_hosts` file or allow the new fingerprint to ensure secure access. To prevent the key fingerprint warning message from recurring, use one of the following methods:

*   **Remove the outdated host key using** `ssh-keygen`**.**
    
    Run the following command to remove the host fingerprint for the previous hardware:
    
        ssh-keygen -R [hostname]
    
    where `[hostname]` is the hostname for your previous infrastructure.
    
*   **Edit or remove the known\_hosts file.**
    
    On a UNIX system, you can remove the file `~/.ssh/known_hosts` entirely; however, removing this file will cause the infrastructure you SSH into to prompt you to accept new keys. You can instead edit the `known_hosts` file and remove the old infrastructure key. Ensure you back up the file before you edit it.
    
    Windows users may find the same file at `c:\users\username\.ssh\known_hosts`, especially if you are using something like [Git Bash](https://www.educative.io/edpresso/how-to-install-git-bash-in-windows).
    
*   **Turn off StrictHostKeyChecking.**
    
    Add `StrictHostKeyChecking no` to your `~/.ssh/config` file, or `-o StrictHostKeyChecking=no` to the SSH command. 
    

    **Caution:** For security reasons, Acquia does not recommend that you disable host key checking.

To verify the fingerprint of an infrastructure, [create a Support ticket](/service-offerings/support#contact-acquia-support).

The next time you sign in after removing the outdated `known_hosts` entry, you will see a prompt asking you to approve adding the new host key fingerprint to your list of known hosts.

Acquia’s public SSH key fingerprints in Cloud Next
--------------------------------------------------

In Cloud Next environments, you can use public key fingerprints to validate a connection to a remote server. Acquia’s public key fingerprints are as follows:

| Algorithm | Key |
| --- | --- |
| RSA | SHA256:yxVlCD43Vt8tTJ2Q92+ySVYi8dzNOytvwrjrgBLBNHQ |
| ECDSA | SHA256:eabRcL6rQ+eo4+rc/7lUW0j8+pS+/27ufFO/9zjZepM |
| ED25519 | SHA256:x2Gqkq4ToeB8kpDjUsJNLexo94Xz5ZNCqbFEkvhWbfM |
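
For automation that has to "programmatically accept the new host key", the following added example (not Acquia's code) accepts a scanned key only when its SHA256 fingerprint is one of those listed above. It assumes input in `ssh-keyscan` format (`host keytype base64key`); the function names are hypothetical and the sample keys are constructed for the demo.

```python
import base64
import hashlib
import struct

# SHA256 fingerprints listed on this page for Cloud Next (RSA, ECDSA, ED25519).
PINNED = {
    "SHA256:yxVlCD43Vt8tTJ2Q92+ySVYi8dzNOytvwrjrgBLBNHQ",
    "SHA256:eabRcL6rQ+eo4+rc/7lUW0j8+pS+/27ufFO/9zjZepM",
    "SHA256:x2Gqkq4ToeB8kpDjUsJNLexo94Xz5ZNCqbFEkvhWbfM",
}


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verified_entries(keyscan_output, pinned=PINNED):
    """Split 'host keytype base64key' lines into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for line in keyscan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blank and comment lines
            continue
        fields = line.split()
        try:
            ok = len(fields) >= 3 and fingerprint(fields[2]) in pinned
        except ValueError:  # malformed base64 is never trusted
            ok = False
        (accepted if ok else rejected).append(line)
    return accepted, rejected


def constructed_key(seed):
    """Sample data only: a well-formed ssh-ed25519 blob built from fixed bytes."""
    name, raw = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(blob).decode()


if __name__ == "__main__":
    expected, other = constructed_key(b"expected"), constructed_key(b"other")
    scan = (f"# host.example:22 SSH-2.0-sample\n"
            f"host.example ssh-ed25519 {expected}\n"
            f"host.example ssh-ed25519 {other}\n")
    # Pin the constructed key here so the demo has one match and one mismatch.
    accepted, rejected = verified_entries(scan, pinned={fingerprint(expected)})
    print("append to known_hosts:", accepted)
    print("refused (fingerprint not pinned):", rejected)
```

In a pipeline, feed `verified_entries` the `ssh-keyscan` output for the relaunched host and append only the accepted lines to `known_hosts`, which lets `StrictHostKeyChecking` stay enabled.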