
Read-only first

SSH known_hosts changed warning

Verify stored and presented host keys out of band before editing known_hosts.

Safest first command

ssh-keygen -F hostname

Before you run this

Expected output: the known_hosts entries that match the hostname, or no output if none are found.

When not to use it: Do not delete known_hosts blindly; a changed key can indicate a rebuild, DNS mistake, load balancer change, or man-in-the-middle risk.

Expected output example

found in /home/user/.ssh/known_hosts:12
example ssh-ed25519 AAAAC3Nza...

How to read the result

A stored key proves what you trusted before. It does not prove the new key is safe. Compare the presented key with a trusted console, provider fingerprint, or admin channel.

What to check next

Stored key exists and SSH warns changed

Means: The host key presented now differs from the stored trust record.

Next step: Get the presented key for out-of-band comparison.

Find a Host in known_hosts

keyscan shows a different key

Means: This may be expected after a rebuild, or it may be a real security problem.

Next step: Verify fingerprint through a trusted channel.

Scan a Host SSH Key

Multiple host entries exist

Means: Aliases, IPs, or hashed entries may complicate cleanup.

Next step: Inspect matching known_hosts lines.

Find known_hosts Lines by Name

known_hosts decision tree

Find the stored key, collect the presented key, and verify the fingerprint out of band before editing known_hosts. Treat the warning as a trust decision, not a nuisance.

  1. ssh-keygen -F hostname
  2. ssh-keyscan -t ed25519 hostname
  3. grep -n 'hostname' ~/.ssh/known_hosts
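The three commands above collect the evidence; the comparison itself is the trust decision. The following added example (not part of this page or of OpenSSH) shows that comparison in Python: it parses known_hosts lines the way ssh-keygen -F does, including HashKnownHosts-style `|1|salt|hmac` entries, computes the same `SHA256:` fingerprint that ssh-keygen -l prints, and compares it with a line in the shape ssh-keyscan produces. All hostnames, salts and key blobs are constructed for the example and are not real keys; the script only reads and reports, it never edits known_hosts.

```python
import base64
import hashlib
import hmac

# --- constructed sample data (not real keys; built only for this worked example) ---

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data

def make_ed25519_blob(pubkey32: bytes) -> str:
    """Build the base64 key blob exactly as it appears in known_hosts / ssh-keyscan output."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pubkey32)).decode()

def hash_hostname(hostname: str, salt: bytes) -> str:
    """HashKnownHosts field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

OLD_KEY = make_ed25519_blob(bytes([0x11]) * 32)      # constructed: the key you trusted before
NEW_KEY = make_ed25519_blob(bytes([0x22]) * 32)      # constructed: the key the server presents now
BASTION_KEY = make_ed25519_blob(bytes([0x33]) * 32)  # constructed: key behind a hashed entry

SAMPLE_KNOWN_HOSTS = "\n".join([
    "example.test,203.0.113.10 ssh-ed25519 " + OLD_KEY,
    "# a comment line is ignored",
    hash_hostname("bastion.test", bytes(range(20))) + " ssh-ed25519 " + BASTION_KEY,
    "",
])

# Lines in the shape ssh-keyscan prints: "<host> <keytype> <base64 blob>" (constructed)
PRESENTED_CHANGED = "example.test ssh-ed25519 " + NEW_KEY
PRESENTED_SAME = "example.test ssh-ed25519 " + OLD_KEY

# --- the comparison logic ---

def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(host_field: str, hostname: str) -> bool:
    """Does a known_hosts host field cover hostname? Handles plain comma lists and hashed (|1|)
    entries. Wildcards, negation (!host) and [host]:port forms are deliberately not handled."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")

def stored_keys(known_hosts_text: str, hostname: str):
    """Return (line_no, keytype, fingerprint) for every entry matching hostname, like ssh-keygen -F."""
    found = []
    for line_no, line in enumerate(known_hosts_text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):
            continue  # @cert-authority / @revoked marker lines need their own handling; skipped here
        if len(fields) < 3:
            continue
        host_field, keytype, key_b64 = fields[0], fields[1], fields[2]
        if host_matches(host_field, hostname):
            found.append((line_no, keytype, fingerprint_sha256(key_b64)))
    return found

def assess(known_hosts_text: str, hostname: str, presented_line: str) -> dict:
    """Compare the stored trust record with the presented key and report; never edits anything."""
    _, keytype, key_b64 = presented_line.split()[:3]
    presented_fp = fingerprint_sha256(key_b64)
    stored = [s for s in stored_keys(known_hosts_text, hostname) if s[1] == keytype]
    if not stored:
        verdict = "unknown"   # first contact for this key type: verify before trusting
    elif any(fp == presented_fp for _, _, fp in stored):
        verdict = "match"     # stored and presented keys agree
    else:
        verdict = "changed"   # stop here and verify the presented fingerprint out of band
    return {"hostname": hostname, "stored": stored,
            "presented": (keytype, presented_fp), "verdict": verdict}

if __name__ == "__main__":
    for label, line in (("same key", PRESENTED_SAME), ("different key", PRESENTED_CHANGED)):
        r = assess(SAMPLE_KNOWN_HOSTS, "example.test", line)
        print(label, "->", r["verdict"], "presented", r["presented"][1])
        for line_no, kt, fp in r["stored"]:
            print("   stored line", line_no, kt, fp)
```

The fingerprint printed for the presented key is the value to read back to the provider console or the admin channel; a "changed" verdict is the point where the decision tree says to stop, not a prompt to edit the file.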

Bad fixes to avoid

Do not delete the entire known_hosts file. Do not accept a changed key on an untrusted network without verification. Do not ignore DNS or load-balancer changes.

Common causes

  • Server rebuilt
  • DNS now points to another host
  • Load balancer or bastion changed
  • known_hosts has a stale alias
  • Possible man-in-the-middle

What not to change yet

  • Do not delete known_hosts blindly.
  • Do not trust keyscan alone.
  • Do not accept changed host keys without verification.

Stop and escalate if

  • The next step could interrupt users, remove data, or lock out access.
  • The output includes secrets, customer data, or private infrastructure details.
  • You cannot explain the blast radius of the repair command.
