problem hub
Read-only first
SSH known_hosts changed warning
Verify stored and presented host keys out of band before editing known_hosts.
Safest first command
ssh-keygen -F hostname
Before you run this
Expected output: known_hosts entries for the hostname, or no output if none are found.
When not to use it: Do not delete known_hosts blindly; a changed key can indicate a rebuild, DNS mistake, load balancer change, or man-in-the-middle risk.
Expected output example
found in /home/user/.ssh/known_hosts:12
example ssh-ed25519 AAAAC3Nza...
How to read the result
A stored key proves what you trusted before. It does not prove the new key is safe. Compare the presented key with a trusted console, provider fingerprint, or admin channel.
What to check next
Stored key exists and SSH warns changed
Means: The host key presented now differs from the stored trust record.
Next step: Get the presented key for out-of-band comparison.
keyscan shows a different key
Means: This may be expected after a rebuild, or it may be a real security problem.
Next step: Verify fingerprint through a trusted channel.
Multiple host entries exist
Means: Aliases, IPs, or hashed entries may complicate cleanup.
Next step: Inspect matching known_hosts lines.
known_hosts decision tree
Find the stored key, collect the presented key, and verify the fingerprint out of band before editing known_hosts. Treat the warning as a trust decision, not a nuisance.
ssh-keygen -F hostname
ssh-keyscan -t ed25519 hostname
grep -n 'hostname' ~/.ssh/known_hosts
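The decision tree above as a read-only triage script. This is an added example, not part of the original page; it goes slightly beyond the three commands by also matching hashed known_hosts entries. The function names, result labels, and sample keys are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, struct

def fingerprint(b64_blob):
    """SHA256 fingerprint in the same form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: comma list, or hashed |1|salt|HMAC-SHA1."""
    if field.startswith("|1|"):
        salt, mac = (base64.b64decode(p) for p in field[3:].split("|"))
        return hmac.compare_digest(hmac.new(salt, host.encode(), hashlib.sha1).digest(), mac)
    return host in field.split(",")  # wildcard and negated patterns are not handled

def stored_keys(known_hosts, host, keytype):
    """Return [(line_number, fingerprint)] for entries matching host and key type."""
    hits = []
    for n, line in enumerate(known_hosts.splitlines(), 1):
        f = line.split()
        if len(f) < 3 or f[0].startswith(("#", "@")):
            continue  # skip comments, blanks, @cert-authority / @revoked lines
        if f[1] == keytype and host_matches(f[0], host):
            hits.append((n, fingerprint(f[2])))
    return hits

def triage(known_hosts, host, keyscan_line, trusted_fp=None):
    """trusted_fp must come from a console, provider, or admin channel, never keyscan."""
    _, keytype, blob = keyscan_line.split()[:3]
    presented = fingerprint(blob)
    if presented in {fp for _, fp in stored_keys(known_hosts, host, keytype)}:
        return "matches-stored"
    if trusted_fp is None:
        return "unverified-do-not-edit"
    if hmac.compare_digest(presented, trusted_fp):
        return "changed-verified"
    return "mismatch-escalate"

# Constructed sample data below: not real host keys.
def sample_blob(seed):
    body = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(body).decode()

OLD, NEW, SALT = sample_blob(1), sample_blob(2), b"constructed-salt-20b"
HASHED = "|1|%s|%s" % (base64.b64encode(SALT).decode(), base64.b64encode(
    hmac.new(SALT, b"example", hashlib.sha1).digest()).decode())
KNOWN_HOSTS = f"# constructed\nexample,192.0.2.10 ssh-ed25519 {OLD}\n{HASHED} ssh-ed25519 {OLD}\n"

if __name__ == "__main__":
    print(stored_keys(KNOWN_HOSTS, "example", "ssh-ed25519"))
    print(triage(KNOWN_HOSTS, "example", f"example ssh-ed25519 {NEW}"))
```

The script never writes to known_hosts; only a "changed-verified" result justifies replacing the listed lines.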
Bad fixes to avoid
Do not delete the entire known_hosts file. Do not accept a changed key on an untrusted network without verification. Do not ignore DNS or load-balancer changes.
Common causes
- Server rebuilt
- DNS now points to another host
- Load balancer or bastion changed
- known_hosts has a stale alias
- Possible man-in-the-middle
What not to change yet
- Do not delete known_hosts blindly.
- Do not trust keyscan alone.
- Do not accept changed host keys without verification.
Stop and escalate if
- The next step could interrupt users, remove data, or lock out access.
- The output includes secrets, customer data, or private infrastructure details.
- You cannot explain the blast radius of the repair command.
Guides and drills
- SSH publickey denied hub: Use when host identity is trusted but user authentication fails.