https://homelab.nbkelley.com/tags/ssh/ Recent content in Ssh on homelab Hugo en Fri, 01 May 2026 00:00:00 +0000 https://homelab.nbkelley.com/docs/infrastructure/ssh_host_key_management/ Fri, 01 May 2026 00:00:00 +0000 https://homelab.nbkelley.com/docs/infrastructure/ssh_host_key_management/ <h1 id="ssh-host-key-management--troubleshooting">SSH Host Key Management &amp; Troubleshooting<a class="anchor" href="#ssh-host-key-management--troubleshooting">#</a></h1> <h2 id="what-was-established">What Was Established<a class="anchor" href="#what-was-established">#</a></h2> <p>Standard procedures for resolving SSH <code>REMOTE HOST IDENTIFICATION HAS CHANGED</code> warnings, which occur when a host&rsquo;s SSH fingerprint differs from the locally stored <code>known_hosts</code> entry. This typically happens after a server reinstall, OS upgrade, or SSH key regeneration.</p> <h2 id="key-decisions--commands">Key Decisions &amp; Commands<a class="anchor" href="#key-decisions--commands">#</a></h2> <ul> <li><strong>Verify Legitimacy</strong>: Always confirm with a system administrator or check server logs if a key change is unexpected, as it could indicate a man-in-the-middle attack.</li> <li><strong>Remove Stale Keys</strong>: Use <code>ssh-keygen -R &lt;hostname&gt;</code> to safely remove the outdated entry from <code>~/.ssh/known_hosts</code>.</li> <li><strong>Targeted Removal</strong>: If the error specifies a line number (e.g., line 9), you can remove it via <code>sed -i '' '9d' ~/.ssh/known_hosts</code> or manually edit the file.</li> <li><strong>Pre-populate Keys</strong>: In managed environments, use <code>ssh-keyscan &lt;host&gt; &gt;&gt; ~/.ssh/known_hosts</code> to automate key acceptance.</li> <li><strong>Security Best Practice</strong>: Prefer certificate-based authentication in sensitive environments to bypass host key checking entirely.</li> </ul> <h2 id="current-configuration">Current Configuration<a class="anchor" href="#current-configuration">#</a></h2> <ul> <li><strong>Host Encountered</strong>: <code>proxy</code> (192.168.1.222, Nginx Proxy Manager)</li> <li><strong>User Context</strong>: Commands executed from macOS (<code>NK---Galadriel</code>) as user <code>natekelley</code>.</li> <li><strong>Fingerprint Example</strong>: <code>SHA256:k5j8V356rpQXapznIs12MeBEWHfZYwfeicXdNNWFyOI</code> (ED25519)</li> </ul> <h2 id="historical-notes">Historical Notes<a class="anchor" href="#historical-notes">#</a></h2> <ul> <li>Initial troubleshooting documented on 2025-11-17. The <code>proxy</code> host likely had its underlying VM/container rebuilt or its SSH configuration reset, triggering the warning.</li> </ul> <h2 id="open-questions">Open Questions<a class="anchor" href="#open-questions">#</a></h2> <ul> <li>Should SSH host keys be version-controlled or managed via a configuration management tool (e.g., Ansible) to prevent future mismatches?</li> </ul> <h2 id="related-pages">Related Pages<a class="anchor" href="#related-pages">#</a></h2> <ul> <li><a href="https://homelab.nbkelley.com/docs/networking/proxy-management/">Proxy Management &amp; Cloudflare Tunnels</a></li> <li><a href="https://homelab.nbkelley.com/docs/infrastructure/network_troubleshooting/">Troubleshooting Network Interface Changes</a></li> </ul> <h2 id="sources">Sources<a class="anchor" href="#sources">#</a></h2> <ul> <li><code>ingested/chats/111-Check and Install Git, Go, Dart Sass on Ubuntu.md</code></li> <li><code>ingested/chats/104-SSH Host Key Change Warning and Fix.md</code></li> <li>Historical DeepSeek conversation: SSH Host Key Change Warning and Fix (2025-11-17)</li> </ul>