Raspberry Pi SSH - Host Identification Changed Issue

The Founder
Jul 18
4 min read

Reinstalled your Raspberry Pi OS?

If so, this is likely the cause.

Introduction

One issue that may appear when accessing the SSH connection to your Pi is the warning of "REMOTE HOST IDENTIFICATION HAS CHANGED". In this quick tutorial, I will walk through the most common fix and explain why this is needed.

An example of the warning message being discussed. Grey areas should be substituted with your information.

What is This Warning?

The Secure Shell tool (SSH) provides an encrypted connection to another computer over a network. This is a convenient tool for remotely accessing a terminal or managing resources on another computer, such as a server, especially if the network itself is not secure. On many systems, such as Windows 10, this tool is pre-installed in the "CMD" command line application.

An SSH connection is authenticated using Public Key Encryption. This warning is displayed to indicate that a discrepancy has occurred while attempting to connect to the target device using this encryption method.

What is Public Key Encryption?

Essentially, each computer has two encryption keys paired together. One key is used to encrypt a message, and the other is used to decrypt it. The advantage is that the same key cannot be used for both functions, making it very easy for people to encrypt a message intended for you, but nearly impossible for someone else to maliciously decode it.

Without diving into the complexities behind how the encryption works, all you need to know is:

Each device has a unique "Public" and "Private" encryption key.
The message receiver's "Public Key" is available to everyone wanting to send them a message.
The message receiver's "Private Key" is only known to the receiver.
The receiver's public key is used to encrypt a message that only the receiver can decrypt.
Only the correct private key can be used to decrypt that message.

Through this, anyone can encrypt a message using someone's "Public Key", but only the receiver can decrypt that message, though using their secret "Private Key". The benefit of Public Key Encryption is that you never need to share any password or key to decode a message, mitigating the risk of that all-important code falling into the wrong hands.

So, What Does This Warning Mean?

When a connection is established between two computers over SSH, these devices exchange their respective public keys. These keys are logged to make connecting to each other in the future much easier. However, this problem arises when the keys it used before are different from what it is using now.

The cruciality of this warning is due to the fact that in an ideal world, these keys should never change, and the fact that it has is suspicious. This can occur for several reasons, one of which is a malicious attempt to intercept messages by pretending to be the sender or recipient. The terminal warns of this risk by displaying "Someone could be eavesdropping on you right now (man-in-the-middle attack)!"

However, there are more innocent reasons this issue may appear.

A Common Cause for This Issue

When you install an operating system onto your Pi, such as the Debian-based Raspberry Pi OS, these encryption keys are generated during setup. If you change your OS or wipe your Pi for any other reason, the new keys won't match those used before, even if you give the Pi the same hostname.

Therefore, when you try to connect to your Pi (e.g. named "SuperCoolPiServer") through SSH on your connecting device (e.g. your laptop), your device recognises that what it is talking to may have the same hostname or IP address, but the keys are different from what it expects.

So, how do we fix this? Simple! We need to tell your controlling device (e.g. your laptop) to forget these old keys and exchange the new ones.

Advertisements provided by Google AdSense

Step 1 - Verify Connection to Your Pi

One thing we can do before we make any changes is to see if we can contact our Raspberry Pi. Using the ping tool, we can send an echo request to our Pi. Essentially, we transmit a message to the Pi and await a reply. If we don't get a reply, then there may be an issue. This can help us verify that the hostname and IP address are correct, and that no physical network disruptions have occurred either.

A successful attempt at ping'ing the Raspberry Pi using the hostname, verifying the target device is reachable, and the entered details are correct.

Generally, the ping tool should make 4 attempts to contact the target device, with each attempt generating a response time. Each response time is measured in milliseconds (up until a max waiting timeout period). If response times are inconsistent or excessive, this could also indicate an issue. In some circumstances, the ping tool may make a vast or seemingly endless number of attempts; this can typically be cancelled by pressing Ctrl+C in the terminal.

If the ping is successful and the IP address matches what we expected, then we have a suitable connection to proceed.

Step 2 - Remove the Old Key Pairing

To remove the old pairing between our devices, we can use the ssh-keygen command with the "-R" extension to wipe the logged key relationship for a specific device stored on our device.

To perform this, run the following code, substituting your own values:

ssh-keygen -R <hostname/IP here>

On completion, your screen should display something similar to the following:

Removing the outdated encryption key information relating to the target device.

Step 3 - Establish the New Key Pairing

With the old keys cleared, we can now renew our relationship by connecting to the target device and exchanging the new keys automatically.

Making a new SSH connection to the target device, exchanging the encryption key information.

If successful, you should see that the user account and directory displayed have changed, matching the username and hostname of the target device.

Advertisements provided by Google AdSense