Troubleshooting
Problem
The SSH connectivity to a remote host fails due to mismatching SSH keys with errors such as "Host key verification failed."
Symptom
Trying to establish an SSH session to the host fails with the following error:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:JwHDVTX+Sl0K3+WDY3rOm5E5ww/TIlQnz1v7r9EUC8w.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:X
ECDSA host key for X.X.X.X has changed and you have requested strict checking.
Host key verification failed.
Cause
The remote host SSH keys changed. This issue can occur during the migration process.
Resolving The Problem
To resolve the error, use the following steps:
- SSH to the QRadar Console as the root user.
- SSH to the remote host to see the error. Replace <remote_host> with the remote host IP or hostname:
ssh <remote_host>
Note the file and line of the Offending ECDSA key. In this example, it is /root/.ssh/known_hosts:4.@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:JwHDVTX+Sl0K3+WDY3rOm5E5ww/TIlQnz1v7r9EUC8w. Please contact your system administrator. Add correct host key in /root/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /root/.ssh/known_hosts:4 ECDSA host key for <Remote Host IP> has changed and you have requested strict checking. Host key verification failed.
- Remove the offending key in /root/.ssh/known_hosts by using the ssh-keygen command. Replace <remote_host> with the remote host IP or hostname:
ssh-keygen -R <remote_host>
# Host <remote_host> found: line 4 /root/.ssh/known_hosts updated. Original contents retained as /root/.ssh/known_hosts.old
- SSH to the remote host again to confirm whether the issue is resolved.
ssh <remote_host>
Result
Administrator resolved the issue with the offending key and is now able to SSH into the remote host.
Note: If the SSH fails with the following error message, see QRadar: SSH to host fails with error "No ECDSA host key is known for <Remote Host IP> and you have requested strict checking".ERROR: No ECDSA host key is known for <Remote Host IP> and you have requested strict checking. ERROR: Host key verification failed.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
30 May 2023
UID
ibm16998657