394

Is it possible to remove a particular host key from SSH's known_hosts file?

I usually end up deleting the entire known_hosts file, which I have no problems with doing, but just out of curiosity, is it possible to remove just a single entry?

I opened the known_hosts file, but I am struggling to understand its contents.

Below is the message I faced, which led me to ask this question:

Add correct host key in /home/wissen16/.ssh/known_hosts to get rid of this message.
Offending key in /home/wissen16/.ssh/known_hosts:1
RSA host key for foo.com has changed and you have requested strict checking.
Host key verification failed.
Braiam
  • 67,791
  • 32
  • 179
  • 269
theTuxRacer
  • 16,185

11 Answers

642

Use this command to remove entries from known_hosts:

ssh-keygen -R hostname

or if the host IP is available

ssh-keygen -R <Host_IP>
Sachin
  • 155
Takkat
  • 142,284
  • 30
    It works with an IP address as well. For instance, I have a DNS host shortcut for my Web server. To remove a conflict I had between the keys for the custom hostname and the IP address, I had to remove the entries for both. So ssh-keygen -R xxx.xxx.xxx.xxx. – StrangeElement Nov 13 '12 at 21:10
  • 1
    As @StrangeElement says, sometimes it is possible that you also have to remove the IP host apart from the hostname. – Gonzalo Cao Feb 10 '15 at 09:05
  • 6
    Plus, it keeps a backup automatically (on my osx machine : Original contents retained as /Users/nha/.ssh/known_hosts.old, assuming it is the same for Ubuntu). – nha Nov 24 '15 at 13:37
  • 28
    Plus, if you are using non-standard ssh port, use this format ssh-keygen -R [ssh.sssshh.com]:1234 – Shiji.J Dec 10 '15 at 00:04
  • 2
    The best answer ever for this question. Works like a charm – bademba Mar 10 '17 at 09:31
  • how to remove by line number? – eri Dec 30 '17 at 18:41
  • @eri You can use sed, see other answers. – Melebius Sep 10 '18 at 13:24
  • some, I presume newer, versions of ssh even suggest using this command when you connect to a host which presents the wrong keys. – Paul M Jul 11 '19 at 12:30
  • An idea why ssh-keygen is responsible for that task rather than ssh-keyscan? – audeoudh Oct 16 '19 at 10:32
  • @Shiji.J I had trouble removing that kind of format in known_hosts. What worked for me is ssh-keygen -R '[ssh.ssssh.com]:1234'. Note the quotes around hostname and port. – Dinko Pehar Mar 11 '20 at 14:33
  • In case it is located in another file like known_hosts2, we can use the option -fas in ssh-keygen -R 192.168.0.24 -f known_hosts2. – Ludovic Kuty Jun 17 '20 at 07:56
  • For those who are interested in connecting to a linux host from a windows client, note that ssh-keygen -R option doesn't work (at least on my machine). Instead I have to employ an alternate mechanism: ssh-keyscan -t rsa <hostname> | Out-File ~/.ssh/known_hosts -Append -Encoding ASCII; – mattgately Jan 04 '21 at 18:00
36

Yes, you can remove just one key. Just open it in an editor and delete the offending line. The number after the colon in the error message is the line number, so that's the line to delete -- line 1 in your example.

Mike Scott
  • 2,194
18

I have only recently started using host keys, but when I have messed with them it is generally one key per line, so back up the file and remove them one at a time until you find the right one. Then add the others back. Bit of a long way to do it, but should work.

Also based on that error, and with no idea whatsoever, it could be the first host key in the file that is the problem, so open up the file with vim

vim ~/.ssh/known_hosts

and hit

dd

then save it.

5

This one worked for me. This is the default method shown in the display when I tried to add a known host.

ssh-keygen -f "/home/noob/.ssh/known_hosts" -R "172.16.132.132"

You just have to change the IP address and host file path here.

4

Using ssh-keygen -R hostname will not always work. If you have a newer version of SSH that is "hiding" the hostnames to prevent ssh-agent hijacking, apparently ssh-keygen is unable to unhash the hostname.

For example, I have a host called build-node-01 and I have connected to it and accepted the key. If I then rebuild it from scratch, getting a new host fingerprint, and try to reconnect, I will get a warning that there is a conflict on line X (say 3). I run ssh-keygen -R hostname, but the next time I try to connect I still get a warning that there is a conflict. I examined the file only to discover that the hostname was hashed and showed up as [1] Bu4Ch@R@4D0M57uFF instead of a readable hostname.

In this case the only way to successfully get the offending host removed was to use

sed -i 'xd' ~/.ssh/known_hosts

To take this sed one step further, you may wish to make a backup of the known_hosts in case you delete the wrong line, in this case just add a .bak (or any extension) to the -i option to create a backup with that extension. Using ssh-keygen does this automatically.

sed -i.bak 'xd' ~/.ssh/known_hosts
dragon788
  • 1,556
  • 7
    This is not correct. ssh-keygen -R {hostname} will work, even when hostnames are 'hidden' (hashed). Still, yes, one can delete the entry by number (e.g., 10th entry via sed -i.bak 10d ~/.ssh/known_hosts), but that's not typically necessary. It could be that a non-standard port was used, in which case, you may have to format the command as (note quotes): ssh-keygen -R '[hostname]:2222' – michael Sep 20 '16 at 09:13
  • Good to know @michael_n, it's very likely that it was a non-standard port that was affecting my ability to remove the entry. I also should note that if you have accepted multiple fingerprints for a host, I'm not sure if it removes ALL entries at once, or just one at a time. – dragon788 Sep 20 '16 at 15:06
2

If you want to remove the host key for a certain IP, then this will help:

ssh-keygen -f ~/.ssh/known_hosts -R "49.12.89.136"

2

Just to share another clean and easy answer I just found. Removing the hostname is out for me, as the known_hosts file is hashed. However, I COULD manually edit out the host entry based on the line number in the error message. As noted by Mike Scott previously, the offending hostname line number is in the error message.

Or, I can do this. From here: how to fix offending key in ssh known_hosts file

I got this bit of cli magic

sed -i 'xd' ~/.ssh/known_hosts

Replace the x with the line number, and voila. He also offers a perl answer if the sed will not work.

Sparhawk
  • 6,929
Mark G B
  • 71
  • 5
1

To remove the offending entry, use this:

sed -i '/<ipaddr|hostname>/d' ~/.ssh/known_hosts

I cobbled together the below script. Just save it as ~/.rmhost

#!/bin/bash

# Usage: rmhost {ipaddr|hostname}
rmhost_help() {
    echo "Usage rmhost {ipaddr|hostname}"
    echo " -h Print this help message"
    exit 0
}

# No argument, or -h, prints the help text and exits
if [ -z "$1" ] || [ "$1" == "-h" ]; then
    rmhost_help
fi

# The argument is used as a sed regex: dots match any character,
# and lines whose hostname is hashed will not match at all
sed -i "/$1/d" ~/.ssh/known_hosts

echo "host $1 removed"
exit 0

Then put this alias in ~/.bashrc

alias rmhost=~/.rmhost

When you get the error just type in 'rmhost {ipaddr|hostname}'

0

You can avoid removing the particular host by updating it:

ssh-keyscan -t ecdsa hostname >> ~/.ssh/known_hosts

This way you don't have to connect again to the host.

Pablo Bianchi
  • 15,657
0

If you get a fingerprint option while adding an RSA token, use that. Once you choose the fingerprint option it will add the hostname of the Stash repo to the known_hosts file.

Gampesh
  • 101
0
sed '/10\.20\.120\.211/d' ~/.ssh/known_hosts > temp && mv temp ~/.ssh/known_hosts

In this case, 10.20.120.211 is the host I want to delete from my known_hosts file, make sure you escape the special characters like (.)

Shan Valleru
  • 301
  • 2
  • 5
  • IP addresses & hostnames are no longer stored verbatim (clear text) in the known hosts file, so this won't work. One should either use ssh-keygen -R ... (preferably); or, sed with the specific line number to delete. Also, to sed in-place, use the -i option; e.g., sed -i.bak 10d ~/.ssh/known_hosts to delete the 10th line, and (optionally) keep the original in a backup file suffixed by .bak. – michael Sep 20 '16 at 09:18
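Added example (Python, written for this page; it is neither code from the thread nor OpenSSH's own code): a small parser for the known_hosts format the question asks about. It shows what the accepted answer's ssh-keygen -R, the [host]:port form from Shiji.J's comment, dragon788 and michael's exchange about hashed hostnames, and michael's comment on the sed-by-IP answer directly above all rest on. A hashed line is |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)), so a grep or sed for the hostname or IP finds nothing, while recomputing the HMAC with each line's own salt does. The hosts, the fixed salt and the key blobs in SAMPLE are constructed placeholders, and the helper names are this example's own.

```python
"""Parse OpenSSH known_hosts and find/remove entries, hashed ones included."""
import base64
import hashlib
import hmac
import re
from typing import List, NamedTuple, Optional, Tuple

HASH_MAGIC = "|1|"  # prefix OpenSSH writes when HashKnownHosts is on


class Entry(NamedTuple):
    lineno: int            # 1-based: the N in "Offending key in known_hosts:N"
    marker: Optional[str]  # "@cert-authority" / "@revoked" or None
    hosts: str             # host field: patterns, "[host]:port" or "|1|salt|hash"
    keytype: str
    key: str


def parse_known_hosts(text: str) -> List[Entry]:
    """One Entry per key line; blank, comment and malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) >= 3:
            entries.append(Entry(lineno, marker, fields[0], fields[1], fields[2]))
    return entries


def hashed_host(salt: bytes, name: str) -> str:
    """The |1|salt|hash form: base64(salt) and base64(HMAC-SHA1(key=salt, msg=name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def _pattern_match(name: str, pattern: str) -> bool:
    """OpenSSH host patterns know only '*' and '?'; brackets and dots are literal."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name.lower()) is not None


def host_field_matches(field: str, name: str) -> bool:
    """name is spelled as ssh looks it up: 'foo.com', '203.0.113.7' or '[foo.com]:2222'."""
    if field.startswith(HASH_MAGIC):
        try:
            salt_b64, _ = field[len(HASH_MAGIC):].split("|", 1)
            salt = base64.b64decode(salt_b64, validate=True)
        except ValueError:
            return False  # malformed hashed entry
        return hmac.compare_digest(hashed_host(salt, name).encode(), field.encode())
    matched = False
    for pattern in field.split(","):
        if _pattern_match(name, pattern.lstrip("!")):
            if pattern.startswith("!"):
                return False  # a negated pattern vetoes the whole entry
            matched = True
    return matched


def find_host(text: str, name: str) -> List[int]:
    """Line numbers of entries for name, ready for `sed -i.bak Nd`."""
    return [e.lineno for e in parse_known_hosts(text) if host_field_matches(e.hosts, name)]


def lines_containing(text: str, needle: str) -> List[int]:
    """What `grep -n needle` or `sed '/needle/d'` would see: a plain substring search."""
    return [n for n, line in enumerate(text.splitlines(), start=1) if needle in line]


def remove_host(text: str, name: str) -> Tuple[str, List[int]]:
    """Drop whole lines for name, as `ssh-keygen -R` does; an alias sharing the line goes too.
    @cert-authority and @revoked lines are kept: dropping a @revoked line would un-revoke a key."""
    hits = {e.lineno for e in parse_known_hosts(text)
            if e.marker is None and host_field_matches(e.hosts, name)}
    kept = [line for n, line in enumerate(text.splitlines(), start=1) if n not in hits]
    return "\n".join(kept) + "\n", sorted(hits)


# Constructed sample file (hypothetical hosts; key blobs are placeholders, not real keys).
SALT = bytes(range(20))  # OpenSSH draws a fresh random 20-byte salt for every hashed line
SAMPLE = "\n".join([
    "foo.com,203.0.113.7 ssh-ed25519 AAAAexampleKeyOne",                    # 1 plain, two names
    hashed_host(SALT, "foo.com") + " ssh-rsa AAAAexampleKeyTwo",             # 2 hashed foo.com
    "[foo.com]:2222 ssh-ed25519 AAAAexampleKeyThree",                        # 3 non-standard port
    hashed_host(SALT, "build-node-01") + " ssh-ed25519 AAAAexampleKeyFour",  # 4 hashed, no clear text
    "@revoked foo.com ssh-rsa AAAAexampleKeyFive",                           # 5 revocation marker
]) + "\n"

if __name__ == "__main__":
    print("grep sees build-node-01 on lines:", lines_containing(SAMPLE, "build-node-01"))  # []
    print("parser finds it on lines:", find_host(SAMPLE, "build-node-01"))                  # [4]
    print("foo.com on lines:", find_host(SAMPLE, "foo.com"))                                # [1, 2, 5]
    print("left after removing foo.com:", remove_host(SAMPLE, "foo.com")[1])                # [1, 2]
```

find_host returns the same 1-based line number the "Offending key in ...:N" message reports, so it can feed the sed -i.bak Nd form from the answers above even when the file is hashed. Note that removing foo.com also drops the 203.0.113.7 alias that shares line 1, because the whole line goes; conversely, a hostname and an IP on separate lines need two separate removals, which is what the comments under the accepted answer describe.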