This error occurs when SSH cannot verify the remote server's identity because its host key is missing from or mismatched in your known_hosts file. The fix typically involves adding the server's host key to your SSH configuration.
When you connect to a Git remote server via SSH (like GitHub, GitLab, or Bitbucket), your SSH client checks the server's identity against a list of known hosts stored in the `~/.ssh/known_hosts` file. This security feature helps prevent man-in-the-middle attacks by ensuring you're connecting to the legitimate server. The "Host key verification failed" error appears when: 1. You're connecting to the server for the first time and the host key hasn't been added yet 2. The server's host key has changed (which could indicate a legitimate server update or a potential security threat) 3. The known_hosts file is missing, corrupted, or has incorrect permissions 4. You're running in an automated environment (CI/CD) where there's no interactive prompt to accept the key This is a security-first design - SSH refuses to connect rather than risk connecting to an impersonated server.
First, test the SSH connection to identify the exact problem:
ssh -T [email protected]
# Or for other hosts:
ssh -T [email protected]
ssh -T [email protected]You should see either a prompt to accept the key, the verification error, or a success message.
If prompted "Are you sure you want to continue connecting (yes/no)?" type yes and press Enter. Simply pressing Enter without typing yes will not add the key.
ssh -T [email protected]
# The authenticity of host 'github.com (...)' can't be established.
# ED25519 key fingerprint is SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU.
# Are you sure you want to continue connecting (yes/no/[fingerprint])? yesVerify the fingerprint matches the official one published by your Git hosting provider before accepting.
For automated environments or if you want to add the key non-interactively:
# For GitHub
ssh-keyscan -t ed25519 github.com >> ~/.ssh/known_hosts
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
# For GitLab
ssh-keyscan -t ed25519 gitlab.com >> ~/.ssh/known_hosts
# For Bitbucket
ssh-keyscan -t ed25519 bitbucket.org >> ~/.ssh/known_hostsThis fetches and appends the server's current public key to your known_hosts file.
If the server's key has changed (after a legitimate key rotation), remove the old entry first:
# Remove the old key
ssh-keygen -R github.com
# Add the new key
ssh-keyscan -t ed25519 github.com >> ~/.ssh/known_hosts
# Test the connection
ssh -T [email protected]Only do this if you've verified the key change is legitimate (check official announcements from your Git hosting provider).
SSH requires specific permissions to trust its configuration files:
# Set correct permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/known_hosts
chmod 600 ~/.ssh/config
chmod 600 ~/.ssh/id_*
chmod 644 ~/.ssh/*.pub
# Verify ownership
ls -la ~/.sshThe .ssh directory should only be readable by you. Incorrect permissions cause SSH to ignore the known_hosts file.
If you can't resolve the SSH issue immediately, switch to HTTPS:
# Clone using HTTPS instead
git clone https://github.com/user/repo.git
# Change existing remote from SSH to HTTPS
git remote set-url origin https://github.com/user/repo.git
# Verify the change
git remote -vHTTPS uses different authentication (username/password or personal access token) and doesn't require SSH host key verification.
### CI/CD Environments
For automated pipelines, add host keys in your CI configuration:
GitHub Actions:
- name: Add SSH known hosts
run: |
mkdir -p ~/.ssh
ssh-keyscan github.com >> ~/.ssh/known_hostsGitLab CI:
before_script:
- mkdir -p ~/.ssh
- ssh-keyscan gitlab.com >> ~/.ssh/known_hostsJenkins:
Go to Manage Jenkins > Configure Global Security > Git Host Key Verification Configuration, and set the strategy appropriately.
### GitHub Key Rotation (March 2023)
GitHub rotated their RSA SSH host key on March 24, 2023. If you're seeing this error after that date with GitHub, you likely need to update your known_hosts file. GitHub published their new keys at https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
### Security Considerations
Never use StrictHostKeyChecking=no in production or on shared systems. While this bypasses the error, it completely disables host key verification and exposes you to man-in-the-middle attacks:
# DON'T do this in production!
ssh -o StrictHostKeyChecking=no [email protected]Instead, always verify host keys against official sources:
- GitHub: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
- GitLab: https://docs.gitlab.com/ee/user/gitlab_com/#ssh-host-keys-fingerprints
### Multiple Hosts with Same IP
If you have multiple git servers behind a load balancer or using the same IP, you may need to handle hostname aliasing in ~/.ssh/config:
Host github-work
HostName github.com
User git
IdentityFile ~/.ssh/id_workkex_exchange_identification: Connection closed by remote host
Connection closed by remote host when connecting to Git server
fatal: unable to access: Proxy auto-configuration failed
How to fix 'Proxy auto-configuration failed' in Git
fatal: unable to access: Authentication failed (proxy requires basic auth)
How to fix 'Authentication failed (proxy requires basic auth)' in Git
fatal: unable to access: no_proxy configuration not working
How to fix 'no_proxy configuration not working' in Git
fatal: unable to read tree object in treeless clone
How to fix 'unable to read tree object in treeless clone' in Git