This warning appears when SSH detects that a remote server's host key has changed since you last connected to it. The offending key is stored in your known_hosts file, and SSH refuses to connect until you remove or update the old key entry.
SSH maintains a file (~/.ssh/known_hosts) that stores the public host keys of servers you've connected to. This prevents man-in-the-middle attacks by verifying that the server you're connecting to is the same one you previously trusted. When the warning "Offending RSA key in known_hosts" appears, it means the server's current host key doesn't match what's stored in your known_hosts file. This typically happens because the server was reinstalled, SSH was upgraded on the server, the host key was manually regenerated, or you're connecting to a different server on the same IP address. SSH refuses to connect automatically and requires you to remove the old key before proceeding.
Before removing any keys, confirm that the server actually changed. Contact your system administrator or check your deployment logs if you deployed a new server instance. This prevents accepting keys from a compromised server during a man-in-the-middle attack.
If you just rebuilt the server yourself, this is expected behavior and safe to proceed.
Use the ssh-keygen -R command to automatically remove the old key from your known_hosts file:
ssh-keygen -R hostname.example.com
Or if using an IP address:
ssh-keygen -R 192.168.1.100
The removed key is automatically backed up to ~/.ssh/known_hosts.old for safety. This command removes all entries for that hostname or IP from known_hosts.
If you prefer to manually edit the file, open it with your editor:
nano ~/.ssh/known_hosts
Find the line number mentioned in the error message and delete it. For example, if the error says "line 15", delete line 15. Save and exit.
Alternatively, use sed to remove a specific line number (replace 15 with your line number):
sed -i '15d' ~/.ssh/known_hosts
Try connecting again using SSH:
SSH will now ask you to verify and accept the new host key. Carefully examine the fingerprint shown and confirm it matches what you expect (consult your server provider or administrator if unsure). Type 'yes' to accept and add the new key to known_hosts.
The output will show:
The authenticity of host 'hostname.example.com' can't be established.
ED25519 key fingerprint is SHA256:...
Are you sure you want to continue connecting (yes/no/[fingerprint])?
After accepting the new key, confirm it's in your known_hosts file:
grep hostname.example.com ~/.ssh/known_hosts
You should see one line with the new key. If your client stores hashed hostnames (HashKnownHosts yes), grep will not find the entry; look it up with ssh-keygen -F hostname.example.com instead. If you see multiple entries for the same host, use ssh-keygen -R again and reconnect to clean it up.
You can also inspect the key fingerprint at any time with:
ssh-keygen -l -f ~/.ssh/known_hosts -F hostname.example.com
Advanced troubleshooting:
Clearing all known_hosts: If you have many servers and want to start fresh, you can remove the entire file (not recommended for production):
rm ~/.ssh/known_hosts
You'll be prompted to accept keys for each server on next connection.
Automated deployment scenarios: In CI/CD pipelines or scripts, use the -o StrictHostKeyChecking=accept-new option to automatically accept new keys without user interaction:
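ssh -o StrictHostKeyChecking=accept-new [email protected]
This is safe only if you control the server and network. Note that accept-new only adds keys for hosts that are not yet in known_hosts; a host whose stored key has changed is still refused, so the old entry must be removed first.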
Finding multiple entries for the same host: Sometimes known_hosts contains both hostname and IP entries for the same server. Remove both:
ssh-keygen -R hostname.example.com
ssh-keygen -R 192.168.1.100
SSH key algorithms: Older SSH servers may use RSA-only keys, while newer systems prefer ED25519 or ECDSA. If connecting to legacy systems, make sure your SSH client supports RSA keys (some newer systems have disabled RSA by default).
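The fingerprint check and the known_hosts lookup from the steps above, as an added Python example that is not part of the original article: it shows how the SHA256 fingerprint shown at the prompt is derived from the key blob, and finds both plain and hashed entries for a host. The key blobs, salt and file contents are constructed sample data, the function names are illustrative, and only exact hostnames are matched (no wildcards or [host]:port patterns).

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    """SHA256:... as ssh prints it: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match field 1 of a known_hosts line: plain 'a,b' list or hashed '|1|salt|mac'."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return host in field.split(",")

def entries_for(known_hosts, host):
    """Return (line_number, key_type, fingerprint) for every entry naming host."""
    found = []
    for n, line in enumerate(known_hosts.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0][0] in "#@":
            continue  # blanks, comments, @cert-authority / @revoked markers
        if host_matches(parts[0], host):
            found.append((n, parts[1], fingerprint(parts[2])))
    return found

def key_is_expected(offered_line, trusted_fp):
    """True only if the offered key hashes to the fingerprint obtained out of band."""
    return hmac.compare_digest(fingerprint(offered_line.split()[2]), trusted_fp)

# --- constructed sample data: these are not real host keys ---
def _blob(seed):
    body = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(body).decode()
def _hashed(host, salt):
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

OLD, NEW = _blob(b"old"), _blob(b"new")
KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "hostname.example.com,192.168.1.100 ssh-ed25519 " + OLD,
    _hashed("hostname.example.com", b"constructed-salt-20b") + " ssh-ed25519 " + OLD,
    "other.example.com ssh-ed25519 " + NEW])

if __name__ == "__main__":
    for n, ktype, fp in entries_for(KNOWN_HOSTS, "hostname.example.com"):
        print(f"stale entry on line {n}: {ktype} {fp}")
    trusted = fingerprint(NEW)  # stands in for the value your administrator gave you
    print("replace key:", key_is_expected("hostname.example.com ssh-ed25519 " + NEW, trusted))
```

The hashed entry on line 3 of the sample is the kind a plain grep for the hostname misses, which is why a stale key can survive a manual cleanup.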