This error occurs when SSH detects a mismatch between the host key stored locally and the key presented by the remote server. It typically happens after server reinstallation, key rotation, or network configuration changes. You can fix this by removing the old key from your known_hosts file.
SSH uses host key verification to ensure you're connecting to the intended server and not being victim to a man-in-the-middle attack. When SSH detects that the host key doesn't match what's stored in your ~/.ssh/known_hosts file, it refuses the connection and warns you about the change. This is a security feature designed to protect you from impersonation attacks, but it can also occur legitimately when a server is reinstalled, upgraded, or its SSH keys are regenerated.
Before proceeding, contact your server administrator or check internal documentation to confirm that the host key change is expected. If you didn't authorize the change and don't have a good reason for it, do not continue—this could indicate a security breach.
Use the ssh-keygen command to remove the old key for the affected server. Replace 'hostname' or '192.168.1.100' with your actual hostname or IP address:
ssh-keygen -R hostname
# or
ssh-keygen -R 192.168.1.100This command removes all keys belonging to that hostname from your ~/.ssh/known_hosts file. It works even if the entries are hashed for privacy.
Try connecting to the server again using your normal SSH command:
ssh user@hostnameSSH will now prompt you about the new host key fingerprint.
When prompted with a message like "Are you sure you want to continue connecting?", carefully review the host key fingerprint if you have a way to verify it, then type 'yes' and press Enter. This adds the new key to your known_hosts file and allows the connection to proceed.
After accepting the new key, you should be able to log in successfully. Test a few SSH operations to ensure everything is working correctly:
ssh user@hostname 'echo Connection successful'If you have a hashed known_hosts file (entries appear as '|1|...' instead of plain hostnames), ssh-keygen -R still works correctly. For CI/CD pipelines or automated deployments, you may need to handle this error by disabling strict host key checking temporarily with ssh -o StrictHostKeyChecking=accept-new, but use caution and verify the server change first. Some organizations use SSH fingerprint verification tools or scripts to validate key changes before accepting them automatically. For servers behind load balancers or with dynamic IP addresses, consider using SSH jump hosts or bastion servers with stable keys instead.
Load key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH
Connection closed by UNKNOWN port 65535
How to fix 'Connection closed by UNKNOWN port 65535' in SSH
Offending ECDSA key in /home/user/.ssh/known_hosts:line
How to fix "Offending ECDSA key in known_hosts" in SSH