How to Fix GitHub's "Remote Host Identification Has Changed" Issue in March 2023 For The Impatient
GitHub changed their RSA SSH Key - here's what to do
If you’re like me where sometimes you need to run commands manually to pull code from your Github repositories, you may see notices about GitHub RSA SSH keys in the command prompt recently.
This post will show you the two commands I used to resolve this issue. There will be no explanation in depth as I assume you just want to resolve it and move on with your life. Because we all got more important stuff to do.
Detailed explanations are available at the links I provide at the end for the curious and the time-rich.
⚠️ Important caveat ⚠️
I only tested this on Ubuntu OS. You may have to adapt the second command based on your OS. Another key assumption is that you know how to install the package jq
for the second command to work.
First Error: Remote Host Identification Has Changed!
When you attempt a git fetch
or git pull
from your Github repositories, you are likely to encounter this error message in your command line.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Please contact your system administrator.
Add correct host key in /var/www/.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/www/.ssh/known_hosts:17
remove with: ssh-keygen -f "/var/www/.ssh/known_hosts" -R github.com
RSA host key for github.com has changed and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
The fix for this is straight-forward and is actually provided in the notice itself.
Offending RSA key in /var/www/.ssh/known_hosts:17
remove with: ssh-keygen -f "/var/www/.ssh/known_hosts" -R github.com
So follow accordingly with ssh-keygen -f "/var/www/.ssh/known_hosts" -R github.com
Second Error: The authenticity of host 'github.com' can't be established
When you repeat the same git fetch
or git pull
command, thinking the issue resolved, it comes back in a different way.
The authenticity of host 'github.com (20.205.243.166)' can't be established.
ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com' (ECDSA) to the list of known hosts.
Warning: the ECDSA host key for 'github.com' differs from the key for the IP address '20.205.243.166'
Offending key for IP in /var/www/.ssh/known_hosts:14
Are you sure you want to continue connecting (yes/no)? yes
Connection closed by 20.205.243.166
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists
Choosing yes
for both questions still doesn’t work.
Here’s what you need to do.
Check you have jq installed and install it if you don’t
Run command that automatically update GitHub.com’s RSA SSH key in your
~/.ssh/known_hosts
Repeat same command that triggered notice
Check you have jq installed and install it if you don’t
Type jq
and if you don’t have it installed, the command prompt should tell you.
$ jq
The program 'jq' is currently not installed. You can install it by typing:
sudo apt-get install jq
Install it if you don’t
Run command to auto update Github’s RSA SSH key in your known_hosts
curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts
Repeat command that triggered notice
$ git pull
Warning: the ECDSA host key for 'github.com' differs from the key for the IP address '20.205.243.166'
Offending key for IP in /var/www/.ssh/known_hosts:14
Matching host key in /var/www/.ssh/known_hosts:22
Are you sure you want to continue connecting (yes/no)? yes
remote: Enumerating objects: 21, done.
remote: Counting objects: 100% (21/21), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 11 (delta 9), reused 11 (delta 9), pack-reused 0
Unpacking objects: 100% (11/11), done.
From github.com:YourUserName/YourRepo
81e3dcf..004c81d main -> origin/main
HEAD is now at 004c81d ✨New feature!
This time, things should work after you replied yes to continue connecting once.
Useful Links
The community discussion where people shared their thoughts on this issue https://github.com/orgs/community/discussions/50878
The Github post that announced the update of the RSA key and included the details about the commands that worked. https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
A useful command when you still face questions about offending keys in your ssh/known_hosts file is to remove at a specific line to use
sed -i '10d' ~/.ssh/known_hosts
where this command removes at the 10th line of ~/.ssh/known_hosts