# ssh: how to remove conflicting host keys for a hostname



## everypot (Jul 2, 2010)

I'm using FreeBSD 8. The remote server I try to log in to often gives me messages about conflicting host keys:

```
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
```

It seems that the server is composed of a group of machines. I get connected to one of them each time I log in. Since ssh uses a verification procedure involving each system's unique "host key", the host keys are different each time I try to log in. The solution I found is to manually delete the entry in /.ssh/known_hosts related to this hostname. Is there an automatic way to do this? Or is it possible to tell FreeBSD not to write the host key into known_hosts for this hostname in advance?


----------



## anomie (Jul 2, 2010)

everypot said:

> It seems that the server is composed of a group of machines. I get connected to one of them each time I log in. Since ssh uses a verification procedure involving each system's unique "host key", the host keys are different each time I try to log in. The solution I found is to manually delete the entry in /.ssh/known_hosts related to this hostname.



It's not a good idea to actively subvert a built-in security mechanism. (i.e. It is there for a reason.) 

Who maintains the group of servers? It does not sound like they've deployed things correctly. AFAIK, they could resolve the immediate problem by using the same host keys on each server that's in the cluster group you're connecting to. (But I don't know for sure. Depends on implementation.)


----------



## fwaggle (Jul 3, 2010)

I'm with anomie - though there exists a feature to disable this behavior (I thought about posting the configuration option, but it's in the manual, and I'm afraid posting it will only encourage stupidity), it's strongly not recommended and opens you up to all manner of man-in-the-middle attacks.

The fix is deploying the group of ssh daemons to act sanely - either make them share a key, or you ssh into a particular machine by a hostname only it responds to... I'd go with the second option.


----------



## everypot (Jul 6, 2010)

Thanks everyone. I asked the server administrator. He said the cluster is indeed composed of several servers. And he gave me the host name of each individual machine.


----------
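The following is an added example, not code posted by anyone in this thread. It is a simplified model of the comparison ssh makes against known_hosts, showing why a shared name in front of several machines produces the warning while per-machine hostnames do not. The hostnames, the address and the key blobs are constructed placeholders, and the function names are this example's own.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64):
    """SHA256 fingerprint as ssh-keygen -l prints it (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern, host):
    """Match a known_hosts name: plain, or hashed as |1|salt|HMAC-SHA1(salt, host)."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return pattern == host  # wildcard and negated patterns are not handled here

def check_host_key(known_hosts, host, keytype, key_b64):
    """Return 'match', 'changed' (a pinned key of this type differs) or 'unknown'."""
    pinned = set()
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments, short lines and @cert-authority/@revoked markers.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        names, ktype, blob = fields[:3]
        if ktype == keytype and any(host_matches(n, host) for n in names.split(",")):
            pinned.add(fingerprint(blob))
    if not pinned:
        return "unknown"
    return "match" if fingerprint(key_b64) in pinned else "changed"

def dummy_key(seed):
    """Constructed stand-in for an ssh-ed25519 public key blob (not a real key)."""
    parts = (b"ssh-ed25519", hashlib.sha256(seed).digest())
    return base64.b64encode(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).decode()

NODE1, NODE2 = dummy_key(b"node1"), dummy_key(b"node2")
# Constructed known_hosts content; every hostname is a placeholder.
KNOWN_HOSTS = f"""cluster.example.org ssh-ed25519 {NODE1}
node1.example.org,192.0.2.11 ssh-ed25519 {NODE1}
node2.example.org ssh-ed25519 {NODE2}
"""

if __name__ == "__main__":
    # The shared name lands on node2 this time, so the pinned key no longer matches.
    print(check_host_key(KNOWN_HOSTS, "cluster.example.org", "ssh-ed25519", NODE2))
    # The same machine reached by its own hostname matches its own pinned key.
    print(check_host_key(KNOWN_HOSTS, "node2.example.org", "ssh-ed25519", NODE2))
```

The fingerprints it computes are in the same form `ssh-keygen -l` prints, so they can be compared with fingerprints the server administrator supplies for each machine.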

