All Products
Document Center

:The system prompts "Host key verification failed" when logging on to the ECS instance over SSH

Last Updated:May 20, 2022

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

Problem description

  • When you log on to a Linux instance through SSH, the following error message is displayed, causing the Linux instance to fail to be connected.
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    AE: 6e: 68: 4c: 97: a6: 91: 81: 11: 38: 8d: 64: ff: 92: 13: 50.
    Please contact your system administrator.
    Add correct host key in /root/.ssh/known_hosts to get rid of this message.
    Offending key in /root/.ssh/known_hosts:70
    RSA host key for x. x has changed and you have requested strict checking.
    Host key verification failed.
  • For a Windows client, the following error message is displayed when you connect to a common SSH client.
    X. X (Port: XX) does not match the host key saved in the local host key database. The host key has been changed or someone is trying to listen to the connection. If you are not sure, we recommend that you cancel the connection.


Linux instances have been reinstalled, and their SSH public key has been changed due to account information changes. As a result, the public key fingerprint stored on the client is inconsistent with that on the server. As a result, the SSH authentication fails and logon is denied.


The Linux configurations and descriptions in this article have been tested in the CentOS 6.5 64-bit operating system. The configurations of other operating systems may be different. For more information, see the official documentation of the operating system.

The client runs in Windows.

If the client is in a Windows environment and uses an SSH client Putty To connect to a Windows instance, follow these steps.

  1. Start Putty.
  2. On the logon page, click Delete To delete the logon session. 
  3. Log on to the instance again with the username and password and confirm that the new public key fingerprint is saved.
    Note: You can also click Receive and save To allow the program to automatically update the key fingerprint information, you can successfully log on to the instance.

The client runs in Linux.

If the client runs in Linux, follow these steps.

  1. Run the following command to access the external_hosts file of the corresponding account.
    vi ~/.ssh/known_hosts
  2. Press the i key to enter the editing mode.
  3. Delete the entry corresponding to the Linux instance IP, as shown in the following figure.
  4. Enter :wq, save and exit.
  5. Reconnect to the Linux instance and confirm that the new public key fingerprint is saved before you can log on.


The public key is usually long and takes up to 1024 bits by using the RSA algorithm. To simplify the process, a 128-bit string is generated by calculating the MD5 value of the public key for information comparison, which is called the public key fingerprint.


If the problem persists, refer to the following documents for further troubleshooting and analysis.

Application scope

  • ECS