How to Fix SSH Host Key Verification Failed
Resolve SSH host key verification failures safely by checking whether a server was rebuilt, its address changed, or the connection may be intercepted.
SSH stores a fingerprint for each server in known_hosts. A verification failure means the current server key does not match the saved identity, or SSH cannot validate a new host under the active policy.
Do not immediately delete known_hosts. A changed key can be expected after a rebuild, but it can also indicate DNS manipulation or a man-in-the-middle attack.
Read the exact warning
Reconnect with verbose logging:
ssh -vvv user@example.com
Note the hostname, resolved IP address, key algorithm, fingerprint, and offending known_hosts line shown in the warning.
Verify the new fingerprint
Use a trusted path such as the cloud console, physical console, or your infrastructure inventory. On the server:
sudo ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
Compare that fingerprint with the one shown by your SSH client. Do not verify it through the same potentially compromised SSH connection.
Remove only the obsolete entry
After independently confirming the new key, remove the specific host entry:
ssh-keygen -R example.com
ssh-keygen -R 203.0.113.10
If the server uses a custom port:
ssh-keygen -R '[example.com]:2222'
Reconnect and verify the displayed fingerprint before accepting it.
Check aliases and reused addresses
The same server may be saved under a hostname, IP address, SSH alias, or jump-host route. Conversely, a recycled cloud IP may now belong to a different machine. Inspect the effective configuration:
ssh -G example.com | grep -E '^(hostname|port|proxyjump|user) '
Diagnose it with Rumus
Rumus is an AI-native terminal that connects to your real SSH hosts and understands the active connection context. It can inspect SSH configuration, identities, network paths, and server logs instead of guessing from an isolated chat.
What Rumus can inspect
- SSH config, keys, and effective connection settings
- Jump hosts, proxies, ports, and network reachability
- Server authentication logs and file permissions
Ask Rumus to gather evidence without accepting a new key automatically:
Investigate this SSH host key verification failure. Show the effective host,
resolved IP, saved known_hosts entries, and presented fingerprint. Do not remove
or replace any key until I confirm the server fingerprint through a trusted path.
Confirm the fix
After the verified key is stored, reconnect:
ssh user@example.com
The warning should disappear. Keep strict host key checking enabled; disabling it globally removes an important SSH security guarantee.
Open the server in Rumus and let the AI agent inspect context, propose a plan, and ask before it runs changes.