SSH

How to Fix SSH Host Key Verification Failed

Resolve SSH host key verification failures safely by checking whether a server was rebuilt, its address changed, or the connection may be intercepted.

Updated 2026-07-122 min read

SSH stores a fingerprint for each server in known_hosts. A verification failure means the current server key does not match the saved identity, or SSH cannot validate a new host under the active policy.

Do not immediately delete known_hosts. A changed key can be expected after a rebuild, but it can also indicate DNS manipulation or a man-in-the-middle attack.

Read the exact warning

Reconnect with verbose logging:

ssh -vvv user@example.com

Note the hostname, resolved IP address, key algorithm, fingerprint, and offending known_hosts line shown in the warning.

Verify the new fingerprint

Use a trusted path such as the cloud console, physical console, or your infrastructure inventory. On the server:

sudo ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub

Compare that fingerprint with the one shown by your SSH client. Do not verify it through the same potentially compromised SSH connection.

Remove only the obsolete entry

After independently confirming the new key, remove the specific host entry:

ssh-keygen -R example.com
ssh-keygen -R 203.0.113.10

If the server uses a custom port:

ssh-keygen -R '[example.com]:2222'

Reconnect and verify the displayed fingerprint before accepting it.

Check aliases and reused addresses

The same server may be saved under a hostname, IP address, SSH alias, or jump-host route. Conversely, a recycled cloud IP may now belong to a different machine. Inspect the effective configuration:

ssh -G example.com | grep -E '^(hostname|port|proxyjump|user) '

Diagnose it with Rumus

AI-native terminal Commands require your approval
Why use Rumus for this diagnosis?

Rumus is an AI-native terminal that connects to your real SSH hosts and understands the active connection context. It can inspect SSH configuration, identities, network paths, and server logs instead of guessing from an isolated chat.

What Rumus can inspect

  • SSH config, keys, and effective connection settings
  • Jump hosts, proxies, ports, and network reachability
  • Server authentication logs and file permissions
Download Rumus

Ask Rumus to gather evidence without accepting a new key automatically:

Investigate this SSH host key verification failure. Show the effective host,
resolved IP, saved known_hosts entries, and presented fingerprint. Do not remove
or replace any key until I confirm the server fingerprint through a trusted path.

Confirm the fix

After the verified key is stored, reconnect:

ssh user@example.com

The warning should disappear. Keep strict host key checking enabled; disabling it globally removes an important SSH security guarantee.

Diagnose the real environment

Open the server in Rumus and let the AI agent inspect context, propose a plan, and ask before it runs changes.

Download Rumus