SSH Connection Error “Host key verification failed”
This tutorial shows how to resolve the SSH connection error “Host key verification failed”. The walkthrough uses the standard Ubuntu Docker image.
In the example below, I took the standard Ubuntu Docker image, made the changes required for SSH connections (i.e., set up an SSHd service in a container), and saved a copy of the image as “sneppets/ubuntu_sshd_example”, as shown.
Then I started the SSHd daemon with the docker run command and used docker ps to check which host port the container’s port 22 is mapped to (here it’s 2222).
```
# STEP 1: Setup SSHd service and create snapshot "sneppets/ubuntu_sshd_example"
$ docker images
REPOSITORY                     TAG       IMAGE ID       CREATED        SIZE
ubuntu                         latest    1e4467b07108   10 days ago    73.9MB
sneppets/ubuntu_sshd_example   latest    0a21dffc24ce   3 months ago   208MB

# STEP 2: run SSHd daemon using the docker run command
$ docker run -d -p 2222:22 sneppets/ubuntu_sshd_example /usr/sbin/sshd -D
b7d215f2cc8102bb60bf44812f594fdc19cb3700ba7e686d2f7de2552b64050e

# STEP 3: Check what port
$ docker ps -a
CONTAINER ID   IMAGE                          COMMAND               CREATED         STATUS                       PORTS                  NAMES
b7d215f2cc81   sneppets/ubuntu_sshd_example   "/usr/sbin/sshd -D"   3 seconds ago   Up 2 seconds                 0.0.0.0:2222->22/tcp   blissful_thompson
35ba71c25abd   ubuntu                         "bash"                2 minutes ago   Exited (127) 2 minutes ago                          nervous_swartz
```
Finally, I tried to SSH in as the admin user (note: while setting up the SSHd service I added the user “admin” and set up permissions for it) on localhost or the container’s IP address, port 2222. This resulted in the SSH connection error ‘Host key verification failed’, as shown below.
```
$ ssh admin@localhost -p 2222
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:MbQCWSQo+MSCL1G0YZqCYlryZv0cyWUNWFaV/swTgKQ.
Please contact your system administrator.
Add correct host key in /home/sneppets/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/sneppets/.ssh/known_hosts:3
  remove with:
  ssh-keygen -f "/home/sneppets/.ssh/known_hosts" -R "[localhost]:2222"
ECDSA host key for [localhost]:2222 has changed and you have requested strict checking.
Host key verification failed.
```
Solution for ‘Host key verification failed’
The output above makes it clear that ‘Host key verification failed’ means the host key presented by the remote host has changed and no longer matches the one recorded for it.
The SSH client stores the host keys of remote hosts in known_hosts. To get rid of this error, you need to fix the host key entry in known_hosts. As the warning itself notes, a changed key can also indicate a man-in-the-middle, so do this only when you know why the key changed. Remove the old key using the command suggested in the output:
```
remove with:
ssh-keygen -f "/home/sneppets/.ssh/known_hosts" -R "[localhost]:2222"
```
Running the following command removes the outdated host key found in known_hosts.
```
$ ssh-keygen -f "/home/nithip2016/.ssh/known_hosts" -R "[localhost]:2222"
# Host [localhost]:2222 found: line 3
/home/nithip2016/.ssh/known_hosts updated.
Original contents retained as /home/nithip2016/.ssh/known_hosts.old
```
Now, let’s try SSH as admin on the localhost or container’s IP address on port 2222.
```
$ ssh admin@localhost -p 2222
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
ECDSA key fingerprint is SHA256:MbQCWSQo+MSCL1G0YZqCYlryZv0cyWUNWFaV/swTgKQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
admin@localhost's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.19.112+ x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Wed Apr 8 14:00:50 2020 from 172.18.0.1
admin@b7d215f2cc81:~$
```
The error is gone! Hope it helped! 🙂
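The "yes" answer above trusts whatever key the endpoint on port 2222 presents. The script below is an added example, not part of the original tutorial: it reads the host key from inside the container with `docker exec`, compares it with what `ssh-keyscan` sees on the mapped port, and replaces the known_hosts entry only when the two match. The function names, the key path `/etc/ssh/ssh_host_ecdsa_key.pub` and the sample key blobs are assumptions.

```bash
# Added example, not from the original tutorial. Container name, key path and
# known_hosts location are assumptions; the sample blobs are constructed.

# verified_entry TRUSTED_PUB SCANNED
#   TRUSTED_PUB: "type base64 [comment]", read over a trusted channel
#   SCANNED:     ssh-keyscan output, "host type base64" per line
# Prints the scanned line whose type and key match the trusted copy and
# returns 0; prints nothing and returns 1 when the endpoint's key differs.
verified_entry() {
    want=$(awk '!/^#/ && NF >= 2 { print $1 " " $2; exit }' "$1")
    [ -n "$want" ] || return 1
    awk -v want="$want" '
        !/^#/ && ($2 " " $3) == want { print $1, $2, $3; found = 1; exit }
        END { exit !found }' "$2"
}

# Replace the stale known_hosts entry only after the key has been verified.
pin_container_key() {
    container=$1 port=$2 known_hosts=${3:-$HOME/.ssh/known_hosts}
    tmp=$(mktemp -d) || return 1
    # Trusted channel: the Docker daemon reads the key inside the container.
    docker exec "$container" cat /etc/ssh/ssh_host_ecdsa_key.pub > "$tmp/trusted"
    # Untrusted channel: the key the network endpoint actually presents.
    ssh-keyscan -p "$port" -t ecdsa localhost > "$tmp/scanned" 2>/dev/null
    if entry=$(verified_entry "$tmp/trusted" "$tmp/scanned"); then
        ssh-keygen -f "$known_hosts" -R "[localhost]:$port" >/dev/null 2>&1
        printf '%s\n' "$entry" >> "$known_hosts"
        rc=0
    else
        echo "host key on port $port does not match the container's key" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample (not real keys): one matching scan, one changed key.
demo() {
    d=$(mktemp -d) || return 1
    echo 'ecdsa-sha2-nistp256 AAAAconstructedBlobA= root@container' > "$d/trusted"
    echo '[localhost]:2222 ecdsa-sha2-nistp256 AAAAconstructedBlobA=' > "$d/same"
    echo '[localhost]:2222 ecdsa-sha2-nistp256 AAAAconstructedBlobB=' > "$d/changed"
    verified_entry "$d/trusted" "$d/same" && ! verified_entry "$d/trusted" "$d/changed"
    rc=$?; rm -rf "$d"; return "$rc"
}
```

For the container in this tutorial the call would be `pin_container_key b7d215f2cc81 2222`; after it succeeds, `ssh admin@localhost -p 2222` connects without the fingerprint prompt.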