{"id":16156,"date":"2024-11-12T14:27:22","date_gmt":"2024-11-12T19:27:22","guid":{"rendered":"https:\/\/carleton.ca\/scs\/?p=16156"},"modified":"2026-06-10T16:17:10","modified_gmt":"2026-06-10T20:17:10","slug":"ssh-key-exchange-errors","status":"publish","type":"post","link":"https:\/\/carleton.ca\/scs\/2024\/ssh-key-exchange-errors\/","title":{"rendered":"SSH Key Exchange Errors"},"content":{"rendered":"\n<section class=\"w-screen px-6 cu-section cu-section--white ml-offset-center md:px-8 lg:px-14\">\n    <div class=\"space-y-6 cu-max-w-child-5xl  md:space-y-10 cu-prose-first-last\">\n\n            <div class=\"cu-textmedia flex flex-col lg:flex-row mx-auto gap-6 md:gap-10 my-6 md:my-12 first:mt-0 max-w-5xl\">\n        <div class=\"justify-start cu-textmedia-content cu-prose-first-last\" style=\"flex: 0 0 100%;\">\n            <header class=\"font-light prose-xl cu-pageheader md:prose-2xl cu-component-updated cu-prose-first-last\">\n                                    <h1 class=\"cu-prose-first-last font-semibold !mt-2 mb-4 md:mb-6 relative after:absolute after:h-px after:bottom-0 after:bg-cu-red after:left-px text-3xl md:text-4xl lg:text-5xl lg:leading-[3.5rem] pb-5 after:w-10 text-cu-black-700 not-prose\">\n                        SSH Key Exchange Errors\n                    <\/h1>\n                \n                                \n                            <\/header>\n\n                    <\/div>\n\n            <\/div>\n\n    <\/div>\n<\/section>\n\n\n\n<p>Annually the SCS Linux Network hosts are upgraded, and the ssh-keys will no longer match. If you know that the server has been upgraded and your ssh-keys no longer match, then it will be safe to accept the new ssh key. <em>Your system administrator will be able to confirm if this is due to a legitimate server upgrade or if it is a &#8216;man in the middle attack&#8217;.<\/em><\/p>\n\n\n\n<section class=\"w-screen px-6 cu-section cu-section--white ml-offset-center md:px-8 lg:px-14\">\n    <div class=\"space-y-6 cu-max-w-child-5xl  md:space-y-10 cu-prose-first-last\">\n\n        \n    \n    <dl class=\"cu-description cu-component-updated\">\n        \n    <div class=\"grid pt-4 pb-3 border-b accordion border-cu-black-100 md:pt-6 md:pb-5 first:border-t\">\n        <dt class=\"font-semibold not-prose\">\n            <button class=\"flex items-center justify-between w-full text-left accordion__button\" aria-expanded=\"false\" aria-controls=\"accordion-putty-key-exchange-error\">\n                <span class=\"flex-1 ml-auto text-left break-words whitespace-normal cu-icon\">\n                    Putty Key Exchange Error\n                <\/span>\n                <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" fill=\"none\" viewbox=\"0 0 24 24\" stroke-width=\"1.5\" stroke=\"currentColor\" aria-hidden=\"true\" data-slot=\"icon\" class=\"w-5 h-5 ml-auto transition-transform rotate-0 accordion__icon text-cu-black-500\">\n                    <path stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M8.25 4.5l7.5 7.5-7.5 7.5\"><\/path>\n                <\/svg>\n            <\/button>\n        <\/dt>\n        <dd class=\"p-0 mt-0 cu-prose cu-prose-first-last accordion__content md:p-0 md:mt-0\" hidden=\"\" id=\"accordion-putty-key-exchange-error\">\n            \n\n<p>Putty key exchange error<br>The windows Putty-ssh error will look like this:<\/p>\n\n\n        <\/dd>\n    <\/div>\n\n\n    <div class=\"grid pt-4 pb-3 border-b accordion border-cu-black-100 md:pt-6 md:pb-5 first:border-t\">\n        <dt class=\"font-semibold not-prose\">\n            <button class=\"flex items-center justify-between w-full text-left accordion__button\" aria-expanded=\"false\" aria-controls=\"accordion-x2g0-key-exchange-error\">\n                <span class=\"flex-1 ml-auto text-left break-words whitespace-normal cu-icon\">\n                    x2g0 Key Exchange Error\n                <\/span>\n                <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" fill=\"none\" viewbox=\"0 0 24 24\" stroke-width=\"1.5\" stroke=\"currentColor\" aria-hidden=\"true\" data-slot=\"icon\" class=\"w-5 h-5 ml-auto transition-transform rotate-0 accordion__icon text-cu-black-500\">\n                    <path stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M8.25 4.5l7.5 7.5-7.5 7.5\"><\/path>\n                <\/svg>\n            <\/button>\n        <\/dt>\n        <dd class=\"p-0 mt-0 cu-prose cu-prose-first-last accordion__content md:p-0 md:mt-0\" hidden=\"\" id=\"accordion-x2g0-key-exchange-error\">\n            \n\n<p>x2go key exchange error<br>If you attempt to connect via x2go, the key exchange error will be as follows:<\/p>\n\n\n        <\/dd>\n    <\/div>\n\n\n    <\/dl>\n\n\n    <\/div>\n<\/section>\n\n\n\n<h2 id=\"linux-host-identification-has-changed-error\" class=\"wp-block-heading\"><a id=\"key-exchange-errors-linux\"><\/a>Linux: Host Identification has changed ERROR<\/h2>\n\n\n\n<p>In Linux, when a host has changed, it can generate the &#8216;host identification error&#8217; and the entry can be updated as follows:<br>\n<code>ssh-keygen -R &lt;user&gt;@&lt;hostname&gt;<\/code><br>\nWhere &lt;user&gt; is your username and &lt;hostname&gt; is your destination hostname.<\/p>\n\n\n\n<section class=\"w-screen px-6 cu-section cu-section--white ml-offset-center md:px-8 lg:px-14\">\n    <div class=\"space-y-6 cu-max-w-child-5xl  md:space-y-10 cu-prose-first-last\">\n\n        \n    \n    <dl class=\"cu-description cu-component-updated\">\n        \n    <div class=\"grid pt-4 pb-3 border-b accordion border-cu-black-100 md:pt-6 md:pb-5 first:border-t\">\n        <dt class=\"font-semibold not-prose\">\n            <button class=\"flex items-center justify-between w-full text-left accordion__button\" aria-expanded=\"false\" aria-controls=\"accordion-host-identification-changed-error-example\">\n                <span class=\"flex-1 ml-auto text-left break-words whitespace-normal cu-icon\">\n                    Host Identification Changed Error &#8211; Example\n                <\/span>\n                <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" fill=\"none\" viewbox=\"0 0 24 24\" stroke-width=\"1.5\" stroke=\"currentColor\" aria-hidden=\"true\" data-slot=\"icon\" class=\"w-5 h-5 ml-auto transition-transform rotate-0 accordion__icon text-cu-black-500\">\n                    <path stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M8.25 4.5l7.5 7.5-7.5 7.5\"><\/path>\n                <\/svg>\n            <\/button>\n        <\/dt>\n        <dd class=\"p-0 mt-0 cu-prose cu-prose-first-last accordion__content md:p-0 md:mt-0\" hidden=\"\" id=\"accordion-host-identification-changed-error-example\">\n            \n\n<p><strong>Example<\/strong>: <strong>Updating the host identification<\/strong><br>Here &lt;user&gt; <em>johndoe<\/em> is trying to connect to &lt;hostname&gt; <em>vmicron02<\/em>:<br><strong>First johndoe gets this error:<\/strong><br><code>[johndoe@access3 ~]$ ssh vmicron02<br>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br>@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @<br>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br>The ECDSA host key for vmicron02 has changed,<br>and the key for the corresponding IP address 134.117.xxx.xxx<br>is unchanged. This could either mean that<br>DNS SPOOFING is happening or the IP address for the host<br>and its host key have changed at the same time.<br>Offending key for IP in \/home\/johndoe\/.ssh\/known_hosts:27<br>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br>@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @<br>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br>IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!<br>Someone could be eavesdropping on you right now (man-in-the-middle attack)!<br>It is also possible that a host key has just been changed.<br>The fingerprint for the ECDSA key sent by the remote host is<br>SHA256:tw38tTL+JOMbEAR4Mer0ZA\/gPYp4sIcXq5KWoS8n4.<br>Please contact your system administrator.<br>Add correct host key in \/home\/johndoe\/.ssh\/known_hosts to get rid of this message.<br>Offending RSA key in \/home\/johndoe\/.ssh\/known_hosts:15<br>ECDSA host key for vmicron02 has changed and you have requested strict checking.<br>Host key verification failed.<br><\/code><br><strong>johndoe fixes the error by removing the hosts from the known_hosts file:<\/strong><br><code>[johndoe@access3 ~]$ ssh-keygen -R vmicron02<br># Host vmicron02 found: line 13<br># Host vmicron02 found: line 15<br>\/home\/johndoe\/.ssh\/known_hosts updated.<br>Original contents retained as \/home\/johndoe\/.ssh\/known_hosts.old<br><\/code><br><strong>johndoe next attempt to ssh should succeed (once they agree to add the <em>new<\/em> server to the known_hosts file):<\/strong><br><code>[johndoe@access3 ~]$ ssh vmicron02<br>The authenticity of host 'vmicron02 (134.117.xxx.xxx)' can't be established.<br>ECDSA key fingerprint is SHA256:tw38tTL+JOMMEAR4Mer0ZA\/gPYNp4sIcXq5KWS8n4.<br>ECDSA key fingerprint is MD5:a0:4:2c:43:a8:20:f:a1:d4:52:d1:52:11:e0:f5:e6.<br>Are you sure you want to continue connecting (yes\/no)? yes<br>Warning: Permanently added 'vmicron02' (ECDSA) to the list of known hosts.<br>johndoe@vmicron02's password:<br>Welcome to Ubuntu 20.04.1 LTS (GNU\/Linux 5.4.0-42-generic x86_64)<br>School of Computer Science<br>_____ _<br>\/ ___ \\ (_) www.scs.carleton.ca<br>| | | |____ _ ____ ____ ___ ____<br>| | | | \\| |\/ ___)\/ ___) _ \\| _ \\<br>| |___| | | | | ( (___| | | |_| | | | |<br>\\_____\/|_|_|_|_|\\____)_| \\___\/|_| |_|<br>L i n u x N e t w o r k<\/code><\/p>\n\n\n        <\/dd>\n    <\/div>\n\n\n    <\/dl>\n\n\n    <\/div>\n<\/section>\n\n\n\n<h2 id=\"no-matching-key-exchange-method-found-error\" class=\"wp-block-heading\"><a id=\"no-match\"><\/a>No matching key exchange method found ERROR<\/h2>\n\n\n\n<p>Some ssh clients may complain about: \u201c<strong>Unable to negotiate with 134.117.xxx.xxx port 22: no matching key exchange method found.\u201d&nbsp;<\/strong><\/p>\n\n\n\n<p>This is due to the destination server running an old ssh-cypher. Be aware that this may be an insecure connection as the cypher itself is no longer secure. You can try connecting as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -oKexAlgorithms=+diffie-hellman-group1-sha1<\/code><\/pre>\n\n\n\n<p>You may want to contact the system administrator to inform them of the outdated ssh-server.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Annually the SCS Linux Network hosts are upgraded, and the ssh-keys will no longer match. If you know that the server has been upgraded and your ssh-keys no longer match, then it will be safe to accept the new ssh key. Your system administrator will be able to confirm if this is due to a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[99],"tags":[],"class_list":["post-16156","post","type-post","status-publish","format-standard","hentry","category-ssh"],"acf":{"cu_post_thumbnail":""},"_links":{"self":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/posts\/16156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/comments?post=16156"}],"version-history":[{"count":2,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/posts\/16156\/revisions"}],"predecessor-version":[{"id":24778,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/posts\/16156\/revisions\/24778"}],"wp:attachment":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/media?parent=16156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/categories?post=16156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/tags?post=16156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}