Description: This article describes how to troubleshoot the SSH 'REMOTE HOST IDENTIFICATION HAS CHANGED' error.
An SSH connection from the client to the server prompts the 'REMOTE HOST IDENTIFICATION HAS CHANGED' error every hour, as shown below:
[user@hostname ~]$ ssh root@fortinet
WAD debugs on the FortiGate show the keys as untrusted, which results in the error being prompted every hour:
[I]2023-07-25 16:52:06.700628 [p:15623][s:2235956574] wad_ssh_auth_proxy_validate_hostkey:1475 Server host key: ECDSA fingerprint: SHA256:NHgtRHJtwmAnEHZyDdhcHBdk9SGLhpjskaIuS7tOP/8
Clearing the known hosts file on the client will resolve the issue. However, it is also necessary to add the server as a trusted host on the FortiGate and import the host key.
As an illustration, Linux Mint is used as the server, and the step below shows how to check the key on the server:
config firewall ssh host-key
Now, to update the fingerprint, clear the known hosts file on the client and initiate an SSH connection to the server.
After the changes, WAD debugs show the keys as trusted:
[I]2023-07-28 11:53:57.829723 [p:15623][s:2278497196] wad_ssh_stream_set_hostkey_status :887 c2p hostkey trusted, pass
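
Before importing a host key as trusted, it is worth confirming that the key on the server is the same key the FortiGate saw in the untrusted WAD debug line. The following is an added example, not Fortinet code: it assumes the WAD fingerprint is the standard OpenSSH SHA256 fingerprint of the public key blob, and the sample key is constructed (not the article's server key).

```python
import base64
import hashlib
import re
import struct

# Fingerprint field as it appears in the WAD debug line quoted in this article.
WAD_FP_RE = re.compile(
    r"Server host key: (\S+) fingerprint: (SHA256:[A-Za-z0-9+/]{43})(?!\S)")

def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed sample key (not a real host key): an ecdsa-sha2-nistp256 blob
# with a dummy 65-byte point, in the layout of /etc/ssh/ssh_host_ecdsa_key.pub.
_BLOB = (_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
         + _ssh_string(b"\x04" + bytes(range(64))))
SAMPLE_PUBKEY = "ecdsa-sha2-nistp256 " + base64.b64encode(_BLOB).decode() + " root@server"

def openssh_sha256_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of '<type> <base64-blob> [comment]', as unpadded
    base64 (the form ssh-keygen -l prints and the WAD line above shows)."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def wad_fingerprint(log_line: str):
    """Return (key_type, fingerprint) from a WAD debug line, or None."""
    m = WAD_FP_RE.search(log_line)
    return (m.group(1), m.group(2)) if m else None

def hostkey_matches(pubkey_line: str, log_line: str) -> bool:
    """True only if the key on disk is the key the FortiGate saw."""
    seen = wad_fingerprint(log_line)
    if seen is None:
        raise ValueError("no host key fingerprint in log line")
    return openssh_sha256_fingerprint(pubkey_line) == seen[1]

if __name__ == "__main__":
    wad_line = ("[I]2023-07-25 16:52:06.700628 [p:15623][s:2235956574] "
                "wad_ssh_auth_proxy_validate_hostkey:1475 Server host key: ECDSA "
                "fingerprint: SHA256:NHgtRHJtwmAnEHZyDdhcHBdk9SGLhpjskaIuS7tOP/8")
    print(openssh_sha256_fingerprint(SAMPLE_PUBKEY))
    # The constructed key is not the article's server key, so this is False.
    print(hostkey_matches(SAMPLE_PUBKEY, wad_line))
```

A mismatch between the server's own key file and the fingerprint in the WAD line means the key should not be imported as trusted until the difference is explained.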