How to remove an SSH host key from known_hosts (Windows)

If you see this error when connecting via SSH:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Host key for [host]:port has changed and you have requested strict checking.
Offending key in C:\Users\<you>\.ssh\known_hosts:<line>

it means the saved host key in your known_hosts file no longer matches the server. This can be benign (server rebuilt) or dangerous (man‑in‑the‑middle). Verify the new fingerprint with your administrator before trusting it.

Quick fix

  • Remove the old key for a host with a custom port (note the brackets):
    • PowerShell:
      • ssh-keygen -R "[HOST]:PORT"
      • Example: ssh-keygen -R "[162.128.177.45]:30952"
  • Verify it’s gone:
    • ssh-keygen -F "[HOST]:PORT"
  • Retry your SSH connection; you’ll be prompted to trust the new host key.

Full steps (PowerShell)

  1. Identify your known_hosts file
  • User file: %USERPROFILE%\.ssh\known_hosts (e.g., C:\Users\Andre\.ssh\known_hosts)
  • System file (rarely used): C:\ProgramData\ssh\ssh_known_hosts
  2. Remove all variants for the target
  • By host:port (most common when a non‑default port is used):
    • ssh-keygen -R "[HOST]:PORT"
  • Also remove unbracketed host (just in case):
    • ssh-keygen -R HOST
  • If you previously connected using an SSH alias (like myserver), remove that too:
    • ssh-keygen -R myserver
  3. Verify removal
  • ssh-keygen -F "[HOST]:PORT"
  • ssh-keygen -F HOST
  • ssh-keygen -F myserver
  4. Optionally pre‑add the correct key (non‑interactive flows)
  • After you verify the fingerprint out‑of‑band, you can pre‑add it:
    • ssh-keyscan -p PORT HOST | Out-File -Append -Encoding ascii $env:USERPROFILE\.ssh\known_hosts
    • Example: ssh-keyscan -p 30952 162.128.177.45 | Out-File -Append -Encoding ascii $env:USERPROFILE\.ssh\known_hosts
  • For custom ports, OpenSSH expects the bracketed form in known_hosts. If ssh-keyscan outputs HOST …, rewrite the first field to [HOST]:PORT before appending, or just let the first successful connection add it.
  5. Manual edit (alternative)
  • Open the file and delete the offending line reported by SSH:
    • notepad $env:USERPROFILE\.ssh\known_hosts
  • Save and reconnect.

Aliases, jump hosts, and custom files

  • SSH alias names: If you connect using an alias from ~/.ssh/config, OpenSSH may save the alias as the first field in known_hosts. Remove both the alias and the real host:port.
  • ProxyJump / bastion: If you use a jump host (e.g., ProxyJump bastion), you might also need to clear the bastion’s key: ssh-keygen -R bastion and/or ssh-keygen -R BASTION_IP.
  • Custom known_hosts path: A tool can override the path via UserKnownHostsFile. Check ~/.ssh/config and the tool’s settings; remove or update the key in that file if it differs from the default.
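
The following PowerShell script is an added example written for this page (not code from the original article or from OpenSSH) that combines the "remove all variants" and "verify removal" steps with the alias and custom-path cases above. It assumes the default user known_hosts file unless you pass -KnownHosts; the host, port and alias values are placeholders you supply on the command line.

```powershell
# Added example: remove every known_hosts entry OpenSSH may have stored for one
# server (bracketed [host]:port, bare host, and any aliases), then confirm that
# nothing is left. Save as Remove-KnownHost.ps1 and run, for instance:
#   .\Remove-KnownHost.ps1 -TargetHost 162.128.177.45 -Port 30952 -Alias myserver
param(
    [Parameter(Mandatory)][string]$TargetHost,                  # IP or DNS name
    [int]$Port = 22,                                            # non-default ports need brackets
    [string[]]$Alias = @(),                                     # names from ~/.ssh/config
    [string]$KnownHosts = "$env:USERPROFILE\.ssh\known_hosts"   # or a UserKnownHostsFile path
)

if (-not (Test-Path $KnownHosts)) {
    throw "known_hosts file not found: $KnownHosts"
}

# First-field variants OpenSSH writes: [host]:port for a custom port,
# the bare host for port 22, and the alias when one was used to connect.
$names = @($TargetHost) + $Alias
if ($Port -ne 22) { $names = @("[${TargetHost}]:${Port}") + $names }

foreach ($n in $names) {
    # ssh-keygen -R deletes matching lines (hashed entries included) and keeps
    # a backup of the previous contents in known_hosts.old next to the file.
    & ssh-keygen -f $KnownHosts -R $n
}

# Verify: ssh-keygen -F prints any matching line and exits 0 when a match
# exists; it prints nothing and exits 1 when the name is no longer present.
$leftover = @()
foreach ($n in $names) {
    $hits = & ssh-keygen -f $KnownHosts -F $n
    if ($LASTEXITCODE -eq 0 -and $hits) { $leftover += $n }
}

if ($leftover.Count -eq 0) {
    Write-Host "Removed all stored keys for: $($names -join ', ')"
} else {
    Write-Warning "Entries still present in ${KnownHosts}: $($leftover -join ', ')"
}
```

After a clean run, the next connection prompts you to trust the server's key; compare the fingerprint it shows with the one your administrator gave you before answering yes.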

Troubleshooting

  • Confirm the port is reachable:
    • Test-NetConnection HOST -Port PORT
  • Show the server’s current ED25519 fingerprint (for comparison only—verify out‑of‑band):
    • ssh-keyscan -p PORT -t ed25519 HOST | ssh-keygen -l -E sha256 -f -
  • If ssh-keyscan returns nothing, the server or firewall might be blocking probes; try connecting normally and accept the prompt after verifying the fingerprint with your admin.

Copy‑paste examples

  • Remove old keys and verify:
ssh-keygen -R "[162.128.177.45]:30952"
ssh-keygen -F "[162.128.177.45]:30952"
  • Pre‑add (after verifying the fingerprint):
ssh-keyscan -p 30952 162.128.177.45 | Out-File -Append -Encoding ascii $env:USERPROFILE\.ssh\known_hosts