The authenticity of host can't be established - Not new machine or SSH key

Posted September 27, 2019 13.8k views
Linux BasicsSecurityDigitalOcean

Hi folks, I am getting a “The authenticity of host can’t be established” error when I try to ssh into my droplet. I'be searched and found answers saying that this is standard for NEW machines, but I have been logging into this droplet, at this ip address, from this same desktop, using this ssh key, for several months. So I’m curious what this means that this is happening now, whether I should be concerned about security here, and what I should do to get connected again.

To my knowledge, I haven’t made any changes to the droplet or to my ssh setup in between this change occurring.

Here is the exact output, anonymised slightly.

The authenticity of host 'my_ip_address (my_ip_address)' can't be established.
ECDSA key fingerprint is SHA256:string_of_letters_and_numbers.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
1 comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
3 answers

So this is for any other person having the same issue.
It’s quite straightforward:

When this prompt is returned, it’s simply saying it doesn’t recognise this ip address i.e. it’s not part of your known_host.

Copy the key provided here
ECDSA key fingerprint is SHA256:stringoflettersandnumbers.

And paste it where it’s asking for yes or no or fingerprint
Are you sure you want to continue connecting (yes/no/[fingerprint])? SHA256:stringoflettersandnumbers.

And hit enter. This will add the ip address to known_host then you can ssh into it, with cmd or bash or vscode remote ssh functionality

Hello, @alex11

Can you check if the ssh key is not changed in the Digital Ocean control panel by any chance?

If you’re seeing this message, then either the server has been reconfigured with a new key, or someone is spoofing the server’s identity. Due to the seriousness of a man-in-the-middle attack, it’s warning you about the possibility.

Let me know how it goes.

Hi @ageorgiev - thanks for the info -

The ssh key doesn’t seem to be changed in the DigitalOcean control panel afaict - I found two public keys, with names I remember uploading, in the Security panel of my Account section in the control panel. The fingerprints of those public keys match the fingerprints of the keys on my machine I’m trying to connect from.

In the message I quoted above, when it gives me

ECDSA key fingerprint is SHA256:string_of_letters_and_numbers.

the fingerprint given there does not match any of my keys, if that is relevant.

FWIW the “Security History” section on my console only shows logins to the console from my home ip address, going back to when the account was created.

I’m very curious about any thoughts about what I should look at next