The “authenticity of host can’t be established” error typically occurs the first time you attempt to connect to a server via SSH (Secure Shell). However, it may also indicate a serious issue. For example, someone may be impersonating the server’s identity.
Fortunately, there are different ways to fix the “authenticity of host can’t be established” error and ensure a smooth and secure connection. For instance, you may need to create a self-managed Certificate Authority (CA), upgrade your SSH software, or verify the remote host.
In this post, we’ll take a closer look at the “authenticity of host can’t be established” error. Then, we’ll run through some common causes and discuss eight simple fixes. Let’s get started!
What Is the “Authenticity of Host Can’t Be Established” Error?
“Authenticity of host can’t be established” is a common error that mainly occurs when using SSH (Secure Shell). Typically, you’re required to authenticate the SSH connection with a password.
However, you can also authenticate it using public-key cryptography. This involves generating an SSH key pair that consists of a public and private key. The private key remains on your own system while the public key gets copied to the system you’re connecting to.
More often than not, you’ll be presented with this error message the first time you connect to the server via SSH. This is because the SSH client isn’t familiar with the server.
If you trust the server, you can go ahead and dismiss the error. This action will put the SSH key in your known_hosts file. Then, each time you connect, you can compare the key you get from the host to the one in your known_hosts file to verify the server’s identity.
If you have connected to the server before, the “authenticity of host can’t be established” error suggests that the server has been reconfigured with a new key. However, this message can also indicate a problem.
For example, it might be the case that someone is impersonating the server’s identity and will be able to intercept any data that is sent via the connection. We’ll take a closer look at the main causes in the next section.
What Causes the “Authenticity of Host Can’t Be Established” Error?
There are multiple causes behind the “authenticity of host can’t be established” error. Here are some of the most common ones:
- The remote host’s public key has changed. While this typically means that the server has been updated, it can also indicate that the host has been compromised. In this instance, an attacker might be trying to impersonate the host.
- The client hasn’t connected to the remote host before. If this is the case, the SSH is not familiar with the server and may therefore return an error.
- Multiple host keys. A server can have multiple host keys such as ECDSA and RSA. If you’re using the wrong key, you might be presented with the error.
- The host’s key has been deleted or corrupted. In this instance, an SSHException will be raised, producing the “authenticity of host can’t be established” error.
- The remote host’s DNS is misconfigured. A misconfigured Domain Name System (DNS) may connect you to a host with an incorrect host key.
- A man-in-the-middle attack. The error may be a sign that an attacker is intercepting the connection between you and the remote host.
For better security and performance, it’s important that you choose a quality hosting service. With Kinsta’s Application Hosting, you can run your projects on the Google Cloud Platforms infrastructure:
Additionally, the platform is backed by Cloudflare’s enterprise-grade security solutions. These include a firewall and DDoS protection.
What’s more, you can access free SSL certificates or install custom ones. Meanwhile, thanks to our usage-based pricing model, it’s easy to scale your resources as your business grows.
How To Fix the “Authenticity of Host Can’t Be Established” Error (8 Methods)
Now that you know a bit more about the “authenticity of host can’t be established” error, let’s take a look at eight ways to fix it.
1. Check Your Connection
The first way to solve the “authenticity of host can’t be established” error is to make sure the network connection is stable. Additionally, it’s a good idea to check that there’s nothing blocking the connection.
For example, you might be running an antivirus program or have a Web Application Firewall (WAF) activated. This can interfere with the connection, so you might want to temporarily disable the software to try and clear the error message.
2. Replace the IP Address
A lot of people mistakenly assume that each remote server has only one key when in fact, a server can have multiple host keys. So, you might be using the RSA host key, but the server is presenting you with an ECDSA host key.
Therefore, you’ll see an error message because the host key is different. If you’ve configured the HostKeyAlgorithms option explicitly, SSH will honor it and prefer the algorithms you’ve specified.
You can look in your ~/.ssh/config file and /etc/ssh/ssh_config files to see if that’s the case. If so, add an entry to your ~/.ssh/config file like this:
# Update with the real IP address. Host 192.0.2.1 HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-rsa
It’s important to note that this enables the use of SHA-1 signatures. SHA-1 signatures are no longer considered secure since the vulnerabilities are well-known. Therefore, if you know the server supports SHA-2 signatures, you can remove the command.
It might also be the case that the system doesn’t use hashed entries. Therefore, the entry you’ve explicitly added might not be correct.
In this scenario, you’ll have to check the same configuration files for HashKnownHosts and adjust the entry accordingly. You can also use ssh-keygen -F 192.0.2.1 -l (replacing the IP address) to see if there’s a match for the entry.
3. Skip the Host Key Checking
There are instances when the “authenticity of host can’t be established” error message is harmless. For example, the host key may have been changed in a legitimate way if the server has been updated or reconfigured recently.
If this is the case, you can skip the key-checking procedure by sending the key to a null known_hosts file. In this file, you’ll need to add the following entry:
$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" user@host
You can also set up these options permanently in ~/.ssh/config (for the current user). If you want to set it up for all users, use /etc/ssh/ssh_config instead.
4. Create Your Own Self-Managed Certificate Authority (CA)
Web browsers have X509 root certificates pre-installed which lets you trust the Secure Sockets Layer (SSL) certificates of sites you’ve never visited before. While some SSH clients support X509 or PKI, others do not. This means you can’t use an SSL certificate from VeriSign to bypass the authenticity prompt if the client doesn’t support it.
However, you might be able to clear the “authenticity of host can’t be established” error by creating your own self-managed Certificate Authority (CA). Then, you can sign into the server. Plus, any client with your public key will automatically trust your servers.
To get started, you’ll need to generate an SSH key pair. You can do this with the following entry:
ssh-keygen -f cert_signer
Then, you can sign each server’s public host key as such:
ssh-keygen -s cert_signer -I cert_signer -h -n www.example.com -V +52w /etc/ssh/ssh_host_rsa_key.pub
This generates a signed public host key:
/etc/ssh/ssh_host_rsa_key-cert.pub
Now, navigate to your /etc/ssh/sshd_config file. Here, you can point the HostCertificate to this file: HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub.
Then, restart the SSH service. On the SSH client, you’ll need to add the following code to the known_hosts file:
@cert-authority *.example.com ssh-rsa AAAAB3Nz...cYwy+1Y2u/
This entry includes:
- The certificate authority
- The domain (example.com)
- The full contents of the public key
The error should now disappear, as the cert_signer public key will trust any server whose public host key is signed by the cert_signer private key.
5. Upgrade the SSH Software
Another solution for the “authenticity of host can’t be established” error is to upgrade your SSH client software to make sure you’re using the latest version. This way, you can be certain that your software is compatible with the remote host.
Updates often come with bug fixes and security patches that improve the stability and security of the connection. Once you’ve updated the software, you should be able to proceed without seeing the error message.
6. Verify the Remote Host
You might also be presented with the “authenticity of host can’t be established” error if the host key is incorrect or expired. Therefore, you might want to check that the remote host’s key is correctly generated and that it’s still valid.
By doing this, you can verify that the remote server is online and available for connections. Meanwhile, you can ensure that the host key is correct. This way, you can confirm that you’re connecting to the right server (and not a malicious server posing as the target server).
To get started, check the remote host using the “ssh-keyscan” command:
ssh-keyscan example.com
This retrieves the public key of the remote host and displays it on your terminal. Then, you can compare this key with the key stored in your known_hosts file (or with the key provided by the server’s administrator).
If the keys match, the remote host is likely to be the correct server. However, if the keys don’t match, it’s best to report the issue to the server administrator and halt the connection.
7. Remove the Old Host Key
The “authenticity of host can’t be established” error can also mean your host key has changed. Therefore, you might be able to fix the error by removing the old key from your known_hosts file.
The remote server’s key may have been updated due to a change in the server’s configuration or a security breach. In this case, the old host key won’t match the new one, and it will trigger an error.
All you need to do is delete the entry for the remote host’s public key that is stored in known_hosts. To do this, use the following command:
ssh-keygen -R example.com
This will remove the entry from the known_hosts file. Then, the next time you try to connect to the server via SSH, you’ll need to verify the new host key.
8. Flush Your DNS
Lastly, it may be the case that your host’s Domain Name System (DNS) is misconfigured. This can lead to connecting to a host with the wrong key, resulting in the “authenticity of host can’t be established“error.
The easiest way to solve this issue is to flush your DNS. To do this, open the Windows Command Prompt by typing “cmd” into the search bar:
Then, enter the following SSH command:
ipconfig/flushdns
This should clear the error and enable you to connect to the server.
Summary
The “authenticity of host can’t be established” error typically occurs when you try to connect to a server via SSH. It may indicate that the server has been reconfigured. However, it can also mean that the server has been compromised.
If it’s your first time making the connection, it’s normal to see this error message and you can simply ignore it. If not, you may need to verify the host to make sure that you’re connecting to the right server. You might also need to delete the old host from the known_hosts file or upgrade your SSH software.
Another easy way to increase security on your application is to use a quality host like Kinsta. All our plans offer top-quality support to help troubleshoot any issues you may encounter!
