SSH Settings

This page covers additional SSH configuration options needed to overcome errors encountered when connecting to some platforms.

Warning: Remote Host Identification Has Changed

When connecting to a device via SSH, Linux stores a fingerprint of the remote device's host key in ~/.ssh/known_hosts. If this fingerprint changes, the user is shown a warning and prevented from connecting. This is an important security feature when connecting to a remote server, but when connecting to an embedded system the check will often fail after each reboot. This is because many embedded devices are configured to use non-persistent root filesystems, so the device generates new host keys every time it boots.

An example of the warning message is shown below:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:7NqoKGxzndzm9Yjnu5GY/DW5e0y4UXZckC8j4veAsO8.
Please contact your system administrator.
Add correct host key in /home/opencpi/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/opencpi/.ssh/known_hosts:1
RSA host key for 10.0.2.2 has changed and you have requested strict checking.
Host key verification failed.

Temporary Fix

A simple workaround is to edit or delete the known_hosts file that stores the outdated key for the remote system.

On the development host (the machine that you are connecting to the embedded device from), run one of the following commands:

# Either edit the file and delete just the line that 
# starts with the IP address of the embedded device
nano ~/.ssh/known_hosts
# OR delete the whole file (not recommended)
rm -f ~/.ssh/known_hosts

Use ssh to connect to the remote device. The warning should no longer be seen. It is necessary to repeat this process each time the embedded device is rebooted.

Permanent Fix

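To avoid clearing the known_hosts file after each reboot, StrictHostKeyChecking can be disabled for the embedded device. With the settings below, the SSH client accepts whatever host key is presented at that address and does not record it, so the changed-key check no longer applies to that address.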

On the development host (the machine that you are connecting to the embedded device from), run the following command:

nano ~/.ssh/config

Add the lines below to the configuration file, making sure to replace the IP address with the IP address of the embedded system you are connecting to.

Host 10.0.2.2
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

Note

You can use a host of * to disable StrictHostKeyChecking for all remote devices. This is not recommended.

Warning: No matching host key type found

When using newer Linux distributions to connect to older embedded systems, it is common to find that the key types supported by the embedded system are no longer allowed by the SSH client. The following warning is shown:

Unable to negotiate with 10.0.2.2 port 22: no matching host key type found.
Their offer: ssh-rsa

To solve this, on the development host (the machine that you are connecting to the embedded device from), run the following command:

nano ~/.ssh/config

Add the lines below to the configuration file, making sure to replace the IP address with the IP address of the embedded system you are connecting to.

Host 10.0.2.2
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

Note

You can use a host of * to update the supported algorithms for all remote devices. This is not recommended.
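
The check below is an added example, not part of the original page: it scans an SSH client configuration for the relaxations described in both sections above and marks any that sit under a wildcard Host pattern or outside a Host block. It generalizes the two notes about a host of * to any pattern containing * or ?; the names audit and SAMPLE and the sample configuration are constructed for illustration, and Match blocks are flagged for manual review rather than evaluated.

```python
import re
LINE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")  # keyword, optional "=", argument

def _enables_ssh_rsa(value):
    # "+list" appends and "^list" prepends to the defaults; "-list" removes
    if value.startswith("-"):
        return False
    return "ssh-rsa" in value.lstrip("+^").split(",")

# Options from this page that relax host verification or re-enable ssh-rsa
RELAXED = {
    "stricthostkeychecking": lambda v: v.lower() in ("no", "off"),
    "userknownhostsfile": lambda v: v == "/dev/null",
    "hostkeyalgorithms": _enables_ssh_rsa,
    "pubkeyacceptedalgorithms": _enables_ssh_rsa,
}

def audit(config_text):
    """Return (line_no, scope, option, is_broad) for each relaxed option."""
    findings = []
    scope, broad = "(global)", True  # options before any Host line apply to every host
    for n, raw in enumerate(config_text.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m:  # blank line or comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            scope = value
            broad = any(p[0] != "!" and ("*" in p or "?" in p) for p in value.split())
        elif key == "match":
            scope, broad = "Match " + value, True  # criteria not evaluated: review by hand
        elif key in RELAXED and RELAXED[key](value):
            findings.append((n, scope, f"{m.group(1)} {value}", broad))
    return findings

# Constructed sample of ~/.ssh/config (not taken from a real system)
SAMPLE = """\
Host 10.0.2.2
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    HostKeyAlgorithms +ssh-rsa
Host *
    PubkeyAcceptedAlgorithms +ssh-rsa
    StrictHostKeyChecking ask
"""

if __name__ == "__main__":
    for n, scope, option, broad in audit(SAMPLE):
        print(f"line {n}: [{scope}] {option}" + ("  <- broad scope" if broad else ""))
```

Findings with the broad flag set are the ones to move under a Host entry for the specific device address.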