Mind Dump, Tech And Life Blog
written by Ivan Alenko
published under license CC4-BY
posted at 19. Apr '25

Howto Fix Net::SSH::HostKeyUnknown

Last week I wanted to deploy and I saw a very weird error coming from net/ssh: Net::SSH::HostKeyUnknown. And honestly, originally I didn’t even want to handle this, as I’d just had a bad month.

But well, I got myself together and then I had to dig into the source code to find out that the host keys (SSH keys provided by the server) were empty. Which is weird.

And with the ssh command it worked just fine. Which is even weirder.

OK, so the current myrtana server was installed a long time ago, in September 2013. But I update it regularly, not like the 4chan server from 2016.

root@starz:~/oldssh# ls -lah
total 17K
drwxr-xr-x  2 root root   10 Apr 20 00:33 .
drwx------ 21 root root   37 Apr 20 00:33 ..
-rw-------  1 root root  668 Sep  3  2013 ssh_host_dsa_key
-rw-r--r--  1 root root  598 Sep  3  2013 ssh_host_dsa_key.pub
-rw-------  1 root root  227 Feb  8  2018 ssh_host_ecdsa_key
-rw-r--r--  1 root root  172 Feb  8  2018 ssh_host_ecdsa_key.pub
-rw-------  1 root root  399 Feb  8  2018 ssh_host_ed25519_key
-rw-r--r--  1 root root   92 Feb  8  2018 ssh_host_ed25519_key.pub
-rw-------  1 root root 1.7K Sep  3  2013 ssh_host_rsa_key
-rw-r--r--  1 root root  390 Sep  3  2013 ssh_host_rsa_key.pub

and something is wrong with one of these keys. I haven’t found an issue about this in https://github.com/net-ssh/net-ssh, which meant I was on my own.

  • move ssh_host_* from /etc/ssh into /root/oldssh to back them up
  • run ssh-keygen -A to generate host keys again

I use the default config with the HostKey lines commented out:

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

which means it generated all three. The result:

-rw------- 1 root root    505 Apr 20 00:34 ssh_host_ecdsa_key
-rw-r--r-- 1 root root    172 Apr 20 00:34 ssh_host_ecdsa_key.pub
-rw------- 1 root root    399 Apr 20 00:34 ssh_host_ed25519_key
-rw-r--r-- 1 root root     92 Apr 20 00:34 ssh_host_ed25519_key.pub
-rw------- 1 root root   2590 Apr 20 00:34 ssh_host_rsa_key
-rw-r--r-- 1 root root    564 Apr 20 00:34 ssh_host_rsa_key.pub
  • restart or reload the SSH server with /etc/init.d/sshd restart or systemctl restart sshd
  • show the new server fingerprint:
root@starz:/etc/ssh# ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key
256 SHA256:3zYCAybTLCpMupQNeuhCF9Oy9wjklh1I7pTHoJ5Wzk8 root@starz (ED25519)
  • remove the old shit from known_hosts:
ssh-keygen -f '/home/damon/.ssh/known_hosts' -R 'myrtana.sk'

otherwise you will see:

damon@rapthalia:~/oni_sorceress$ ssh myrtana_sk@myrtana.sk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:3zYCAybTLCpMupQNeuhCF9Oy9wjklh1I7pTHoJ5Wzk8.
Please contact your system administrator.
Add correct host key in /home/damon/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/damon/.ssh/known_hosts:9
  remove with:
  ssh-keygen -f '/home/damon/.ssh/known_hosts' -R 'myrtana.sk'
Host key for myrtana.sk has changed and you have requested strict checking.
Host key verification failed.
  • verify that the new fingerprint shown on the server matches the new fingerprint shown by the ssh command
  • it has to match, and then you are good to go. You’ll get a new line in known_hosts similar to this:
|1|BG7ScoyOjJs6xFKCvhSs1GbAV2Q=|isEqsJ0lbZr3B+iMj1Y3iLpU44w= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjN10bhUBGOjO65azVt1DEKwyGpoKLSp2OBctLtjf9k
  • if not, maybe you fingerprinted the wrong type of key or your government doesn’t like you
  • now it works, including Capistrano
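
The client-side half of these steps (what a hashed known_hosts entry actually contains, and the fingerprint you compare against the one read on the server), as an added example in Ruby that is not part of this post and does not use net-ssh; the known_hosts line quoted above is its sample input, and every function name in it is my own:

```ruby
require 'openssl'
require 'digest'

# Added example (not from the post or from net-ssh): parse OpenSSH known_hosts
# entries, match a hostname against a hashed entry, and compute the same
# SHA256 fingerprint that `ssh-keygen -l` prints, so the manual comparison from
# the post can be reproduced on the client without trusting the ssh warning alone.

# The hashed known_hosts line quoted in the post (ED25519 public key).
POST_HASHED_LINE = '|1|BG7ScoyOjJs6xFKCvhSs1GbAV2Q=|isEqsJ0lbZr3B+iMj1Y3iLpU44w= ' \
                   'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjN10bhUBGOjO65azVt1DEKwyGpoKLSp2OBctLtjf9k'

KnownHost = Struct.new(:hostnames, :salt, :host_hmac, :key_type, :key_blob, keyword_init: true)

# Split a line into host field, key type and raw key blob. Hashed entries
# (HashKnownHosts yes) carry "|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>"
# instead of a plain comma-separated hostname list; trailing comments are ignored.
def parse_known_hosts_line(line)
  host_field, key_type, key_b64 = line.strip.split(/\s+/)
  raise ArgumentError, "not a known_hosts line: #{line.inspect}" if key_b64.nil?

  blob = key_b64.unpack1('m0') # strict base64 decode
  if host_field.start_with?('|1|')
    _, _, salt_b64, hmac_b64 = host_field.split('|')
    KnownHost.new(hostnames: nil, salt: salt_b64.unpack1('m0'),
                  host_hmac: hmac_b64.unpack1('m0'), key_type: key_type, key_blob: blob)
  else
    KnownHost.new(hostnames: host_field.split(','), salt: nil, host_hmac: nil,
                  key_type: key_type, key_blob: blob)
  end
end

# Build the hashed host field for a hostname, the way ssh writes it: a random
# 20-byte salt and HMAC-SHA1 over the hostname keyed with that salt.
def hash_hostname(hostname, salt = OpenSSL::Random.random_bytes(20))
  mac = OpenSSL::HMAC.digest('sha1', salt, hostname)
  "|1|#{[salt].pack('m0')}|#{[mac].pack('m0')}"
end

# Does this entry belong to hostname? For a hashed entry the only way to know is
# to recompute the HMAC with the stored salt; the hostname itself is not recoverable.
def entry_matches_host?(entry, hostname)
  if entry.salt
    OpenSSL::HMAC.digest('sha1', entry.salt, hostname) == entry.host_hmac
  else
    entry.hostnames.include?(hostname)
  end
end

# SSH wire-format string: 4-byte big-endian length followed by that many bytes.
def read_ssh_string(blob, offset)
  header = blob.byteslice(offset, 4)
  raise ArgumentError, 'truncated ssh string' if header.nil? || header.bytesize < 4
  len = header.unpack1('N')
  [blob.byteslice(offset + 4, len), offset + 4 + len]
end

# An ssh-ed25519 public key blob is string("ssh-ed25519") || string(32-byte key).
def decode_ed25519_blob(blob)
  type, off = read_ssh_string(blob, 0)
  raise ArgumentError, "unexpected key type #{type.inspect}" unless type == 'ssh-ed25519'
  pubkey, off = read_ssh_string(blob, off)
  raise ArgumentError, 'malformed ed25519 blob' unless pubkey && pubkey.bytesize == 32 && off == blob.bytesize
  pubkey
end

# The value `ssh-keygen -l -f` prints: SHA256 over the raw blob, base64 without padding.
def sha256_fingerprint(key_blob)
  'SHA256:' + [Digest::SHA256.digest(key_blob)].pack('m0').delete('=')
end

# The manual step from the post: compare the fingerprint read on the server
# (out of band) with the key the client is about to trust.
def fingerprint_matches?(entry, fingerprint_from_server)
  sha256_fingerprint(entry.key_blob) == fingerprint_from_server.strip
end

if __FILE__ == $PROGRAM_NAME
  entry = parse_known_hosts_line(POST_HASHED_LINE)
  puts "type:           #{entry.key_type}"
  puts "fingerprint:    #{sha256_fingerprint(entry.key_blob)}"
  puts "for myrtana.sk? #{entry_matches_host?(entry, 'myrtana.sk')}"
end
```

Running it on the quoted line tells you whether that entry really belongs to myrtana.sk and what fingerprint the client would show for it; the number to compare against is still the one printed by ssh-keygen -l on the server itself. The hashed form exists because HashKnownHosts yes keeps hostnames out of the file for anyone who gets to read it, at the cost of exactly the opacity complained about below. On the net-ssh side, the verify_host_key option (:always in net-ssh 5 and later) is what decides whether an unknown or changed key raises instead of being accepted.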

Honestly, I’m not sure what’s wrong, but net-ssh has seen better days, so I’m fine with less precise solutions. Please, I don’t want to debug net-ssh for two weeks. I guess the DSA key might have been the issue. Or bad prime numbers in the RSA key, dunno. Or a broken ED25519 key, since it was used as the first choice. Yeah, also hashed hosts in known_hosts suck. I’ll have to check if there is a reason for it or it just serves as another BDSM tool.
