🟡 Medium   ⏱ 5–30 min  Last verified: 19 May 2026
Affected versions: CentOS Stream 10

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Clients see ‘REMOTE HOST IDENTIFICATION HAS CHANGED’ after server rebuilds.

Environment & Reproduction

Common after re-imaging without re-using the prior host keys.

ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub

Root Cause Analysis

Client known_hosts still holds the previous host key fingerprint.

Quick Triage

Capture the new fingerprint and current sshd config.

for k in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -lf $k; done

Step-by-Step Diagnosis

Distribute the new fingerprints via a trusted channel.

ssh-keyscan -t ed25519 $(hostname) > /tmp/newhost.pub
sha256sum /tmp/newhost.pub
Illustrative mockup for centos-stream-10 — ssh_hostkey_warn
Host key changed warning — Illustrative mockup — Progressive Robot

Solution – Primary Fix

Update clients to remove stale entries and accept the new key.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

ssh-keygen -R server.example.com
ssh server.example.com
Illustrative mockup for centos-stream-10 — ssh_hostkey_ok
Trusted host key — Illustrative mockup — Progressive Robot

Solution – Alternative Approaches

Use SSH CAs so host key rotation does not warn clients.

ssh-keygen -s ca_key -h -I server -n server.example.com /etc/ssh/ssh_host_ed25519_key.pub

Verification & Acceptance Criteria

Clients connect without warnings using the new fingerprint.

ssh -o StrictHostKeyChecking=ask server.example.com 'true'

Rollback Plan

Restore the prior /etc/ssh/ssh_host_* keys from backup if needed.

cp /var/backups/sshhostkeys/* /etc/ssh/ && systemctl restart sshd

Prevention & Hardening

Backup host keys before reinstall and adopt SSH CAs.

tar -czf /var/backups/ssh_hostkeys.$(date +%F).tgz /etc/ssh/ssh_host_*

Host key warnings, MITM warnings, scripted SSH failures.

Related tutorial: View the step-by-step tutorial for centos-stream-10.

View all centos-stream-10 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

OpenSSH CA howto, ssh-keyscan docs.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.