This document explains the SSH host key verification warnings that occur during VM development and how to resolve them.
When running make test or redeploying VMs, you may see this SSH warning:
```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:+Nz297ofVtHngVzqvoWG+2uimLW4xtjVCf9BPVw8uQg.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:198
remove with:
ssh-keygen -f '/home/user/.ssh/known_hosts' -R '192.168.122.25'
Password authentication is disabled to avoid man-in-the-middle attacks.
```
This is normal behavior in VM development environments because:
- VMs get destroyed and recreated with new SSH host keys
- IP addresses get reused by the DHCP server (libvirt assigns IPs like `192.168.122.25`)
- SSH remembers old host keys in `~/.ssh/known_hosts` for security
- New VM has different host key for the same IP, triggering the security warning
The project includes automatic SSH known_hosts cleanup:
```bash
# Clean SSH known_hosts for current VM
make ssh-clean
# Clean and test SSH connectivity
make ssh-prepare
# Clean all libvirt network entries
./infrastructure/scripts/ssh-utils.sh clean-all
```
If you encounter the warning, follow the SSH suggestion:
```bash
# Remove the specific IP from known_hosts (replace with your VM's IP)
ssh-keygen -f ~/.ssh/known_hosts -R 192.168.122.25
```
Connect once with StrictHostKeyChecking disabled to accept the new key:
```bash
# Replace with your VM's IP address
ssh -o StrictHostKeyChecking=no torrust@192.168.122.25
```
The `-o` flag applies to this single invocation only, so host key verification stays enabled for later connections.

The infrastructure scripts now automatically clean SSH known_hosts during deployment:
- During `make infra-apply`: Cleans libvirt network range before deployment
- After VM creation: Cleans specific VM IP from known_hosts
- SSH utilities: Available via `make ssh-clean` and `make ssh-prepare`
SSH host key verification protects against:
- Man-in-the-middle attacks
- Server impersonation
- Connection hijacking
For local VM development, this warning can be safely ignored because:
- Local network: VMs run on isolated libvirt network (`192.168.122.0/24`)
- Development environment: Not production traffic
- Known behavior: Expected when VMs are recreated
- Controlled environment: You control the VM creation process
In production environments:
- Keep host key verification enabled
- Investigate unexpected key changes
- Use static IP assignments when possible
- Consider certificate-based authentication
The SSH utilities script (infrastructure/scripts/ssh-utils.sh) provides:
- `clean_vm_known_hosts()`: Remove entries for specific VM IP
- `clean_libvirt_known_hosts()`: Clean entire libvirt network range
- `prepare_vm_ssh()`: Automated cleanup and connectivity testing
- `get_vm_ip()`: VM IP detection from Terraform/libvirt
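
One way a range cleanup like `clean_libvirt_known_hosts()` can be kept scoped to the libvirt network, so that host keys for every other machine stay pinned. This is an added example, not the project's `ssh-utils.sh`; the names `clean_range` and `demo` and the sample entries are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: clean_range and demo are hypothetical helpers, not part of
# ssh-utils.sh. Drops plain-text known_hosts entries for one /24 (given as
# its first three octets) and leaves every other line unchanged.
clean_range() (
    file="$1"; prefix="$2"
    tmp="$(mktemp)" || exit 1
    awk -v prefix="$prefix" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments, blank lines
        {
            # An optional marker (@cert-authority, @revoked) precedes the hosts.
            hosts = ($1 ~ /^@/) ? $2 : $1
            n = split(hosts, h, ",")
            drop = 0
            for (i = 1; i <= n; i++) {
                name = h[i]
                # Non-default ports are stored as [host]:port.
                if (name ~ /^\[/) { sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name) }
                # The prefix must be followed by exactly one octet (0-255).
                if (index(name, prefix ".") == 1) {
                    last = substr(name, length(prefix) + 2)
                    if (last ~ /^[0-9]+$/ && last + 0 <= 255) drop = 1
                }
            }
            if (!drop) print
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file mode
    rc=$?
    rm -f "$tmp"
    exit "$rc"
)

# Constructed sample file; the key blobs are placeholders, not real keys.
demo() (
    f="$(mktemp)" || exit 1
    cat > "$f" <<'EOF'
# constructed sample known_hosts
192.168.122.25 ssh-ed25519 AAAA_CONSTRUCTED_1
[192.168.122.30]:2222 ecdsa-sha2-nistp256 AAAA_CONSTRUCTED_2
vm.test,192.168.122.7 ssh-ed25519 AAAA_CONSTRUCTED_3
192.168.12.5 ssh-ed25519 AAAA_CONSTRUCTED_4
192.168.122.250.example ssh-rsa AAAA_CONSTRUCTED_5
|1|Y29uc3RydWN0ZWQ=|Y29uc3RydWN0ZWQ= ssh-ed25519 AAAA_CONSTRUCTED_6
EOF
    clean_range "$f" 192.168.122
    cat "$f"
    rm -f "$f"
)
demo
```

Hashed entries (written when `HashKnownHosts` is enabled) cannot be matched as text and are left in place here; remove those per address with `ssh-keygen -R`.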
- ADR-005: Sudo Cache Management - Related infrastructure UX improvements
- Local Testing Setup - Complete development environment setup
- Integration Testing Guide - Full testing procedures
| Command | Purpose |
|---|---|
| `make ssh-clean` | Clean known_hosts for current VM |
| `make ssh-prepare` | Clean known_hosts and test SSH connectivity |
| `ssh-utils.sh clean-all` | Clean entire libvirt network range |
| `ssh-utils.sh clean [IP]` | Clean specific IP address |
| `ssh-utils.sh get-ip` | Get current VM IP address |