I'm getting "SSH Key mismatch: WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!"

Started by BigFreddy, Today at 09:07:01 AM

Hi,

I have nuked the old installation of my OPNsense, did a new install, then proceeded to do the initial configuration via the web GUI, followed by restoring the old config via the web browser in the said web GUI. I then tried SSHing into my firewall and was greeted with this error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@  WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!  @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
ECDSA Key here
Please contact your system administrator.
Add correct key in system path here/known_hosts to get rid of this message.
Offending ECDSA key in system path here/known_hosts:1
remove with:
command to remove it
ECDSA host key for IP Here has changed and you have requested strict checking.
Host key verification failed.

So my questions are:

1) Could a major upgrade of the firewall from one version to another major one cause the SSH keys to rotate?
2) Would reinstalling the firewall, doing the initial setup in the web GUI, followed by a restore of the configuration file via the web GUI, change the SSH keys?

I'm wondering if something nefarious is happening on my firewall, as from reading online, restoring a config file to OPNsense should still retain the old SSH keys, but in this case this hasn't happened.

Thanks

Quote from: BigFreddy on Today at 09:07:01 AM
2) Does reinstalling the firewall [...] change SSH keys?

Yes. This is expected. The keys are generated when a host first boots after installation. Remove the old key(s) from your ~/.ssh/known_hosts and acknowledge the new one(s).
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
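An added example, not part of the thread or of OPNsense: before replacing the known_hosts entry as described above, the offered key can be compared with a fingerprint read on the firewall's own console (for instance from `ssh-keygen -lf` on the host's public key file). The keys, the address 192.0.2.1 and all function names here are constructed for illustration.

```python
import base64, hashlib, hmac, struct

def make_key(seed: bytes) -> str:
    """Constructed sample: an ssh-ed25519 public key line built from fixed bytes."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + seed * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def fingerprint(key_line: str) -> str:
    """Fingerprint as ssh-keygen -l prints it: unpadded base64 of sha256(key blob)."""
    blob = base64.b64decode(key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(host: str, salt: bytes) -> str:
    """Hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern: str, host: str) -> bool:
    """Match a host against a plain (comma-separated) or hashed host field."""
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(hash_host(host, salt), pattern)
    return host in pattern.split(",")

def check(known_hosts: str, host: str, offered: str, console_fp: str) -> str:
    """Return 'unchanged', 'replace' (new key matches console) or 'reject'."""
    key_type = offered.split()[0]
    stored = [l.split(None, 1)[1] for l in known_hosts.splitlines()
              if l.strip() and not l.startswith(("#", "@"))
              and host_matches(l.split()[0], host) and l.split()[1] == key_type]
    if any(fingerprint(s) == fingerprint(offered) for s in stored):
        return "unchanged"
    # The key differs from what is stored: trust it only if it matches the
    # fingerprint obtained out of band on the console.
    return "replace" if fingerprint(offered) == console_fp else "reject"

# Constructed sample data: key before reinstall, key after reinstall, unrelated key.
HOST = "192.0.2.1"
OLD, NEW, ROGUE = make_key(b"\x01"), make_key(b"\x02"), make_key(b"\x03")
KNOWN_HOSTS = HOST + " " + OLD + "\n"

if __name__ == "__main__":
    for label, key in (("old", OLD), ("new", NEW), ("rogue", ROGUE)):
        print(label, check(KNOWN_HOSTS, HOST, key, fingerprint(NEW)))
```

Only on a "replace" result would the old entry be removed from known_hosts and the new key accepted.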