I'm getting "SSH Key mismatch: WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!"

Started by BigFreddy, March 26, 2026, 09:07:01 AM

Hi,

I nuked the old installation of my OPNsense, did a fresh install, then did the initial configuration via the web GUI, followed by restoring the old config via the browser in that same web GUI. I then tried SSHing into my firewall and was greeted with this error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@  WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!  @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
ECDSA Key here
Please contact your system administrator.
Add correct key in system path here/known_hosts to get rid of this message.
Offending ECDSA key in system path here/known_hosts:1
remove with:
command to remove it
ECDSA host key for IP Here has changed and you have requested strict checking.
Host key verification failed.

So my questions are:

1) Could a major upgrade of the firewall from one major version to another cause the SSH keys to rotate?
2) Does reinstalling the firewall, doing the initial setup in the web GUI, and then restoring the configuration file via the web GUI change the SSH keys?

I'm wondering if something nefarious is happening on my firewall, as from what I read online, restoring a config file to OPNsense should still retain the old SSH keys, but in this case that hasn't happened.

Thanks

Quote from: BigFreddy on March 26, 2026, 09:07:01 AM
2) Does reinstalling the firewall [...] change SSH keys?

Yes. This is expected. The keys are generated when a host first boots after installation. Remove the old key(s) from your ~/.ssh/known_hosts and acknowledge the new one(s).
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
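A check that follows the advice above, as an added example (not code from this thread or from OPNsense): it replaces the stale known_hosts entry only after the new key's SHA256 fingerprint matches one read out-of-band, e.g. from the firewall console, and it handles both plain and HashKnownHosts-style entries. The key blobs, hosts and known_hosts lines are constructed sample data.

```python
import base64
import hashlib
import hmac
import struct

def fingerprint(pubkey_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(host: str, salt: bytes) -> str:
    """Build a HashKnownHosts field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field, either plain (comma-separated) or hashed."""
    if field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(hash_b64))
    return host in field.split(",")

def update_known_hosts(lines, host, keytype, new_key_b64, expected_fp):
    """Return (accepted, new_lines). The stale entry for host/keytype is replaced
    only if the new key's fingerprint equals the one obtained out-of-band."""
    if not hmac.compare_digest(fingerprint(new_key_b64), expected_fp):
        return False, list(lines)  # mismatch: keep the warning and investigate instead
    kept = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == keytype and host_matches(parts[0], host):
            continue  # drop the stale entry ssh complained about
        kept.append(line)
    kept.append(f"{host} {keytype} {new_key_b64}")
    return True, kept

def _blob(raw: bytes) -> str:
    """Constructed ssh-ed25519 blob (string "ssh-ed25519" + 32 bytes); not a real key."""
    name = b"ssh-ed25519"
    return base64.b64encode(struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw).decode()

OLD_KEY, NEW_KEY = _blob(bytes(range(32))), _blob(bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = [  # constructed known_hosts content
    f"192.0.2.1 ssh-ed25519 {OLD_KEY}",              # stale firewall entry
    f"198.51.100.7 ssh-ed25519 {_blob(b'x' * 32)}",  # unrelated host, must survive
]

if __name__ == "__main__":
    # In practice expected_fp is read from the firewall console; deriving it from
    # NEW_KEY here only exercises the accept path.
    accepted, new_lines = update_known_hosts(
        SAMPLE_KNOWN_HOSTS, "192.0.2.1", "ssh-ed25519", NEW_KEY, fingerprint(NEW_KEY))
    print(accepted, *new_lines, sep="\n")
```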

Quote from: Patrick M. Hausen on March 26, 2026, 09:43:59 AM
Quote from: BigFreddy on March 26, 2026, 09:07:01 AM
2) Does reinstalling the firewall [...] change SSH keys?

Yes. This is expected. The keys are generated when a host first boots after installation. Remove the old key(s) from your ~/.ssh/known_hosts and acknowledge the new one(s).

Thanks for confirming. Would the SSH keys be retained from the config file if I imported it during the firewall install itself rather than in the web GUI after the installation? I read somewhere on this forum that apparently the config file should retain the old keys if you import it that way, but I'm not sure if something changed with OPNsense over the years and it's different now.

I am not aware that the host keys are saved in the configuration, but I might be wrong.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

IMHO you should let the OpenSSH server keys simply be what they are and only take care of your own OpenSSH user private/public keys.

I can remember upgrading FreeBSD in the past via the whole /usr/src/ and /usr/ports/ procedure, and then from time to time you had to supply some random keystrokes to the OpenSSH server during the first boot after it was upgraded, and I was perfectly fine with that! :)

Sometimes there are also security-related reasons for regenerating the keys, so if your server does it, then consider it on the client side too!!

This is a story from the FreeBSD 4/5/6 era, but IMHO it still applies today when it comes to the security aspect of it!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)