Does Google Cloud change the server' ssh keys automatically?

Question

I'm a new Google Cloud user. Today I've realized I can't connect any of my servers with this error message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:******.
Please contact your system administrator.
Add correct host key in /home/roberto/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/roberto/.ssh/known_hosts:9
  remove with:
  ssh-keygen -f "/home/roberto/.ssh/known_hosts" -R 10.10.10.10
ECDSA host key for 10.10.10.10 has changed and you have requested strict checking.
Host key verification failed.

Does Google automatically update/change the ssh keys of their servers?

score 3 · Accepted Answer · answered Nov 15 '19 at 18:17

Yes actually, Google Does change your hostkey in some cases.

For example, hostkey will change during host maintenance migrations if that is enabled.
The key will change if any changes are made requiring recreating the instance are needed: something as dumb as setting a scope, adding a service account, or even the lovely setting a description on an instance will force a replacement of a VM and the host key will change.

score 1 · Answer 2 · edited May 23 '17 at 12:41

1

Any time you SSH to your GCE VM using Google Cloud Console a new SSH key will be generated that will be expired after a few minutes. However, the WARNING message you have received can be because of a different reason.

Check out this post for a similar question.

Running ssh-keygen -f "/home/roberto/.ssh/known_hosts" -R 10.10.10.10 command should resolve your issue.

edited May 23 '17 at 12:41

Community

1

answered Jul 29 '16 at 02:45

Kamran

1,425
7
17

Thanks @Kamran, it worked for me with little modification on the MacOS For linux : ssh-keygen -f "/home//.ssh/known_hosts" -R For Mac : ssh-keygen -f "/Users//.ssh/known_hosts" -R – Rakshitha Muranga Rodrigo Feb 17 '19 at 19:12
It's helpful, but doesn't answer the original question. – weirdan Nov 15 '19 at 13:36

score 0 · Answer 3 · answered Jul 29 '16 at 04:11

Remove catched key on local machine:

ssh-keygen -R 10.10.10.10

It might not work so as second step you can do as instructed by the error here:

Add correct host key in /home/roberto/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/roberto/.ssh/known_hosts:9
  remove with:
  ssh-keygen -f "/home/roberto/.ssh/known_hosts" -R 10.10.10.10

Check that the host is not in /home/roberto/.ssh/known_hosts and if still there remove the host from the list manually.

If nothing of this works then you should know the following: Google does NOT change your keys for servers automatically. You could run with -vvv and post the output.

Does Google Cloud change the server' ssh keys automatically?

3 Answers3