REMOTE HOST IDENTIFICATION HAS CHANGED when accessing Stash git repo over ssh


Symptoms

When using git clone, push, fetch or pull to or from a repository hosted in Stash over ssh, or when using ssh to access the machine Stash is hosted on, the user receives an error due to mismatched server ssh keys, e.g.:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
13:c9:f6:9d:c1:67:16:95:69:27:08:4a:c9:16:62:75.
Please contact your system administrator.
Add correct host key in /home/USER/.ssh/known_hosts to get rid of this message.
Offending key in /home/USER/.ssh/known_hosts:1
RSA host key for stash.customer.com has changed and you have requested strict checking.
Host key verification failed.
fatal: The remote end hung up unexpectedly

This can happen when using git with a Stash ssh URL, or when using ssh itself.

Diagnosis

The user is attempting to access the machine Stash is hosted on via ssh, as well as accessing Stash hosted repositories over ssh.

The Stash ssh server and the normal ssh server on the machine hosting Stash have different key pairs, and the user's version of ssh does not differentiate between ssh servers running on the same machine on different port numbers. For example, in a standard setup:

  • 22: the normal ssh server for shell access
  • 7990: the Stash ssh server for ssh git access

Cause

OpenSSH clients earlier than 4.4 are not able to differentiate between ssh servers running on the same machine on different ports when detecting changed server keys.

Type ssh -V to determine the version number of ssh:

$ ssh -V
OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011

Workaround

There are a number of workarounds; see http://serverfault.com/questions/141553/how-to-make-ssh-match-known-hosts-to-host-ipport-instead-of-just-host-ip.

Resolution

  • Upgrade ssh on the client's machine to version 4.4 or later.

  • Remove all entries for the machine hosting Stash from the user's ~/.ssh/known_hosts file.
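
The removal step above, as an added shell example that is not part of the original article: it finds every known_hosts entry for the Stash machine, both the bare form used for port 22 and the [host]:port form that port-aware clients write for other ports, and removes them while keeping a backup. The function names kh_sample, kh_list and kh_remove are hypothetical, the key blobs are constructed placeholders, and entries are assumed to be unhashed.

```shell
# Added example, not from the original article. Function names are hypothetical and
# the key blobs are constructed placeholders. Assumes unhashed known_hosts entries;
# with HashKnownHosts enabled, use ssh-keygen -F / ssh-keygen -R instead.

# kh_sample FILE: write a constructed known_hosts file using the article's host and ports.
kh_sample() {
    cat > "$1" <<'EOF'
stash.customer.com ssh-rsa CONSTRUCTED-KEY-SHELL-SSHD-PORT-22
[stash.customer.com]:7990 ssh-rsa CONSTRUCTED-KEY-STASH-SSH-PORT-7990
mystash.customer.com,192.0.2.10 ssh-rsa CONSTRUCTED-KEY-UNRELATED-HOST
EOF
}

# kh_list HOST FILE: print "line:hostfield" for each entry naming HOST, whether it is
# stored bare (default port) or as [HOST]:PORT (non-default port).
kh_list() {
    awk -v h="$1" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            f = $1
            if (f ~ /^@/) f = $2                 # step over @cert-authority / @revoked
            n = split(f, names, ",")             # one entry can list several names
            for (i = 1; i <= n; i++) {
                name = names[i]
                # exact name, or bracketed name followed by a port; no substring match
                if (name == h || index(name, "[" h "]:") == 1) { print NR ":" f; break }
            }
        }' "$2"
}

# kh_remove HOST FILE: delete the entries kh_list reports, keeping FILE.old as a backup.
kh_remove() {
    lines=$(kh_list "$1" "$2" | cut -d: -f1 | tr '\n' ' ')
    cp "$2" "$2.old"
    awk -v drop=" $lines" 'index(drop, " " NR " ") == 0' "$2.old" > "$2"
}

# Demo on a throwaway copy, never on the real ~/.ssh/known_hosts.
d=$(mktemp -d) && kh_sample "$d/known_hosts"
kh_list stash.customer.com "$d/known_hosts"      # the port 22 and port 7990 entries
kh_remove stash.customer.com "$d/known_hosts"
cat "$d/known_hosts"                             # only the unrelated host remains
rm -r "$d"
```

On the next connection ssh prompts to accept each server's key again; compare the fingerprint it displays with the one supplied by the Stash administrator before accepting it.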

     

Last modified on Mar 30, 2016
