0

This morning PyCharm started warning me:

Warning: remote host identification has changed! IT IS 
POSSIBLE THAT SOMEONE IS DOING SOMETHING 
NASTY! Someone could be eavesdropping on you 
right now (man-in-the-middle-attack)! It is also 
possible that the host key has just been changed. The 
fingerprint for the ssh-ed25519 key sent by the 
remote host is
[redacted A]

Do you want to update the key in
/Users/[myhome]/.ssh/known_hosts and resume 
connecting?

Then it asks if I want to change ~/Users/[myhome]/.ssh/known_hosts.

The target host is used as an sftp to transfer my code to the remote server. Its name is an alias for two data transfer nodes. I can look at their ssh public keys using ssh-keyscan -t ed25519 alias.remotehost.com and I get a key that matches the one in my known_hosts file. I can also connect to a different remote server, at which time I do not get a warning about changed ssh keys, and ssh-keyscan the original remote host and I get the same keys in known_hosts.

The key that PyCharm says is new does not match any of the now twice confirmed ssh keys. The format of the PyCharm-message-derived key is even totally different from the keys from ssh-keyscan.

What is going on? I don't want to just blast through a security warning, and I'd like some guidance on where to look to see why PyCharm is giving me this warning that I cannot confirm otherwise.

Finncent Price
  • 543
  • 1
  • 8
  • 20

1 Answers1

0

The reason is not necessarily a security issue. Did you double-check your SSH configuration, in particular the known_hosts file used by PyCharm is the same you're checking?
https://man.openbsd.org/ssh_config#UserKnownHostsFile

You may want to take a look at the PyCharm SSH Configurations ... Connection Parameters; for example the different format you're seeing might be related to storing hosts in hash format option (to be confirmed):
https://www.jetbrains.com/help/pycharm/settings-tools-ssh-configurations.html

You can try to recreate a SSH configuration from scratch as described here:
https://www.jetbrains.com/help/pycharm/create-ssh-configurations.html

If you're 100% sure that the key in the known_hosts file is the right one and matches your target server's, this will remove the entry in known_hosts file and you should be again prompted to accept the server key on the next connection:

ssh-keygen -R <host>

(where host is your target server, IP or hostname: "alias.remotehost.com" in your example; you can provide the path for the file using -f <path>)

References
ssh remote host identification has changed
https://stackabuse.com/how-to-fix-warning-remote-host-identification-has-changed-on-mac-and-linux/
https://youtrack.jetbrains.com/issue/CPP-19720

evilmandarine
  • 4,241
  • 4
  • 17
  • 40
  • These are some great suggestions, thank you. Unfortunately, none of them resolved the issue. PyCharm does appear to be using the same known_hosts file I am looking at, and the 'Hash hosts in known_hosts file' button isn't checked. – Finncent Price Jan 25 '22 at 00:23