How to verify the SSH fingerprint at Kinsta

When you access a server via SSH or SFTP/FTP you will receive a “fingerprint” from the server to confirm that it matches any existing “known hosts”. The known host is added to your computer when you first access the server. A change in the fingerprint could signal that you’re suffering from a “man-in-the-middle attack, ” meaning that a hacker is impersonating the host to intercept your data.

The fingerprint can also change if the site installation has been restored from a backup or copy of another site.

At Kinsta, you can check what the correct fingerprint is by typing the following command:

ssh-keygen -l -E sha256 -f <(cat /etc/ssh/ssh_host_*_key.pub)

Funny thing about that solution: you’d have to access via SSH to run that command.

So you would need to disregard the “man in the middle attack” message, clear your known hosts and then run that command after SSH’ing in.

The way WP Engine gets around this is by having a defined fingerprint that doesn’t change. WP Engine provided a nice article on how to verify your fingerprint here.

Kinsta has an article about How To Fix the “Warning: Remote Host Identification Has Changed” Error but that only clears the record in known hosts. Theoretically, if you remove the known hosts record without confirming what the correct fingerprint should be, you could be opening yourself up to that “man-in-the-middle attack”. So this is a bit of a head-scratcher to me.

To remove the error, you can do the following on a Mac.

  1. Open Terminal
  2. Type nano ~/.ssh/known_hosts
  3. Hit Control-w to enter search mode
  4. Locate the Host IP address and port number from the error message (looks something like this format [123.456.789.101]:12345) and paste it into Terminal, hitting enter to search
  5. If it exists in the known_hosts record, Terminal will jump to that line
  6. Hit Control-k to delete that line
  7. Hit Control-o and Enter to write to the file (a.k.a. “save” the file)
  8. Hit Control-x and Enter to leave the nano editor

You should now be able to access the Kinsta site via SSH. For more information, view the Kinsta documentation on How to connect to SSH at Kinsta.

Note: this article contains affiliate links to Kinsta and WP Engine. Use them to help us continue to create helpful content.

If you don’t want to fuss with hosting issues, let us manage your hosting. Contact us today to get started.