执行ssh-copy-id报错REMOTE HOST IDENTIFICATION HAS CHANGED

---

一、问题描述

执行 ssh-copy-id 复制公钥时报错：

[root@localhost .ssh]# ssh-copy-id 192.168.1.20
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
ERROR: Someone could be eavesdropping on you right now (man-in-the-middle attack)!
ERROR: It is also possible that a host key has just been changed.
ERROR: The fingerprint for the ECDSA key sent by the remote host is
ERROR: SHA256:hLIfltlMl6yklXMef6jV7+223344555555556.
ERROR: Please contact your system administrator.
ERROR: Add correct host key in /root/.ssh/known_hosts to get rid of this message.
ERROR: Offending ECDSA key in /root/.ssh/known_hosts:3
ERROR: ECDSA host key for 192.168.1.20 has changed and you have requested strict checking.
ERROR: Host key verification failed.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

二、解决方法

考虑为密钥不匹配，查看是否存在旧密钥：

ssh-keygen -l -f ~/.ssh/known_hosts
1

[root@localhost .ssh]# ssh-keygen -l -f ~/.ssh/known_hosts
256 SHA256:5SE+2cIdoP/IeYZgWnTa/w55555666777777 192.168.1.20 (ECDSA)
1
2

重新生成密钥：

ssh-keygen -R 192.168.1.20
1

[root@localhost .ssh]# ssh-keygen -R 192.168.1.20
# Host 192.168.1.20 found: line 3
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
[root@localhost .ssh]# ssh-copy-id 192.168.1.20
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.1.20 (192.168.1.20)' can't be established.
ECDSA key fingerprint is SHA256:hLIfltlMl6yklXMef6jV7+3RSpcLk6cKakWEwwwww.
ECDSA key fingerprint is MD5:5d:20:23:b5:4e:ca:dc:e1:48:3d:75:11:22:aa:62:c8.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.20's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.1.20'"
and check to make sure that only the key(s) you wanted were added.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

再次执行 ssh-copy-id 成功：

ssh-copy-id 192.168.1.20
1

[root@localhost .ssh]# ssh-copy-id 192.168.1.20
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.1.20 (192.168.1.20)' can't be established.
ECDSA key fingerprint is SHA256:hLIfltlMl6yklXMef6jV7+3RSpcLk6cKakWEwwwww.
ECDSA key fingerprint is MD5:5d:20:23:b5:4e:ca:dc:e1:48:3d:75:11:22:aa:62:c8.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.20's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.1.20'"
and check to make sure that only the key(s) you wanted were added.
1
2
3
4
5
6
7
8
9
10
11
12
13
14