How to resolve "Host key verification failed." error while generating TechSupport File

Created On 03/27/23 05:59 AM - Last Modified 04/09/25 20:13 PM


Objective


  • When the firewall acts as an SSH client to a remote system (for example, when it uses SCP to copy a tech support file to the TAC upload server), it records the remote system's SSH host public key together with the hostname and IP address in a known_hosts file; for the admin user this is /opt/pancfg/home/admin/.ssh/known_hosts.
  • The remote system's host key sometimes changes, for example when the server is rebuilt or a new host key pair is generated. Note that this is the SSH host key, not a TLS certificate; a change from a self-signed to a CA-signed certificate does not affect it.
  • When the remote host key has changed, the SSH client refuses to connect because strict host key checking is in effect, and the stale public key stored on the firewall must be deleted before the transfer can succeed.
  • This article explains and resolves that issue.
  • On first contact the firewall records the key and the output looks like this:
Finish generating tech support.
The authenticity of host 'tacupload.paloaltonetworks.com (199.167.52.81)' can't be established.
RSA key fingerprint is SHA256:h9thiu2iiPrzNw2quEqHhLlF3RTmBeVsXg0R18aR3/s.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'tacupload.paloaltonetworks.com,199.167.52.81' (RSA) to the list of known hosts.
Welcome to the TAC Upload Service. 
  • When the key stored on the firewall no longer matches the key the remote host presents (the fingerprint above changes), the following error appears:
Finish generating tech support.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:h9thiu2iiPrzNw2quEqHhLlF3RTmBeVsXg0R18aR3/s.
Please contact your system administrator.
Add correct host key in /opt/pancfg/home/admin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /opt/pancfg/home/admin/.ssh/known_hosts:1 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
RSA host key for tacupload.paloaltonetworks.com has changed and you have requested strict checking.
Host key verification failed.
lost connection

 



Environment


  • Palo Alto Firewall
  • Supported PAN-OS
  • Certificates


Procedure


Before deleting anything, confirm out of band that the host key really changed, for example by asking the remote system's administrator for the new fingerprint or by running ssh-keyscan from a trusted workstation and comparing the SHA256 value with the one printed in the warning; the warning exists precisely because the same symptom is produced by a man-in-the-middle. Once the new fingerprint is confirmed, use the command below to delete the stored ssh-known-hosts file for the user named in the error message (the path /opt/pancfg/home/admin/.ssh/known_hosts in the highlighted line identifies the admin user). The self option deletes the file for the administrator running the command; user <name> deletes it for another administrator. On the next connection the firewall records the remote host key again, as in the first output above.

admin@PA-VM> delete authentication user-file ssh-known-hosts 
> self   Delete ssh-known-hosts file for self
> user   user 

admin@PA-VM> delete authentication user-file ssh-known-hosts self 
ssh-known-hosts file doesnot exist yet for admin
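A practitioner should check that the fingerprint the firewall complains about is the one the upload server really presents now; a fingerprint that matches neither the stored key nor a copy obtained out of band is exactly the man-in-the-middle case the warning describes. The following Python script is an added example, not code from the article or from Palo Alto Networks: it reproduces how OpenSSH derives the SHA256 fingerprint printed in the warning (base64 of the SHA-256 digest of the raw public key blob, padding stripped), parses the warning text, locates the offending known_hosts line, and compares the reported fingerprint with a key obtained from a trusted workstation (for instance the output of `ssh-keyscan -t rsa tacupload.paloaltonetworks.com`). The host keys and the known_hosts content are constructed with toy-sized RSA moduli for the example; the only real value is the fingerprint quoted from the article's own warning output.

```python
"""Verify a changed SSH host key before clearing the firewall's known_hosts.

Added example (not part of the Palo Alto Networks article). All host keys and
the known_hosts content below are constructed; only ARTICLE_WARNING is quoted
from the article's real output.
"""
import base64
import hashlib
import re
import struct

# Key-type name as printed in the warning -> key-type token prefix in known_hosts.
WARNING_TYPE_TO_KNOWN_HOSTS = {"RSA": "ssh-rsa", "ED25519": "ssh-ed25519", "ECDSA": "ecdsa-sha2-"}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, extra 0x00 if the MSB is set."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_rsa_public_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(raw blob)) with '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts_line(line: str):
    """Return (hosts, keytype, key_b64) for a plain entry; None for blank, comment
    or '@marker' lines (this simple checker does not handle @cert-authority)."""
    line = line.strip()
    if not line or line[0] in "#@":
        return None
    fields = line.split()
    return (fields[0].split(","), fields[1], fields[2]) if len(fields) >= 3 else None


def parse_host_changed_warning(text: str) -> dict:
    """Extract key type, fingerprint, known_hosts path/line and host from the warning."""
    fp = re.search(r"fingerprint for the (\S+) key sent by the remote host is\s+(SHA256:[A-Za-z0-9+/]+)", text)
    off = re.search(r"Offending \S+ key in (\S+):(\d+)", text)
    host = re.search(r"\S+ host key for (\S+) has changed", text)
    if not (fp and off and host):
        raise ValueError("not a recognisable host-key-changed warning")
    return {"keytype": fp.group(1), "fingerprint": fp.group(2), "known_hosts_path": off.group(1),
            "offending_line": int(off.group(2)), "host": host.group(1)}


def offending_entry(known_hosts_text: str, lineno: int):
    """The known_hosts entry the warning points at (1-based, as OpenSSH reports it)."""
    lines = known_hosts_text.splitlines()
    return parse_known_hosts_line(lines[lineno - 1]) if 1 <= lineno <= len(lines) else None


def safe_to_replace(warning_text: str, scanned_line: str) -> bool:
    """True only if the key fetched out of band has exactly the fingerprint the firewall
    complained about. Anything else means a third key is in play: do not delete."""
    facts = parse_host_changed_warning(warning_text)
    parsed = parse_known_hosts_line(scanned_line)
    if parsed is None:
        return False
    hosts, keytype, key_b64 = parsed
    if facts["host"] not in hosts or not keytype.startswith(WARNING_TYPE_TO_KNOWN_HOSTS.get(facts["keytype"], "")):
        return False
    return fingerprint_sha256(key_b64) == facts["fingerprint"]


# Quoted from the article's own output (real fingerprint, real path).
ARTICLE_WARNING = """\
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
The fingerprint for the RSA key sent by the remote host is
SHA256:h9thiu2iiPrzNw2quEqHhLlF3RTmBeVsXg0R18aR3/s.
Add correct host key in /opt/pancfg/home/admin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /opt/pancfg/home/admin/.ssh/known_hosts:1
RSA host key for tacupload.paloaltonetworks.com has changed and you have requested strict checking.
Host key verification failed.
"""

# Constructed sample data: toy-sized moduli (real keys are 2048+ bits).
HOST = "tacupload.paloaltonetworks.com"
OLD_KEY = base64.b64encode(build_rsa_public_blob(65537, 0xC0FFEE0000000001)).decode()
NEW_KEY = base64.b64encode(build_rsa_public_blob(65537, 0xDEADBEEF00000003)).decode()
KNOWN_HOSTS = f"{HOST},199.167.52.81 ssh-rsa {OLD_KEY}\n"      # what the firewall stored
SCANNED = f"{HOST} ssh-rsa {NEW_KEY}"                           # ssh-keyscan from a trusted host
WARNING_TEMPLATE = ARTICLE_WARNING.replace("SHA256:h9thiu2iiPrzNw2quEqHhLlF3RTmBeVsXg0R18aR3/s", "{fp}")


def demo():
    """Walk through the check for a genuine key rotation and for an unrelated key."""
    warning = WARNING_TEMPLATE.format(fp=fingerprint_sha256(NEW_KEY))
    facts = parse_host_changed_warning(warning)
    stale = offending_entry(KNOWN_HOSTS, facts["offending_line"])
    print("firewall reports fingerprint :", facts["fingerprint"])
    print("stale entry fingerprint      :", fingerprint_sha256(stale[2]))
    print("out-of-band key fingerprint  :", fingerprint_sha256(NEW_KEY))
    genuine = safe_to_replace(warning, SCANNED)
    third = f"{HOST} ssh-rsa " + base64.b64encode(build_rsa_public_blob(3, 0xBADC0DE)).decode()
    unrelated = safe_to_replace(warning, third)
    print("safe to delete known_hosts   :", genuine)
    print("safe with an unrelated key   :", unrelated)
    return genuine, unrelated


if __name__ == "__main__":
    demo()
```

The script runs off the firewall and needs no network access: paste the warning copied from the firewall and the ssh-keyscan line from a trusted host into it, and run the delete command only when safe_to_replace() reports True.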


 


Additional Information


Panorama and Log Collectors use a different command; refer to the KB article "Warning: Remote Host Identification has changed".



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kHWCCA2&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail