SSH "remote host identification has changed" warning, but it's not so simple

I'm getting this warning when trying to log in to my OpenWRT router (TP-Link Archer AX23) using SSH from my Android phone with Admin Hands app. But I'm not getting this message when trying to log in with SSH from my laptop running Linux. Both are connected to the router via the same wifi SSID. So why would only my phone show this message?

I am also having a lot of internet packet loss. I can't tell whether it is a problem with my ISP or with my router.

Could an internet packet loss problem cause the SSH error? Or is someone actually "doing something nasty"? I consider my wifi password and my root password to be pretty good. But then again, you can never be too sure. Also, I never share this SSID with anyone. I have an isolated SSID for other people. The main SSID is used only by me, so the connected devices should be trusted.

The error on my phone is showing a host Ed25519 key fingerprint that looks like a long MAC address with 32 hexadecimal digits. Is there a way to verify it from SSH login from my laptop (as my laptop is showing no such warning)? I don't want to use LuCI at the moment as I'm concerned about a possible man-in-the-middle. Highly unlikely though.

Could there be any other explanation? Thanks.

UPDATE: Confirmed that it is a problem with my wifi. Just connected via ethernet from another PC, and the packet loss issue is gone. Moreover, I'm getting unusual latency and packet loss when pinging the router itself from my laptop connected via wifi. So could this be the reason for the SSH error? And how do I fix this? Thanks.

UPDATE 2: * sighs * The guest wifi wasn't causing the packet loss. Disabling it fixed it temporarily, but it came back again. The reason was a slight repositioning of the USB wifi adapter which resulted in the signal being blocked somehow. After moving the adapter to the other side of the laptop and closer to the router, the packet loss issue seems to be fixed completely. Just another day in tech, the problem is often in the last place you look.

No, SSH runs over TCP which compensates for intermittent packet loss.

Sounds like Admin Hands shows fingerprints using MD5. (OpenSSH shows fingerprints using SHA256 nowadays.) Suppose you use this command on your laptop to connect to the router:

ssh root@OpenWrt.lan

Then, assuming you're running OpenSSH on your laptop, use this command to see the fingerprint the laptop sees:

ssh-keygen -l -E md5 -F OpenWrt.lan

Replace OpenWrt.lan with whatever domain or IP address you usually use.

Might be a bug in Admin Hands. Test with an alternative SSH client like ConnectBot and see if you get the same warning.

This can also happen if you reinstall OpenWrt without saving the configuration. A fresh OpenWrt will always generate new keys, which are going to be different from any previously cached host keys.

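The two fingerprint formats mentioned in the reply above (the 32-hex-digit MD5 form and OpenSSH's SHA256 form) are both hashes of the same host key blob. This added example is not part of the original thread; it derives both forms from a known_hosts-style line and checks a fingerprint shown by another client against it. The key is constructed for illustration, the function names are hypothetical, and plain (unmarked) known_hosts lines are assumed.

```python
import base64
import hashlib
import struct


def constructed_line(host, seed):
    """known_hosts-style line around a constructed (not real) Ed25519 key."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", raw))
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def key_blob(line):
    """Decode the key blob from a plain 'host keytype base64 [comment]' line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    blob = base64.b64decode(fields[2], validate=True)
    # The blob begins with its own length-prefixed type name; it must agree
    # with the keytype field, otherwise the line is malformed.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[1].encode():
        raise ValueError("key type does not match key blob")
    return blob


def fingerprints(line):
    """Both renderings of the same key: legacy MD5 hex and SHA256 base64."""
    blob = key_blob(line)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def matches(line, shown):
    """True if the fingerprint a client displays belongs to this stored key."""
    fp = fingerprints(line)
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        return shown.rstrip("=") == fp["sha256"]
    hexpart = shown[4:] if shown.upper().startswith("MD5:") else shown
    return hexpart.replace(":", "").lower() == fp["md5"].replace(":", "")


if __name__ == "__main__":
    line = constructed_line("OpenWrt.lan", 1)
    print(fingerprints(line))
```

To check a real host, pass `matches` the router's line from the laptop's known_hosts file and the fingerprint the phone displays.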

Awesome! Thanks. Managed to verify the SSH fingerprint using the ssh-keygen command you said. I think the reason Admin Hands was showing this error was because I may have never connected to the router from the app after I had changed the router a while ago (I juggle multiple routers, so it does get a bit cloudy at times). I used the same local IP and root password as the old router, but of course the SSH fingerprint changed with the new router, hence the error.

The packet loss issue seemed to be caused by my guest wifi SSID for some reason. It's fine now after disabling the guest wifi. Maybe my router is having trouble managing 2 concurrent wifi SSIDs. Guess I'll have to figure something out for that. Thanks again!

This seems to be the most likely explanation. Glad to hear that at least this part has been figured out!

