This topic describes the cause of and solution to the "error: Unable to load host key: /etc/ssh/ssh_host_rsa_key" error that appears in the instance logs when you cannot connect to a Linux Elastic Compute Service (ECS) instance by using an SSH client.
Problem description
You cannot connect to a Linux ECS instance by using SSH. After you log on to the instance by using Virtual Network Computing (VNC) and run the cat /var/log/secure or cat /var/log/messages command to view logs (on systemd-based distributions without a syslog daemon, run journalctl -u sshd instead), the following error messages appear:
error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
error: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
error: Permissions 0777 for '/etc/ssh/ssh_host_rsa_key' are too open.
error: It is required that your private key files are NOT accessible by others.
error: This private key will be ignored.
error: Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
error: Unable to load host key: /etc/ssh/ssh_host_rsa_key
error: Unable to load host key "/etc/ssh/ssh_host_rsa_key": invalid format
error: Unable to load host key "/etc/ssh/ssh_host_rsa_key": invalid format
error: Unable to load host key: /etc/ssh/ssh_host_rsa_key
error: Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": invalid format
error: Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": invalid format
error: Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
Cause
The preceding errors appear because the sshd daemon cannot load its SSH host keys from the key files in /etc/ssh. The host key files may be affected by the following problems:
Incorrect permissions on the private key files, which cause sshd to refuse to read them.
The default permissions for a private host key file are 600 (readable and writable by root only). If the permissions are changed to a value such as 777, the group and other permission bits grant other users read or modify access. sshd treats a private key that is accessible by others as a security risk: it logs the "UNPROTECTED PRIVATE KEY FILE" warning and the "bad permissions" error and ignores the key.
Damaged files, such as a host key file that is empty, truncated, overwritten, tampered with, or deleted. sshd logs the "invalid format" error for such a file.
If none of the host keys can be loaded, sshd cannot start, and every SSH connection to the instance fails.
Solution
To resolve the issue, regenerate the SSH host key files by performing the following steps:
Connect to the Linux ECS instance by using VNC.
For more information, see Methods for connecting to an ECS instance.
Regenerate the SSH host key files. The ssh-keygen -A command generates a host key of each default type (RSA, ECDSA, and Ed25519) only where no key file exists, which is why the old files are removed first.
sudo rm -f /etc/ssh/ssh_host_*
sudo /usr/bin/ssh-keygen -A
sudo chmod 600 /etc/ssh/ssh_host_*
sudo chmod 644 /etc/ssh/*.pub
Run the following command to check whether the SSH host key files are regenerated:
ls -l /etc/ssh
Restart the SSH service.
sudo systemctl restart sshd.service
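The following script is an added example and is not part of the original article. It reproduces, as a pre-flight check, the two conditions that sshd reports as "bad permissions" and "invalid format", and then packages the regeneration steps above into a single function that also validates the new keys with sshd -t before restarting the service. It assumes a GNU or busybox stat that supports -c '%a', OpenSSH's ssh-keygen and sshd on PATH, and a systemd-managed sshd.service; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: a pre-flight check that
# reproduces the two conditions sshd reports as "bad permissions" and
# "invalid format", plus the regeneration steps from the article.
# Assumptions: GNU/busybox stat (-c '%a'), OpenSSH's ssh-keygen and sshd on
# PATH, a systemd-managed sshd.service. Function names are this example's own.

# sshd ignores a private key owned by the uid it runs as (root) when any
# group or other permission bit is set, i.e. (mode & 077) != 0. The last two
# octal digits of the mode must therefore be 00 (0600 or 0400).
# Some distribution-patched builds additionally accept 0640 with a dedicated
# key group; this check applies the upstream rule only.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# "invalid format" covers empty, truncated or overwritten key files. A cheap
# structural check: the file is non-empty and framed by a PEM/OpenSSH
# "BEGIN ... PRIVATE KEY" / "END ... PRIVATE KEY" pair. It does not decode the
# key, so it catches the common damage, not every possible corruption.
key_format_ok() {
    [ -s "$1" ] && [ -r "$1" ] || return 1
    first=$(head -n 1 "$1")
    last=$(tail -n 1 "$1")
    case "$first" in "-----BEGIN "*" PRIVATE KEY-----") ;; *) return 1 ;; esac
    case "$last"  in "-----END "*" PRIVATE KEY-----")   ;; *) return 1 ;; esac
    return 0
}

# Walk every ssh_host_*_key in DIR (default /etc/ssh), print one verdict per
# file and return non-zero if any key would be rejected by sshd.
check_host_keys() {
    dir=${1:-/etc/ssh}
    rc=0
    for key in "$dir"/ssh_host_*_key; do
        if [ ! -e "$key" ]; then
            echo "no host keys found in $dir"
            return 1
        fi
        if ! key_mode_ok "$key"; then
            echo "BAD PERMISSIONS: $key (mode $(stat -c '%a' "$key"), expected 0600)"
            rc=1
        elif [ ! -r "$key" ]; then
            echo "cannot read $key: rerun as root to test the format"
            rc=1
        elif ! key_format_ok "$key"; then
            echo "INVALID FORMAT: $key (empty, truncated or not a private key file)"
            rc=1
        else
            echo "ok: $key"
        fi
    done
    return "$rc"
}

# The article's fix for /etc/ssh (run as root). ssh-keygen -A creates every
# default host key type that is missing, so the old files are removed first.
# sshd -t loads the new keys before the restart, so a still-broken setup is
# caught while the VNC session is open rather than after sshd is down.
regenerate_host_keys() {
    rm -f /etc/ssh/ssh_host_*
    ssh-keygen -A
    chmod 600 /etc/ssh/ssh_host_*_key
    chmod 644 /etc/ssh/ssh_host_*_key.pub
    # Print the new fingerprints now; compare them with what the SSH client
    # shows at the next connection before accepting the changed host key.
    for pub in /etc/ssh/ssh_host_*_key.pub; do
        ssh-keygen -lf "$pub"
    done
    sshd -t && systemctl restart sshd.service
}

# Usage: sh hostkeys.sh check [DIR]   (diagnose, works as any user for the
#                                      permission check)
#        sudo sh hostkeys.sh fix      (regenerate, validate, restart)
case "${1:-}" in
    check) check_host_keys "${2:-/etc/ssh}" ;;
    fix)   regenerate_host_keys ;;
esac
```

Run the check through the VNC session before touching anything, so you know which of the two conditions you are fixing. The fingerprints printed by the fix step are SHA256 by default; add -E md5 to ssh-keygen -lf if your client still prints the colon-separated MD5 form shown in the warning below, so the two values can be compared directly.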
What to do next
After new SSH host keys are configured, the following warning appears when you run an SSH command to connect to the Linux ECS instance. It appears because the known_hosts file on your on-premises device still stores the fingerprint of the old host key for the instance. Before you remove the stale entry, confirm through VNC that the fingerprint shown by the client matches the fingerprint of the newly generated key on the instance, because the same warning is produced by a real man-in-the-middle attack. For information about how to resolve the issue, see The system prompts "Host key verification failed" when logging on to the ECS instance over SSH.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ae:6e:68:4c:97:a6:91:81:11:38:8d:64:ff:92:13:50.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:70
RSA host key for x.x.x.x has changed and you have requested strict checking.
Host key verification failed.