Remote Host Identification Changed - Fix for macOS and Linux

Posted by Ziyan Junaideen |Published: 23 October 2021 |Category: Apple

The Remote Host Identification Changed warning is designed to grab your attention and rightfully so. How should you respond to this warning?

jdeen@iMac:/Volumes/Dev/Work/WoA/WebSite|refactor/rails6
⇒  ssh ziyan@wonderof.asia
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:glCx/aXDqqLn9ozQdvTYFzPfm34A2uEB9l6gwmZVal4.
Please contact your system administrator.
Add correct host key in /Users/jdeen/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/jdeen/.ssh/known_hosts:38
ECDSA host key for wonderof.asia has changed and you have requested strict checking.
Host key verification failed.

The message boils down to this: the host key the server presents no longer matches the one your computer remembered. If the server wasn't changed or rebuilt, this could be the result of a security breach.

Fix using ssh-keygen

The easiest way to address the issue is with ssh-keygen. Run the command with -R (remove) to delete the stored host key for that host. With no stored key to compare against, the next connection no longer fails with this error; the client treats the server as a host it has not seen before.

=> ssh-keygen -R <DOMAIN>.<EXT>
=> ssh-keygen -R wonderof.asia

Manual fix

You can also manually edit the file and remove the particular line. In the above example, the warning mentions /Users/jdeen/.ssh/known_hosts:38. What I need to do is open the known_hosts file and delete line 38.

There are various ways to do it. You can open the file using your favorite editor and remove the particular line. My favourite editor is nvim (Neovim).

=> nvim  /Users/jdeen/.ssh/known_hosts

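But I prefer to use sed to delete the line by its number. It's much cleaner.

=> sed -i.bak -e '38d' /Users/jdeen/.ssh/known_hosts

Explanation: The -e option introduces a sed command, and the command 38d translates to "delete line number 38". The -i.bak option makes sed edit the file in place and keep the original as known_hosts.bak; without -i, sed only prints the result to the terminal and leaves the file unchanged.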

Why this happens

When you SSH into a remote server, your SSH client compares the server's host key (also called the host key fingerprint or key fingerprint; an ECDSA key in the example above) with the key on file for the domain name/IP. If it doesn't have a key on file, the SSH client will prompt you as follows:

=> ssh ziyan@wonderof.asia
The authenticity of host 'ziyan@wonderof.asia (178.128.60.212)' can't be established.
ECDSA key fingerprint is SHA256:glCx/aXDqqLn9ozQdvTYFzPfm34A2uEB9l6gwmZVal4.
Are you sure you want to continue connecting (yes/no)? 

Once you answer yes to the prompt, the client stores the host key for the domain name. This host key is then used to verify the server on later connections.

Assume the server you are connecting to was reset (for example, an OS clean install). Then the server's host key will change. The SSH client will check the new key and discover that it is different from the one on file. A mismatch like this could also mean that you are experiencing a man-in-the-middle attack, which is the reason behind the warning message.
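Removing the stored entry silences the warning but does not tell you which of the two explanations applies. The sketch below is an added example, not code from the original post: it replaces a host's known_hosts entry only when the offered key's SHA256 fingerprint matches one obtained out of band (from the server console or its administrator). The function names, the example.org entry and the key bytes are constructed for illustration.

```python
import base64
import hashlib

def fingerprint(key_b64):
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def replace_host_key(known_hosts_text, host, offered_line, trusted_fp):
    """Return (new_text, replaced); offered_line is 'host keytype base64key'.

    All entries naming `host` are dropped (as ssh-keygen -R does) and the
    offered key is stored only when its fingerprint equals trusted_fp.
    Hashed (|1|...) entries and @marker lines are left untouched.
    """
    _, keytype, key_b64 = offered_line.split()[:3]
    if fingerprint(key_b64) != trusted_fp:
        return known_hosts_text, False  # mismatch: keep the old entry, investigate
    kept = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        is_entry = len(fields) >= 3 and not line.startswith(("#", "@", "|"))
        if is_entry and host in fields[0].split(","):
            continue  # stale key for this host
        kept.append(line)
    kept.append(f"{host} {keytype} {key_b64}")
    return "\n".join(kept) + "\n", True

# Constructed sample data: placeholder bytes, not real host keys.
OLD = base64.b64encode(b"constructed old host key").decode()
NEW = base64.b64encode(b"constructed new host key").decode()
ROGUE = base64.b64encode(b"constructed unexpected key").decode()
KNOWN_HOSTS = (
    f"example.org ssh-ed25519 {OLD}\n"
    f"wonderof.asia,178.128.60.212 ecdsa-sha2-nistp256 {OLD}\n"
)
# Assumption: in practice this value is read from the rebuilt server itself.
TRUSTED_FP = fingerprint(NEW)

if __name__ == "__main__":
    for blob in (NEW, ROGUE):
        offered = f"wonderof.asia ecdsa-sha2-nistp256 {blob}"
        _, replaced = replace_host_key(KNOWN_HOSTS, "wonderof.asia", offered, TRUSTED_FP)
        print("replaced" if replaced else "kept old entry: fingerprint mismatch")
```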
