tl;dr: I copied the text in the Host Keys section of the panel into my .ssh/known_hosts file, but the server identifies itself by a different key. Email support doesn’t seem to understand.
Long version: I’m an experienced Linux user and I use SSH every day at work. I’m by no means a security or administration expert, but I know my way around.
I bought a DreamHost VPS the other day and added a user to it in the panel (seems kind of odd how user names aren’t unique per instance – I’m not missing anything, right?) Ran ‘ssh email@example.com’ and got the usual “The authenticity of host … can’t be established”. Oh yeah, I should add the server’s public key to .ssh/known_hosts.
So I go visit the panel and I see that there’s an “SSH Keys” option under Users. Great! And it even has the known_hosts file syntax there so I don’t have to bother comparing fingerprints.
Except it doesn’t work. Text copied into known_hosts, tried again, got the REMOTE HOST IDENTIFICATION HAS CHANGED message.
Okay… I’m pretty sure this is a configuration error, so I turn off host key checking (-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no) and confirm that I can, actually, log in to the server. But I’d rather, you know, check the fingerprint. Even if I’m 99.8% sure I’m not being MITM’d, it’s just good sense.
I contacted support and got an email back pointing me to https://help.dreamhost.com/hc/en-us/articles/217239087-Updating-host-keys. All the proposed “solutions” on that page just deal with removing the wrong key(s) from .ssh/known_hosts; they don’t address verifying the correct key. (The page even has a dramatic message about this making you vulnerable to MITM attacks.) So I responded to clarify my issue and got another email back saying to run ssh-keygen -R $hostname, which is the same thing the first guy proposed.
So I’m operating on the assumption that email support is, let’s put this nicely, not completely understanding my issue. But, for now, I’m willing to keep trying. How do I get in touch with someone who can tell me what to put in .ssh/known_hosts?