ssh-keygen -R: Remove a Stale known_hosts Entry
ssh-keygen -R deletes all known_hosts entries for a host, the fix when its key has legitimately changed.
A rebuilt VPS gets a new host key, and the old known_hosts entry then blocks every connection. -R removes it cleanly so a fresh key can be added.
What it does
ssh-keygen -R removes every entry matching a hostname from the known_hosts file (default ~/.ssh/known_hosts, or -f for another). -H hashes the hostnames in a known_hosts file so they are not stored in plaintext. Both rewrite the file in place.
Common usage
# remove a stale host after it was rebuilt, then re-add
ssh-keygen -R host
ssh-keyscan host >> ~/.ssh/known_hosts
# operate on a custom file
ssh-keygen -R host -f ./known_hosts
# hash hostnames in a known_hosts file
ssh-keygen -H -f ~/.ssh/known_hostsOptions
| Flag | What it does |
|---|---|
| -R <host> | Remove all entries for the host |
| -f <file> | known_hosts file to edit (default ~/.ssh/known_hosts) |
| -H | Hash hostnames in the file |
| -F <host> | Find and print entries for a host |
In CI
On ephemeral runners you rarely need -R because known_hosts is rebuilt each job. It matters on persistent runners or shared caches where a rebuilt target keeps the old key around. After -R, re-add the new key with ssh-keyscan before connecting.
Common errors in CI
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! with "Offending key in ~/.ssh/known_hosts:N" is exactly the situation -R fixes; remove the host and re-scan. If -R reports nothing removed, the entry is hashed under a different name or the file path is wrong; use -F to locate it first.