Handling error messages when your SFTP server changes

We recently got an inquiry about what to do when the server that you upload your website to over SFTP has changed. SFTP is a secure file transfer method, much better than FTP, that uses your Mac's SSH system to encrypt the data (and login information) that it uploads.

SSH needs to be sure that your Mac is really talking to the same server as before, and that another computer isn't impersonating the one you expected to be talking to (this is called a "man in the middle" attack). To do that, your Mac stores a "signature" of the server (its host key) the first time you connect to it. If that signature has changed, which is usually legitimate, such as when the server's computer is upgraded, then you will not be able to connect with SFTP. If you look at the publishing transcript from Sandvox (from the Help menu), you will see a warning something like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 


The RSA host key for … has changed, …

Of course this problem isn't specific to Sandvox, or even SFTP.  Any connection over SSH ("Secure Shell") will show this message if the server has changed. (See this forum post and this forum post for other examples of people having this kind of problem.)

Keep in mind that the warning is there for a reason. It's probably a good idea to get in touch with your Internet host and tell them about the issue. Chances are very high that they will have a good explanation, and that nobody is trying to break into your connection and crack your website! But it's a good idea to be watchful just the same.

As those forum posts point out, the solution is to get rid of the old signature, so that your Mac no longer remembers the server's old information. The next time you connect, it will remember the new signature.

If you are adept at the command line, you can probably find and edit (or delete) the file quickly. Since Mac users are not supposed to need the command line, however, here is how to do it from the Finder.

In the Finder, choose Go to Folder… from the Go menu.

Type or paste this (tilde, forward slash, period, ssh) into the input field: ~/.ssh

Click the Go button.

Now you will be viewing the contents of the ".ssh" folder in your home folder.  (It's normally a hidden folder.)

The quickest thing to do is to just drag the file "known_hosts" into the trash. However, that will forget the signatures of all the servers you have connected to. So a more refined method would be to delete just the signature that is affected.  Here's how to do that.

Drag the "known_hosts" file into the icon for TextEdit.  (Or, control-click/right-click on the icon and choose Open With ▶ TextEdit.) If you have a preferred text editor like BBEdit, SubEthaEdit, TextMate, etc., feel free to use that instead!

Don't Panic! This file is not meant to be read by mere mortals, so it's going to look like junk. Look for the host name that you are trying to replace — the server that was giving you trouble.  It will be at the beginning of a line.

Triple-click to select that entire line — the host followed by the unreadable stuff. Delete that line.

Save the file.

Now you should be able to connect to the host!
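For readers who are comfortable in Terminal, here is the same "delete just one line" cleanup done with OpenSSH's own ssh-keygen tool. This is an added example, not part of the original post; the function name forget_host and the host names in the comments are made up for illustration. It prints the stored fingerprint first, so you have something to quote to your Internet host, and it also works when known_hosts stores host names in hashed form, where the host name is not visible at the beginning of a line.

```shell
#!/bin/sh
# forget_host HOST [KNOWN_HOSTS_FILE]   (hypothetical helper name)
#
# Shows the fingerprint currently stored for HOST, then removes only that
# host's entries. Every other server's line is left alone.
forget_host() {
    host=$1
    file=${2:-$HOME/.ssh/known_hosts}

    if [ -z "$host" ]; then
        echo "usage: forget_host HOST [KNOWN_HOSTS_FILE]" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "no such file: $file" >&2
        return 1
    fi

    # -F searches for HOST, including hashed entries; -l prints the key
    # fingerprint instead of the long unreadable key itself.
    found=$(ssh-keygen -F "$host" -f "$file" -l 2>/dev/null) || true
    if [ -z "$found" ]; then
        echo "no entry for $host in $file" >&2
        return 1
    fi
    echo "Stored (old) key for $host:"
    printf '%s\n' "$found"

    # -R removes every entry for HOST and keeps the previous file
    # contents next to it as "<file>.old".
    ssh-keygen -R "$host" -f "$file" >/dev/null 2>&1 || return 1
    echo "Removed $host from $file (backup: $file.old)"
}

# Run as a script:  sh forget_host.sh www.example.com
# (www.example.com is a placeholder; use the host named in the warning.)
if [ "$#" -gt 0 ]; then
    forget_host "$@"
fi
```

If the server is reached on a non-standard port, known_hosts records it as [host]:port, and that same form has to be passed as HOST.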