Avamar: "Man-in-the-middle attack" warnings received

Summary: "Man-in-the-middle attack" warnings are received when trying to connect to an Avamar node using SSH.


Symptoms

When trying to log in to an Avamar node using SSH, the following error appears:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
e2:**:**:**:05:c9:c8:72:c9:f5:e1:**:**.
Please contact your system administrator.
Add correct host key in /home/admin/.ssh/known_hosts to get rid of this message.
Offending key in /home/admin/.ssh/known_hosts:5
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,*****-with-mic,password).

Cause

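This is a security message from the SSH client. The host key presented by the destination node does not match the key stored for that host in known_hosts, which can indicate a man-in-the-middle attack.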

This warning may occur for the following reasons:
  • Man-in-the-middle attack
  • The RSA key on the destination node has been changed
 
The RSA key may have changed because:
  • The hardware has been changed (for example, a node transplant)
  • The hostname has changed
  • RSA keys have been regenerated

Resolution

Warning: If there is no known reason why the RSA keys have been changed, then the security of the network must be checked.
 
 

Remove the old RSA key from the known_hosts file on the originating node (this is likely the Avamar Utility Node) only if the reason that the RSA keys have changed is known:

1. Back up the existing known_hosts file:

cp -p /home/admin/.ssh/known_hosts  /home/admin/.ssh/known_hosts.`date +%y%m%d`
 

2. Remove the old RSA key:

Example: If connecting from "Avamar-Util1" to "Avamar-Storage3" and the warning above is received, run the following command on "Avamar-Util1":

ssh-keygen -R Avamar-Storage3 
 

Expected output:

Avamar-Storage3 found: line 5
/home/admin/.ssh/known_hosts updated.
Original contents retained as /home/admin/.ssh/known_hosts.old
 

If the following error is received, verify the name under which the RSA key is stored (the entry in known_hosts could be the IP address or the Fully Qualified Domain Name (FQDN)):

ssh-keygen -R Avamar-Storage3
Host Avamar-Storage3 not found in /home/admin/.ssh/known_hosts
 

3. Attempt to log in again.

The following should be seen during the first login attempt:

Avamar-Storage3,10.x.x.4' (ECDSA) to the list of known hosts 
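
The steps above rely on knowing why the key changed. As an added example (not part of the Dell article), the shell functions below also compare the key the node now presents with a copy of its host public key obtained over a trusted path, and only then perform steps 1 and 2. The function names, the trusted-copy file (PUB) and the use of ssh-keyscan are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Dell's procedure: confirm the key a node now presents
# against a copy obtained out-of-band, then perform steps 1 and 2.
# Assumed input: PUB is the node's host public key file copied over a trusted
# path (for example from its console); function names are hypothetical.

# Print "keytype blob" for each key line of a *.pub, known_hosts or
# ssh-keyscan file; comment lines and host/comment fields are dropped.
key_fields() {
    awk '!/^#/ {
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) {
                print $i, $(i + 1); break
            }
    }' "$1"
}

# key_matches PUB SCAN: 0 if SCAN offers a key identical to one in PUB,
# 1 if none matches, 2 if either file holds no key at all.
key_matches() {
    want=$(key_fields "$1"); got=$(key_fields "$2")
    [ -n "$want" ] && [ -n "$got" ] || return 2
    printf '%s\n' "$got" | grep -Fxq -e "$want"
}

# replace_host_key HOST PUB [KNOWN_HOSTS]: touch known_hosts only on a match.
replace_host_key() {
    host=$1; pub=$2; kh=${3:-/home/admin/.ssh/known_hosts}
    scan=$(mktemp) || return 1
    ssh-keyscan -T 5 "$host" > "$scan" 2>/dev/null
    if key_matches "$pub" "$scan"; then
        cp -p "$kh" "$kh.$(date +%y%m%d)"                   # step 1
        ssh-keygen -R "$host" -f "$kh"                      # step 2
        grep -F -e "$(key_fields "$pub")" "$scan" >> "$kh"  # add verified key
        rc=0
    else
        echo "$host: presented key does not match $pub; $kh unchanged" >&2
        rc=1
    fi
    rm -f "$scan"
    return "$rc"
}
```

Example call on the originating node: replace_host_key Avamar-Storage3 /tmp/Avamar-Storage3.pub, where the .pub file is the trusted copy. A non-zero return leaves known_hosts untouched, which is the case the Warning above covers.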

Affected Products

Avamar, Avamar Server
Article Properties
Article Number: 000037799
Article Type: Solution
Last Modified: 30 Sept 2025
Version:  6