IBM Support

QRadar: SSH to host fails with error "No ECDSA host key is known for <Remote Host IP> and you have requested strict checking"



SSH and any application that uses SSH to establish connections such as SCP, SFTP, and RSYNC fails to connect to an unmanaged QRadar appliance with an error such as "ERROR: Host key verification failed". This issue affects procedures such as copying QRadar SFS files to patch a host to match the Console's version before adding the appliance to the deployment.



The SSH connection attempt fails with an error similar to the following:
ERROR: No ECDSA host key is known for <Remote Host IP> and you have requested strict checking.
ERROR: Host key verification failed.

Note: This is a separate issue from the error "ECDSA host key for X.X.X.X has changed and you have requested strict checking." For that error, see QRadar: SSH fails with error "Offending ECDSA key in /root/.ssh/known_hosts:"


When "strict checking" is enforced, the SSH connection requires the host's public key to exist in the /root/.ssh/known_hosts file.
On older versions, the missing key entry generated a warning. The administrator could choose Y to proceed with the connection or abort it.

Resolving The Problem

  1. Log in to the host that is having issues with establishing an SSH connection.
  2. SSH to the remote host while using the option to disable strict checking.
    Note: Do not use this option for future SSH attempts. This option is only used once because it adds the entry in the /root/.ssh/known_hosts file.
    ssh <user>@<Remote Host IP> -o StrictHostKeyChecking=no
    Expected output:
    Warning: Permanently added '<Remove Host IP>  (ECDSA) to the list of known hosts.
    <user>@<Remove Host IP> 's password:
  3. Enter the user password to complete the connection.

    To test whether the issue is resolved, exit the SSH session and attempt to connect again without disabling strict checking. If you still face connection issues, see QRadar: Troubleshooting SSH when connections cannot be established.

Document Location


[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
02 June 2023