@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:gEFs4gmKdgDsV2n3UhB/lNhZ/sLSM8q+5VIbl+D1S3c.
Please contact your system administrator.
Add correct host key in /dev/null to get rid of this message.
Offending RSA key in /var/lib/sss/pubconf/known_hosts:8
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
This is not a normal ssh error that can be fixed by editing ~/.ssh/known_hosts and removing the relevant key entries or by using the command ssh-keygen -f ~/.ssh/known_hosts -R <host>. If you try to do it, the key will come back and ends up with the same error.
Another option that we are tempted to try is to remove the offending key from /var/lib/sss/pubconf/known_hosts. This also will end in failure
Most probably this error occurs when the server was part of IPA setup and you just re-installed the server without removing the relevant configuration from the IPA server.In this case IPA server will still have the keys associated with the server before it got re-installed and we have to first remove the keys from the IPA server.
You can do that from the IPA Identity Management Web UI by browsing to Hosts--> <yourhostname> -->Settings. Now scroll down to the SSH Public keys section and then remove the keys and save it.
Now you should be able to login to your server using ssh as usual.