When I remove known hosts and root into the server I get
ssh root@staging.domain.com
The authenticity of host 'staging.domain.com (xxx.xxx.x.xxx)' can't be established.
ECDSA key fingerprint is SHA256:rrOwnKUvZ825dQKvm93QClAedbcnAvbN9mUCLdQ8FE8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'staging.domain.com,xxx.xxx.x.xxx' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-103-generic x86_64)
and then on trying to provision I get
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
If this change in host keys is expected (e.g., if you rebuilt the server
or if the Trellis sshd role made changes recently), then run the following
command to clear the old host key from your known_hosts.
ssh-keygen -R xxx.xxx.x.xxx
Then try your Trellis playbook or SSH connection again.
If the change is unexpected, cautiously consider why the host identification
may have changed and whether you may be victim to a man-in-the-middle attack.
---------------------------------------------------
The fingerprint for the ED25519 key sent by the remote host is
SHA256:OjjAsHwOui3Ql1XN+VQBNIB/dR9zgU60rrH4oHl8SnM.
Add correct host key in /Users/jasper/.ssh/known_hosts to get rid of this
message.
Offending ECDSA key in /Users/jasper/.ssh/known_hosts:84
ED25519 host key for xxx.xxx.x.xxx has changed and you have requested strict
checking.
Host key verification failed.
fatal: [xxx.xxx.x.xxx]: FAILED! => {
"changed": false,
"failed": true
}
So it seems there are two different fingerprints… very odd… And when I accept if for root and try to provision again post ssh-keygen -R xxx.xxx.x.xxx I get to hear access is denied as the earlier post showed.
Also , in the auth.log I saw Dec 27 07:49:12 domain-staging sshd[2013]: input_userauth_request: invalid user admin [preauth]