ssh-keygen -R saying (wrongly) no matches found

I've come across the not-uncommon issue where ssh keys on a host have changed, so they don't match what's saved in my ~/.ssh/known_hosts file. When I connect (in this case via an Ansible playbook), it freaks out with "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!", yada yada yada.

The usual fix for this is to run ssh-keygen -R <host-ip-or-name>, which deletes the offending entry. In this case the host is an ip:port combo, so I tried to run it like this:

ssh-keygen -R [xxx.xxx.xx.xxx]:yyyyy

Instead of updating known_hosts, I get a message returned that says:

zsh: no matches found: [xxx.xxx.xx.xxx]:yyyyy

I tried running it without the port, just in case (ssh-keygen -R xxx.xxx.xx.xxx). That gives a "host not found" error.

What am I doing wrong?


The problem was actually the zsh shell. Given the [xxx.xxx.xx.xxx]:yyyyy syntax, zsh was interpreting the []s as a globbing pattern. That's why I was getting a "zsh: no matches found" error.

In the old Bash shell, this isn't a problem, and the command I gave runs perfectly.

The solution in zsh is to quote the whole hostname, like this:

ssh-keygen -R "[xxx.xxx.xx.xxx]:yyyyy"