This is an old revision of the document!

Where do I get SSH host key fingerprint to authorize the server?

Host key fingerprint is an integral part of session information

You should get an SSH host key fingerprint along with your credentials from a server administrator. Knowing the host key fingerprint and thus being able to verify it is an integral part of securing an SSH connection. It prevents man-in-the-middle attacks.

Advertisement

Safely obtaining host key

In the real world, most administrators do not provide the host key fingerprint.

Instead you can ask anyone else with a physical access to the server. The host key is only one and hence the same for all users. Also note that the host key fingerprint is generated from a public key part of the host key only. So it is not secret and can be safely sent over an unencrypted (yet trusted) communication channels.

If you do not have anyone else to obtain the fingerprint from, you may need to connect to the server without knowing the fingerprint. Before connecting for the first time, ensure a security of your local machine and a line to the server. For example if you plan to connect to the server from an external site (e.g. from home or a client), but you have a physical access to the server site, connect from the server site the first time (e.g. your workplace).

Once you connect, WinSCP caches the fingerprint and will ensure, that the key is unchanged every time you connect later on.

If you need to know the fingerprint later on for other purposes, like to verify the host key on another machine, or for automation, go to a Server and Protocol Information Dialog. See a Server Host key Fingerprint box.

Host key of your virtual server

A special case is getting host key of a server, that you are an administrator of yourself, yet you do not have a direct secure line to connect through. This is common for virtual servers or servers in a cloud. In such case a server provider should have a specific solution. For example a specialized server in the same private network as your server, with publicly known host keys. You can connect to this specialized server and from it, securely connect to your server (e.g. using SSH terminal). As you are connecting within private network, you can safely trust any host key. Once connected to your server, acquire its host key. With that you can finally connect directly yet securely over a public network. Alternatively, the server provider can provide the host key via some administrative interface. For example see a solution for Amazon EC2, Google Compute Engine or Microsoft Azure.

Advertisement

Last modified: by martin