Where do I get SSH host key fingerprint to authorize the server?
Obtaining host key from PuTTY
If you already have the host key cached in the PuTTY SSH client, you can import a PuTTY stored session to WinSCP, including the cached host keys. Make sure the Import cached host keys for checked sites option is checked when importing the sessions.
You can also have the fingerprint displayed in an SSH terminal using the ssh-keygen command (on *nix servers using OpenSSH server):
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key
ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key
Host key of your virtual server
A special case is getting the host key of a server that you administer yourself, yet you do not have a direct secure line to connect through. This is common for virtual servers or servers in a cloud. In such a case, the server provider should have a specific solution. For example, the provider may run a specialized server in the same private network as your server, with publicly known host keys. You can connect to this specialized server and, from it, securely connect to your server (e.g. using an SSH terminal). As you are connecting within a private network, you can safely trust any host key. Once connected to your server, acquire its host key. With that, you can finally connect directly yet securely over a public network. Alternatively, the server provider can provide the host key via some administrative interface. For example, see a solution for Amazon EC2, Google Compute Engine or Microsoft Azure.
Automatic host key verification
When writing a WinSCP script or code using WinSCP .NET assembly, use the same methods as described previously to obtain the host key.
In scripting, specify the expected fingerprint using the -hostkey switch of the open command. With the .NET assembly, use the SessionOptions.SshHostKeyFingerprint property.
If you have already verified the host key for your GUI session, go to the Server and Protocol Information Dialog and see the Server Host key Fingerprint box. You can have WinSCP generate the script or code for you, including the -hostkey switch or SessionOptions.SshHostKeyFingerprint property.
In exceptional situations, when security is not required, such as when connecting within a trusted private network, you can use -hostkey=* or SessionOptions.GiveUpSecurityAndAcceptAnySshHostKey to blindly accept any host key.
If you want to allow a user to manually verify the host key, use the Session.ScanFingerprint method to retrieve the key fingerprint. Then let the user verify it and assign the verified value to the SessionOptions.SshHostKeyFingerprint property.
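The manual verification flow described above, as an added C# example that is not part of the original WinSCP documentation. The host name, user name and password are constructed placeholders, and the example assumes a WinSCP .NET assembly release in which Session.ScanFingerprint takes the fingerprint algorithm as its second argument.

```csharp
using System;
using WinSCP;

class VerifyHostKeyExample
{
    static int Main()
    {
        // Constructed placeholder connection details (assumptions, not from the page).
        SessionOptions sessionOptions = new SessionOptions
        {
            Protocol = Protocol.Sftp,
            HostName = "sftp.example.com",
            UserName = "user",
            Password = "password-placeholder",
        };

        // Step 1: retrieve the fingerprint the server presents, without logging in.
        string fingerprint;
        using (Session scanSession = new Session())
        {
            fingerprint = scanSession.ScanFingerprint(sessionOptions, "SHA-256");
        }

        // Step 2: let the user compare it with the value obtained over a trusted
        // channel (ssh-keygen on the server, the provider's console, PuTTY cache).
        Console.WriteLine("Server presented host key fingerprint:");
        Console.WriteLine(fingerprint);
        Console.Write("Does it match the trusted value? (yes/no): ");
        string answer = Console.ReadLine();
        if (!string.Equals(answer?.Trim(), "yes", StringComparison.OrdinalIgnoreCase))
        {
            Console.WriteLine("Host key not verified, not connecting.");
            return 1;
        }

        // Step 3: pin the verified value. Open fails if the server later
        // presents a different key, so credentials are never sent to it.
        sessionOptions.SshHostKeyFingerprint = fingerprint;
        using (Session session = new Session())
        {
            session.Open(sessionOptions);
            Console.WriteLine("Connected with a verified host key.");
        }
        return 0;
    }
}
```

For unattended runs, store the verified fingerprint in configuration and assign it to SessionOptions.SshHostKeyFingerprint directly instead of prompting.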