Where do I get SSH host key fingerprint to authorize the server?

You should get an SSH host key fingerprint along with your credentials from a server administrator. Knowing the host key fingerprint and thus being able to verify it is an integral part of securing an SSH connection. It prevents man-in-the-middle attacks.

In the real world, most administrators do not provide the host key fingerprint.

Instead you can ask anyone else who has a physical access to the server or who already knows the host key. The host key is only one and hence the same for all users. Also note that the host key fingerprint is generated from a public key part of the host key only. So it is not secret and can be safely sent over unencrypted (yet trusted) communication channels.

If you do not have anyone else to obtain the fingerprint from, you may need to connect to the server without knowing the fingerprint. Before connecting for the first time, ensure a security of your local machine and a line to the server. For example if you plan to connect to the server from an external site (e.g. from home or a client), but you have a physical access to the server site, connect from the server site the first time (e.g. your workplace).

Once you connect, WinSCP caches the fingerprint and will ensure, that the key is unchanged every time you connect later on.

If you need to know the fingerprint later on for other purposes, like to verify the host key on another machine, or for automation, go to a Server and Protocol Information Dialog. See a Server Host key Fingerprint box.

If you already have the host key cached in the PuTTY SSH client, you can import a PuTTY stored session to WinSCP, including the cached host keys. Make sure the Import cached host keys for checked sites option is checked when importing the sessions.

You can also have the fingerprint displayed in an SSH terminal using ssh-keygen command (on *nix servers that use OpenSSH server). For example:

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

To display all available host keys, you can use:

for f in /etc/ssh/ssh_host_*_key; do ssh-keygen -l -f "$f"; done

OpenSSH 6.8 and newer shows SHA-256 fingerprint by default. Older versions use MD5 fingerprint.

-----BEGIN SSH HOST KEY KEYS----- ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKL8MDSo7u3qQgoTSyDrVEGAvnjDg6tIruQ4v81TNiFNK/3e97HDygbJuEHooA+jjyeqdkTOISu2GWjtm7BucS4= root@mariadb-103 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFnage2tdOu7uMCZkF79ntKBfi56ndWbYjfEHtPrQKsc root@mariadb-103 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9h+IZ6w8HVq93GrtRbeo9ixXY+Cwj+ZwF0cae/2aJl2IHEuwWZpwbSBEU2PIytzU+Pyjli/Z6nDb5K7n3SkgxwV9YKXFY225K6XVfdTLo/IkMtrso4uTp10hBJcCojWARmzqEigGo3dl8fXI8241rI75GBGgGDxnRurc9wAqKd6DCkUUdRyjKQBOFREjqzInMs8T03kNV8lxfZxKdcUEOlD/lspvPbinT5j8ko04kD2j9r5gNNrYM77q9+tvFyC97sHpeY7f54cGntgbGSkyN0hBYR9IALPr5uaIOgP1kBsJKmvlOGjGZHEQzH8I7ghIuhIwQW5+POF9NMU6t5d root@mariadb-103 -----END SSH HOST KEY KEYS-----

If you already have verified the host key for your GUI session, go to a Server and Protocol Information Dialog and see a Server Host key Fingerprint// box. You can have WinSCP generate the script or code for you, including the -hostkey switch or SessionOptions.SshHostKeyFingerprint property.

In exceptional situations, when security is not required, such as when connecting within a trusted private network, you can use -hostkey=* or SessionOptions.GiveUpSecurityAndAcceptAnySshHostKey to blindly accept any host key.

If you want to allow a user to manually verify the host key, use the Session.ScanFingerprint method to retrieve the key fingerprint. Then let the user to verify it and assign the verified value to the SessionOptions.SshHostKeyFingerprint property. For an example of an implementation see Implementing SSH host key cache (known hosts).