This message appears when WinSCP connects to a new SSH server. Every server identifies itself by means of a host key; once WinSCP knows the host key for a server, it will be able to detect if a malicious attacker redirects your connection to another machine.
If you see this message, it means that WinSCP has not seen this host key before, and has no way of knowing whether it is correct or not. You should attempt to verify the host key by other means, such as asking the machine’s administrator.
If the host key fingerprint is correct, press Accept (Yes in the latest stable version). The host key will be stored in the cache and you will not be prompted the next time. If you are unsure or want to defer host key verification until later, but still need to connect now (taking a risk), select Connect Once in the drop-down menu of the Accept button (No button in the stable version). The host key will not be cached and you will be prompted again the next time. If the fingerprint is not correct or if you do not know the correct fingerprint, press Cancel to abort the connection.
If you have the correct host key (or its fingerprint) in a digital form, instead of checking the fingerprint manually, you can select Paste Key in the drop-down menu of the Accept (Yes) button to have WinSCP compare the fingerprint for you against a fingerprint or a full key stored in the clipboard. The clipboard can contain an SHA-256 or MD5 fingerprint or a full key in
Use the Copy key fingerprints to clipboard link to copy the key fingerprints to the clipboard (both in the SHA-256 format seen in the message and additionally in MD5 format).
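When the administrator supplies the server's public key rather than a fingerprint, the two fingerprint formats mentioned above can be derived from it and compared with the value in the prompt. The following is an added example, not part of the WinSCP documentation or code; the sample key is constructed, and the function names and the input normalization in `_bare` are assumptions of this example.

```python
import base64
import hashlib
import struct

# Constructed sample key (dummy key bytes, not a real server's host key).
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " constructed-example"


def parse_public_key(line):
    """Return (key_type, blob) from a '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was truncated or altered in transit.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob


def fingerprints(line):
    """SHA-256 (unpadded base64) and MD5 (colon-separated hex) fingerprints."""
    _, blob = parse_public_key(line)
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    return {"sha256": "SHA256:" + sha256, "md5": "MD5:" + md5}


def _bare(text):
    # Assumed normalization: last whitespace-separated token, without an
    # algorithm prefix or base64 padding; hex fingerprints compare lowercase.
    tokens = text.split()
    token = tokens[-1] if tokens else ""
    for prefix in ("SHA256:", "MD5:"):
        if token.startswith(prefix):
            token = token[len(prefix):]
    return token.lower() if ":" in token else token.rstrip("=")


def matches(line, shown):
    """True if `shown` equals either fingerprint of the trusted key."""
    return any(_bare(fp) == _bare(shown) for fp in fingerprints(line).values())
```

Call `matches(trusted_key_line, fingerprint_from_prompt)` with the key line received over a trusted channel; a `False` result means the prompt should be cancelled, not accepted.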
Read more about verifying host keys.
Learn also how to accept a host key automatically in a script.