This error message occurs when WinSCP connects to a new SSH server. Every server identifies itself by means of a host key; once WinSCP knows the host key for a server, it will be able to detect if a malicious attacker redirects your connection to another machine.
If you see this message, it means that WinSCP has not seen this host key before, and has no way of knowing whether it is correct or not. You should attempt to verify the host key by other means, such as asking the machine’s administrator.
Both SHA-256 and MD5 fingerprints of the host key are shown. As both fingerprints are for the same key, it is enough to check only one of them. Checking the SHA-256 fingerprint is safer, though.
If the host key fingerprint is correct, press Yes. The host key will be stored in the cache and you will not be prompted the next time. If you are unsure, want to defer host key verification until later, but still need to connect now (taking a risk), press No. The host key will not be cached and you will be prompted again the next time. If the fingerprint is not correct or if you do not know the correct fingerprint, press Cancel to abort the connection.
If you have the correct host key (or its fingerprint) in a digital form, instead of checking the fingerprint manually, you can use the Paste Key button (in the drop-down menu of the Yes button) to have WinSCP compare the fingerprint for you, against a fingerprint or a full key stored in the clipboard. The clipboard can contain an SHA-256 or MD5 fingerprint or a full key in
Use the Copy key fingerprints to clipboard link to copy the fingerprints to the clipboard.
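As an added example (not WinSCP's own code), the following Python sketch derives both fingerprints from one public key and compares them against a pasted fingerprint or full key, the kind of comparison the Paste Key button performs. It assumes the OpenSSH public-key line format and fingerprint encodings (unpadded Base64 for SHA-256, colon-separated hex for MD5); the sample key is constructed and the function names are hypothetical.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

# Constructed sample key (not a real server's key): type field + 32 key bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
                   + " constructed-example")

def key_blob(public_key_line: str) -> bytes:
    """Decode the blob of a '<key-type> <base64-blob> [comment]' line."""
    fields = public_key_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    # The blob repeats the key type; a mismatch means a damaged or mixed-up key.
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match the blob")
    return blob

def fingerprints(public_key_line: str) -> dict:
    """Both fingerprints are hashes of the same blob, so either identifies the key."""
    blob = key_blob(public_key_line)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"sha256": sha,
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def matches_pasted(public_key_line: str, pasted: str) -> bool:
    """True if the pasted text is this key, or one of its two fingerprints."""
    fields = pasted.split()
    if not fields:
        return False
    try:  # a full key was pasted
        return key_blob(pasted) == key_blob(public_key_line)
    except ValueError:
        pass  # not a full key: treat the last token as a fingerprint
    token = fields[-1]
    for prefix in ("SHA256:", "MD5:"):
        if token.upper().startswith(prefix):
            token = token[len(prefix):]
    fp = fingerprints(public_key_line)
    # Base64 is case-sensitive; hex is not.
    return token.rstrip("=") == fp["sha256"] or token.lower() == fp["md5"]
```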
Read more about verifying host keys.
Learn also how to accept host key automatically in script.