Warning – Potential security breach!

This message, followed by “The server’s host key does not match the one WinSCP has in cache”, means that WinSCP has connected to the SSH server before, knows what its host key should be, but has found a different one.

You might also get this message when you have configured WinSCP to trust a certification authority for signing host keys, but the actual host key is signed by a different authority. For that scenario, see Certified Host key below.


Plain Host key

The message may mean that a malicious attacker has replaced your server with a different one, or has redirected your network connection to their own machine. On the other hand, it may simply mean that the administrator of your server has accidentally changed the key while upgrading the SSH software; this shouldn’t happen but it is unfortunately possible. Another legitimate reason for a host key change is that the address you are connecting to load-balances across a set of SSH servers. If that’s the case, select Add to build a list of known host keys, instead of using Update.

You should contact your server’s administrator and see whether they expect the host key to have changed. If so, verify the new host key in the same way as you would if it was new.[1]

Read more about verifying host keys.
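The decision behind this prompt, sketched as an added example (not WinSCP's code): it computes an OpenSSH-style SHA-256 fingerprint from a public key line and checks it against a per-host cache, with Add keeping earlier keys and Update replacing them. The function names, the in-memory cache, the host name and the sample keys are all assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

def sample_key_line(fill):
    """Constructed, non-functional ed25519-shaped public key line (demo data only)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def fingerprint(key_line):
    """SHA-256 fingerprint of a '<type> <base64> [comment]' public key line."""
    fields = key_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed algorithm name; it must agree
    # with the text label, otherwise the line is mangled or mislabelled.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type label does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(cache, host, key_line):
    """Return 'unknown' (first connection), 'match', or 'mismatch' (the warning case)."""
    known = cache.get(host)
    if not known:
        return "unknown"
    return "match" if fingerprint(key_line) in known else "mismatch"

def accept_host_key(cache, host, key_line, mode):
    """'update' replaces the cached key; 'add' keeps the old ones (load-balanced address)."""
    fp = fingerprint(key_line)
    if mode == "add":
        cache.setdefault(host, set()).add(fp)
    elif mode == "update":
        cache[host] = {fp}
    else:
        raise ValueError("mode must be 'add' or 'update'")

if __name__ == "__main__":
    cache = {}  # hypothetical in-memory stand-in for the host key cache
    host = "sftp.example.com"  # placeholder host name
    accept_host_key(cache, host, sample_key_line(1), "add")
    print(check_host_key(cache, host, sample_key_line(2)))  # a different key is presented
```

The comparison only means something when the expected key line came from the server's administrator rather than from the connection being checked.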

Certified Host key

If you’ve configured WinSCP to trust at least one certification authority for signing host keys, then it will ask the SSH server to send it any available certified host keys. If the server sends back a certified key signed by a different certification authority, WinSCP will present this variant of the host key prompt.

One reason why this can happen is a deliberate attack. Just like an ordinary man-in-the-middle attack which substitutes a wrong host key, a particularly ambitious attacker might substitute an entire wrong certification authority, and hope that you connect anyway.

But it’s also possible in some situations that this error might arise legitimately. For example, if your organisation’s IT department has just rolled out a new CA key which you haven’t yet entered in WinSCP’s configuration, or if your CA configuration involves two overlapping domains, or something similar.


So, unfortunately, you’ll have to work out what to do about it yourself: make an exception for this specific case, or abandon this connection and install a new CA key before trying again (if you’re really sure you trust the CA), or edit your configuration in some other way, or just stop trying to use this server.

If you’re convinced that this particular server is legitimate even though the CA is not one you trust, WinSCP will let you cache the certified host key, treating it in the same way as an uncertified one. Then that particular certificate will be accepted for future connections to this specific server, even though other certificates signed by the same CA will still be rejected.[1]

  1. The text is a copy of the PuTTY User Manual or was inspired by it.

Last modified: by martin