Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

martin

Re: Host key does not match configured key fingerprint

The server offers a list of host key algorithms it supports to the client (WinSCP). WinSCP picks the best out of those it knows. So if you update all your scripts to use ecdsa-sha2-nistp256 hostkey, WinSCP will always pick the ecdsa-sha2-nistp256 and the problem might go away.
jhoag

Re: Host key does not match configured key fingerprint

I've reported this to WingFTP here: https://bbs.wftpserver.com/viewtopic.php?f=2&t=3648

This suggests they're aware of the issue, but I suppose if they don't fix it I don't have much information to go on. Lets hope they do...and that I won't need to come back asking for more information on how specifically a system knows when to determine to issue a new key based on what is seen coming from WinSCP.
martin

Re: I may have fixed it,

The script that consistently gets the same host key has "ecdsa-sha2-nistp256" key:
open sftp://***/ -hostkey="ecdsa-sha2-nistp256 256 AworpiSy/Pmb+5p5jqSz6BSvdBTHPksclOgooPR72D8=" -rawsettings FSProtocol=2 SendBuf=0 SshSimple=0

While the script that keeps getting different keys has "ssh-rsa" key:
open sftp://***/ -hostkey="ssh-rsa 1024 dKKMr/8HlWtT+KQUf4zWBbAmEW+XpWQ79pqch77IXPA="

The server may have a bug in RSA host key implementation.
jhoag

Re: I may have fixed it,

martin wrote:

jhoag wrote:

Something on the WinSCP client end is causing the server to issue a new key...not sure what condition causes it though?

That's not likely. Are you saying that other SFTP (not FTP) clients get the same host key all the time, while WinSCP not? Do you have logs that show that?


Actually, YES other SFTP (not FTP) clients get and can use the same host key all of the time, but those clients are also ALL using WinSCP. So in this situation, we have multiple WinSCP "clients" (all at the same version) connecting to one single WingFTP Server (https://www.wftpserver.com/), but only ONE particular "client" seems to be getting a totally new Key on a daily basis.

Logs are easy to get. Attached is the WinSCP Log from the server that experiences the issue (ServerGetsNewKey.log), as well as the WinSCP Log from a server that does NOT experience the issue (ServerKeepsKey.log). Assuming that the problem isn't with WinSCP and isn't our WingFTP server itself (I have a case open with them as well), what networking property could exist that would cause this behavior?

In other words, what common network firewall or filter rule would cause the server to be told that a new SSH key exists every morning, and not just every time we connect? The server that's told it has a new key every day, is behind a FortiGate (https://www.fortinet.com/) Stateful Firewall. Is there something specific in this firewall brand that would cause this behavior?
martin

Re: I may have fixed it,

jhoag wrote:

Something on the WinSCP client end is causing the server to issue a new key...not sure what condition causes it though?

That's not likely. Are you saying that other SFTP (not FTP) clients get the same host key all the time, while WinSCP not? Do you have logs that show that?
jhoag

Re: I may have fixed it,

tyntema wrote:

I'll post further if this is still an issue


How did you fix it? I'm having the same problem. The key changes daily, yet the FTP server itself is not configured to issue a new key. Something on the WinSCP client end is causing the server to issue a new key...not sure what condition causes it though?
tyntema

I may have fixed it,

I'll post further if this is still an issue
tyntema

more config info on my servers

We claim version: SSH-2.0-WinSCP_release_5.17.6
. 2020-06-24 15:28:00.565 Remote version: SSH-2.0-Serv-U_15.2.1.446
. 2020-06-24 15:28:00.565 Using SSH protocol version 2
. 2020-06-24 15:28:00.565 Have a known host key of type rsa2
. 2020-06-24 15:28:00.612 Doing ECDH key exchange with curve nistp256 and hash SHA-256
tyntema

Host key does not match configured key fingerprint

Host key does not match configured key fingerprint is the error I get. I've had a job running for awhile. The remote server just changed the SSH key, I added instead of updated the key and now when the job runs via task scheduler, I get the above error.

The job in the task scheduler calls a batch file, that's it.
I replaced the key in the batch file and the batch file transfers the file fine.

It gets an error when the task scheduler runs the (same) batch file. I have done the clean up, poked around the registry (but didn't see the keys) and have spent most of the day looking online.

Please help as to where it is pulling the old key from and how to get rid of it. I'm thinking just re-creating the whole site may be best??

Thanks for any help!