SSH HostKey Fingerprint, ED25519 vs RSA

Advertisement

jpantera
Joined:
Posts:
23
Location:
Los Angeles, CA

SSH HostKey Fingerprint, ED25519 vs RSA

Hello Martin and WinSCP Support,

I have a question related to the fact that one of my SFTP connections, their SFTP site, SSH HostKey Fingerprint changed, from RSA to ED25519.

I have gone to your page for review: https://winscp.net/eng/docs/faq_hostkey and understand this setting, and always add it to my automation scripts, to make sure I'm connecting to the correct server.

I also use your .NET Assembly in this fashion.

My .NET assembly script started failing, with escalation, Windows error results:
Host key does not match configured key "ssh-rsa 2048 <OLD RSA KEY>"!
Host key fingerprint is ssh-ed25519 256 <NEW or Temporary ED25519 KEY>.
Authentication failed.
After these errors, I brought up this connection with the WinSCP GUI, and reviewed it, verifying the new key seems to connect me to the proper site, and I noticed when I did that, without accepting it to overwrite anything, that the new key "ED25519" now shows up in my Windows "Current User" registry, as the default, for this SFTP site, and I no longer get the escalation that the SSH HostKey Fingerprint is the incorrect one.

My questions in this case are the following:
  1. If an SFTP site that does not appear to publish their SSH HostKey Fingerprint on their SFTP server, changes suddenly, from RSA to ED25519, is this something that is commonplace, and should not be questioned with that user's SFTP site?

  2. On the .NET Assembly, in such a situation, after the Windows Registry has been updated to know about the new key, will it allow this connectivity even though we set the SSH HostKey Fingerprint expected, to be the previous value?

  3. In the similar vein, on our automation script file we build, which will give the value for the RSA key:
    open sftp://<UN>:<PW>@<SFTP SITE>:22 -hostkey="ssh-rsa 2048 <OLD RSA KEY>"
That should fail, correct(?), until we update it to use the new ED25519 key?

Thanks,
Joe P.

Reply with quote

Advertisement

jpantera
Joined:
Posts:
23
Location:
Los Angeles, CA

Additional note...

Adding this comment:

I now believe the owner of this SFTP site actually did finally add the RSA key to the site, after several hours where I was getting the afore-mentioned error (That the Key was not the proper one), and not a result of me using the WinSCP GUI and connecting (although the flow of events had originally led me to that conclusion).

In my WinSCP "log" where I'm dumping the log from the WinSCP automation, I do notice that the SFTP site, as WinSCP sees it, went from:
Server version: SSH-2.0-OpenSSH_7.4
to:
Server version: SSH-2.0-OpenSSH_8.7
Also, in the log, I see this before the recent "issue":
Server also has ecdsa-sha2-nistp256 host key, but we don't know it
But afterwards it shows:
Server also has ssh-ed25519/ecdsa-sha2-nistp256 host keys, but we don't know any of them
Now the odd part of that...

Prior to this weekend changes, after that entry in the log, the "host Key", even though my open statement with parameter:
-hostkey="ssh-rsa 2048 <KEY>"
That hostkey in the log (prior to the server going to OpenSSH 8.7, and apparently adding "SSH-ed25519") shows:
Host key fingerprint is:
ssh-ed25519 256 <"what I called the NEW KEY Above, Previous Post">
But after the remote host went to OpenSSH 8.7, it now shows the expected RSA Host Key:
Host key fingerprint is:
ssh-rsa 2048 <KEY>
Any comments on this are welcome. My original questions are still valid, as I'm trying to understand what might have happened on this server, to understand why some processes are failing.

- Joe P.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,517
Location:
Prague, Czechia

Re: Additional note...

We cannot know what happened to your server.
You need to ask it s administrator.

Many options are possible. For example ranging from:
  • The server was reinstalled in a non-clean way. At one point, the new server was having new keys. But later the admin restored keys from the old server.
to
  • You were under MITM attack at one poing.

Reply with quote

Advertisement

You can post new topics in this forum