SSH HostKey Fingerprint, ED25519 vs RSA
Hello Martin and WinSCP Support,
I have a question related to the fact that one of my SFTP connections, their SFTP site, SSH HostKey Fingerprint changed, from RSA to ED25519.
I have gone to your page for review: https://winscp.net/eng/docs/faq_hostkey and understand this setting, and always add it to my automation scripts, to make sure I'm connecting to the correct server.
I also use your .NET Assembly in this fashion.
My .NET assembly script started failing, with escalation, Windows error results:
Host key does not match configured key "ssh-rsa 2048 <OLD RSA KEY>"!
Host key fingerprint is ssh-ed25519 256 <NEW or Temporary ED25519 KEY>.
Authentication failed.
After these errors, I brought up this connection with the WinSCP GUI, and reviewed it, verifying the new key seems to connect me to the proper site, and I noticed when I did that, without accepting it to overwrite anything, that the new key "ED25519" now shows up in my Windows "Current User" registry, as the default, for this SFTP site, and I no longer get the escalation that the SSH HostKey Fingerprint is the incorrect one.
My questions in this case are the following:
- If an SFTP site that does not appear to publish their SSH HostKey Fingerprint on their SFTP server, changes suddenly, from RSA to ED25519, is this something that is commonplace, and should not be questioned with that user's SFTP site?
- On the .NET Assembly, in such a situation, after the Windows Registry has been updated to know about the new key, will it allow this connectivity even though we set the SSH HostKey Fingerprint expected, to be the previous value?
- In the similar vein, on our automation script file we build, which will give the value for the RSA key:
open sftp://<UN>:<PW>@<SFTP SITE>:22 -hostkey="ssh-rsa 2048 <OLD RSA KEY>"
Thanks,
Joe P.
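An added example, not part of the original post and not WinSCP's own code: a triage helper that parses the mismatch output quoted above, tells an algorithm change (RSA pin, ED25519 offered) from a replaced key of the same algorithm, and only proposes a new `-hostkey` value when the offered fingerprint is in a set confirmed with the server operator. The function name, the `verified` set, the hold-until-confirmed policy and the sample fingerprints are assumptions made for this illustration.

```python
import re

# Patterns follow the two message lines quoted in the post above.
CONFIGURED = re.compile(r'does not match configured key "(\S+) (\d+) ([^"]+)"')
PRESENTED = re.compile(r'Host key fingerprint is (\S+) (\d+) (\S+?)\.?\s*$', re.M)

def triage(log_text, verified=frozenset()):
    """Classify a host key mismatch reported in WinSCP session output.

    verified: set of "algorithm bits fingerprint" strings that the server
    operator confirmed through a separate channel (assumed policy).
    Returns None when the text contains no mismatch report.
    """
    pinned = CONFIGURED.search(log_text)
    offered = PRESENTED.search(log_text)
    if not (pinned and offered):
        return None
    offered_key = " ".join(offered.groups())
    if pinned.group(1) != offered.group(1):
        change = "algorithm-changed"   # e.g. ssh-rsa pinned, ssh-ed25519 offered
    else:
        change = "key-replaced"        # same algorithm, different key
    confirmed = offered_key in verified
    return {
        "pinned": " ".join(pinned.groups()),
        "offered": offered_key,
        "change": change,
        # Only an operator-confirmed fingerprint becomes the new pin.
        "action": "update-pin" if confirmed else "hold-and-verify",
        "hostkey_switch": f'-hostkey="{offered_key}"' if confirmed else None,
    }

# Constructed sample output; both fingerprints are made-up placeholders.
SAMPLE = (
    'Host key does not match configured key '
    '"ssh-rsa 2048 OLDrsaFINGERPRINTconstructed000000000000"!\n'
    "Host key fingerprint is ssh-ed25519 256 NEWedFINGERPRINTconstructed0000000000000.\n"
    "Authentication failed.\n"
)
NEW_KEY = "ssh-ed25519 256 NEWedFINGERPRINTconstructed0000000000000"

if __name__ == "__main__":
    print(triage(SAMPLE))             # unconfirmed: hold-and-verify
    print(triage(SAMPLE, {NEW_KEY}))  # confirmed: proposes the new switch
```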