PuTTY Warning: The server's host key does not match the one PuTTY has cached in the registry
When using PuTTY to connect to a new host, I often get the warning
> The server's host key does not match the one PuTTY has cached in the registry.
After I press Yes, PuTTY adds the server's RSA key into the Windows 10 registry, I am able to log in to the remote server, and the warning won't appear again.
I know the RSA key comes as a pair, both public and private.
What I am trying to understand is which key the server saved onto my local machine; the server's public key, I guess.
Also, when PuTTY made the initial SSH connection to the server, how does the server decide which key to forward? Assume the server has a list of public keys; is there a generic key for any client trying to make the connection?
And where is this generic key stored on the server? Under /root/.ssh/authorized_keys?
linux ssh putty
edited Nov 26 at 10:39
Martin Prikryl
asked Apr 5 at 14:50
Junchen Liu
You are talking specifically about "host" keys, right? You are not mixing "host" key with "user" key for the key exchange pair needed for user authentication to the SSH server, right?
– Pimp Juice IT, Apr 5 at 14:56
2 Answers
Answer (accepted, 4 votes)
Generally you should be very cautious when you get
> WARNING - POTENTIAL SECURITY BREACH!
> The server's host key does not match the one PuTTY has cached in the registry.
It's an indication of a MITM attack.
See also the PuTTY documentation for WARNING - POTENTIAL SECURITY BREACH! (which is the main part of the message, and which you somehow omitted in your question).
You never get this message for a new server. Unless, of course, the new server reuses the IP address/hostname of some discarded server, in which case it's OK to ignore the warning.
It is, of course, a public key that is cached by PuTTY. A private key is secret and must not be accessible to anyone except the server administrator, so there's no way an SSH client can get it.
The server can indeed have a number of key pairs for different algorithms (one for each algorithm, like RSA, DSA, ECDSA, ED25519). The client and the server will agree on the best algorithm to use (the best out of those supported by both the server and the client).
The key pairs are usually stored in /etc/ssh (on Linux with OpenSSH).
Though the wording of your question hints that you may be confusing the server/host key pair with the key pair you use to authenticate to the server.
See my article on Understanding SSH key pairs.
edited Apr 5 at 15:15
answered Apr 5 at 15:01
Martin Prikryl
Anytime my automated FTP jobs run into this error, it stops, I get notified, and then I reach out to the FTP server admins, etc. and verify that they indeed changed their host key. This is how I handle this specific issue that does happen from time to time per the automation. Nice answer as usual Martin!!!
– Pimp Juice IT, Apr 5 at 16:01
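The check behind that warning, as an added example (my code, not PuTTY's and not from the answer above): a trust-on-first-use host key cache that tells apart a host seen for the first time, a key that matches the cached copy, and a key that has changed, plus the OpenSSH-style SHA256 fingerprint of a key line such as the one in /etc/ssh/ssh_host_rsa_key.pub. The PuTTY registry value layout it emits (name rsa2@<port>:<host>, data 0x<e>,0x<n> in hex) is my understanding and an assumption, and the sample key is constructed: its modulus is wire-format filler, not a real RSA modulus.

```python
import base64
import hashlib
import struct

# --- SSH wire-format helpers (RFC 4251 "string" and "mpint") ---------------

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:        # mpint is signed: keep the value positive
        raw = b"\x00" + raw
    return _ssh_string(raw)

def _read_string(blob: bytes, off: int):
    (ln,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + ln], off + 4 + ln

def encode_rsa_pubkey(e: int, n: int) -> str:
    """Build an OpenSSH 'ssh-rsa <base64>' line, the format ssh_host_rsa_key.pub holds."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")

def parse_pubkey_line(line: str):
    """Return (key type, raw blob, list of wire fields) for one public-key line."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode("ascii") != keytype:
        raise ValueError("key type prefix does not match the encoded blob")
    fields = []
    while off < len(blob):
        field, off = _read_string(blob, off)
        fields.append(field)
    return keytype, blob, fields

def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 over the raw blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def putty_registry_entry(host: str, port: int, line: str):
    """Assumed PuTTY SshHostKeys layout: name 'rsa2@<port>:<host>', data '0x<e>,0x<n>'."""
    keytype, _blob, fields = parse_pubkey_line(line)
    if keytype != "ssh-rsa":
        raise ValueError("only ssh-rsa is converted in this example")
    e = int.from_bytes(fields[0], "big")
    n = int.from_bytes(fields[1], "big")
    return f"rsa2@{port}:{host}", f"0x{e:x},0x{n:x}"

class HostKeyCache:
    """Trust-on-first-use cache keyed by (host, port, key type), as an SSH client keeps."""
    def __init__(self):
        self._keys = {}

    def check(self, host: str, port: int, line: str) -> str:
        keytype, blob, _ = parse_pubkey_line(line)
        cached = self._keys.get((host, port, keytype))
        if cached is None:
            return "NEW"          # first contact: the client has to ask the user
        if cached == blob:
            return "OK"           # the same full public key as last time
        return "MISMATCH"         # key changed: possible MITM, or a reinstalled host

    def trust(self, host: str, port: int, line: str) -> None:
        keytype, blob, _ = parse_pubkey_line(line)
        self._keys[(host, port, keytype)] = blob

if __name__ == "__main__":
    # Constructed sample keys: the moduli are wire-format filler, not real RSA moduli.
    old_key = encode_rsa_pubkey(65537, (1 << 2047) | 0xC0FFEE)
    new_key = encode_rsa_pubkey(65537, (1 << 2047) | 0xBADC0DE)
    cache = HostKeyCache()
    print(cache.check("example.test", 22, old_key))   # NEW
    cache.trust("example.test", 22, old_key)
    print(cache.check("example.test", 22, old_key))   # OK
    print(cache.check("example.test", 22, new_key))   # MISMATCH: the case PuTTY warns about
    print(fingerprint_sha256(parse_pubkey_line(old_key)[1]))
    print(*putty_registry_entry("example.test", 22, old_key))
```

Comparing the fingerprint printed here against one obtained from the server administrator out of band is the check that turns a MISMATCH into either a confirmed key rotation or an incident.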
Answer (1 vote)
> I know the RSA key comes as a pair, both public and private. What I am trying to understand is which key the server saved onto my local machine; the server's public key, I guess.
Yes, PuTTY saves the thumbprint of the server's public key. You can see all of the stored keys in the registry under the key: HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys
> Also, when PuTTY made the initial SSH connection to the server, how does the server decide which key to forward? Assume the server has a list of public keys; is there a generic key for any client trying to make the connection? And where is this generic key stored on the server?
The server only has one host key per key type (RSA, DSA, etc.). Where they are stored depends on the configuration, but, for example, by default on Ubuntu systems they are stored in /etc/ssh.
answered Apr 5 at 15:03
heavyd
It's not the thumbprint that is cached. It's the complete public key.
– Martin Prikryl, Apr 5 at 15:05
Can I understand it as /etc/ssh/ssh_host_rsa_key.pub is where one of the host keys is, and the host key is used for identifying what the server truly is?
– Junchen Liu, Apr 5 at 17:53
That leads to another question: how do I stop the warning from happening when connecting for the 1st time? Attach the public key of this server when first making the connection? And in PuTTY, how do I do that?
– Junchen Liu, Apr 5 at 17:54
@JunchenLiu This is a Q&A site, not a chat. Accept the answer that best answers your question. And if you have another question, post it separately.
– Martin Prikryl, Apr 5 at 18:39