PuTTY Warning: The server's host key does not match the one PuTTY has cached in the registry
When using PuTTY to connect to a new host, I often get the warning

    The server's host key does not match the one PuTTY has cached in the
    registry.

After I press Yes, PuTTY adds the server's RSA key to the Windows 10 registry, I am able to log in to the remote server, and the warning won't appear again.

I know the RSA key comes as a pair, both public and private. What I am trying to understand is which key the server saved onto my local machine; the server's public key, I guess.

Also, when PuTTY made the initial SSH connection to the server, how did the server decide which key to forward? Assuming the server has a list of public keys, is there a generic key for any client trying to make a connection?

And where is this generic key stored on the server? Under /root/.ssh/authorized_keys?
  • You are talking specifically about "host" keys, right? You are not mixing "host" key with "user" key for key exchange pair needed for user authentication to the SSH server, right?
    – Pimp Juice IT, Apr 5 at 14:56 (score 1)
linux ssh putty
asked Apr 5 at 14:50 by Junchen Liu; edited Nov 26 at 10:39 by Martin Prikryl
2 Answers
Accepted answer (score 4), answered Apr 5 at 15:01 by Martin Prikryl, edited Apr 5 at 15:15
Generally you should be very cautious when you get

    WARNING - POTENTIAL SECURITY BREACH!

    The server's host key does not match the one PuTTY has cached in the registry.

It's an indication of a MITM attack.

See also the PuTTY documentation for WARNING - POTENTIAL SECURITY BREACH! (which is the main part of the message, and which you somehow omitted from your question).

You never get this message for a new server. Unless, of course, the new server reuses the IP address/hostname of some discarded server. In which case, it's OK to ignore the warning.

It is, of course, a public key that is cached by PuTTY. A private key is secret and it must not be accessible to anyone except for the server administrator. So there's no way an SSH client can get it.

The server can indeed have a number of key pairs for different algorithms (one for each algorithm, like RSA, DSA, ECDSA, ED25519). The client and the server will agree on the best algorithm to use (the best out of those supported by both the server and the client).

The key pairs are usually stored in /etc/ssh (on Linux with OpenSSH).

Though the wording of your question hints that you may be confusing the server/host key pair with the key pair you use to authenticate to the server.

See my article on Understanding SSH key pairs.
  • Anytime my automated FTP jobs run into this error, it stops, I get notified, and then I reach out to the FTP server admins, etc. and verify that they indeed changed their host key. This is how I handle this specific issue that does happen from time to time per the automation. Nice answer as usual Martin!!!
    – Pimp Juice IT, Apr 5 at 16:01 (score 1)
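The caching behaviour the answer and the comment describe (first contact is trusted, a repeat visit is compared, a changed key is refused until someone verifies it out of band) can be modelled in a few lines. The Python below is an added example and is not PuTTY's code or anything posted by the answerers; it assumes cache entries named the way PuTTY names its registry values, "keytype@port:host", and uses constructed byte strings in place of real key blobs.

```python
import base64
import hashlib

# Added example (not code from the question, the answers or PuTTY itself):
# a minimal trust-on-first-use host key cache in the spirit of PuTTY's
# registry cache. Entries are named the way PuTTY names its registry
# values, "<keytype>@<port>:<host>", so one host can hold a separate
# cached key per algorithm. The key blobs used in demo() are constructed
# byte strings, not real SSH keys.

NEW, MATCH, MISMATCH = "new", "match", "MISMATCH"


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob; this is
    the value to confirm with the server administrator out of band."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cache_name(keytype: str, host: str, port: int = 22) -> str:
    return f"{keytype}@{port}:{host}"


def check_host_key(cache: dict, host: str, port: int, keytype: str, blob_b64: str) -> str:
    """Compare the key the server just presented with the cached one.
    NEW: nothing cached for this host/port/algorithm (first contact).
    MATCH: same key as before.
    MISMATCH: a different key, i.e. PuTTY's POTENTIAL SECURITY BREACH case."""
    cached = cache.get(cache_name(keytype, host, port))
    if cached is None:
        return NEW
    return MATCH if cached == blob_b64 else MISMATCH


def connect(cache: dict, host: str, port: int, keytype: str, blob_b64: str,
            accept_new: bool = True) -> str:
    """One connection attempt. A NEW key is cached only if the user accepts it
    (PuTTY's "Yes" button). A MISMATCH never overwrites the cache: the
    connection is refused and the operator has to investigate."""
    verdict = check_host_key(cache, host, port, keytype, blob_b64)
    if verdict == NEW and accept_new:
        cache[cache_name(keytype, host, port)] = blob_b64
    return verdict


def replace_host_key(cache: dict, host: str, port: int, keytype: str, blob_b64: str) -> None:
    """Deliberate replacement after the new fingerprint has been verified with
    the server's administrators (rebuilt server, rotated key)."""
    cache[cache_name(keytype, host, port)] = blob_b64


def demo() -> list:
    """Walk through the cases discussed in the answers; returns the verdicts."""
    key_a = base64.b64encode(b"constructed RSA host key A").decode()
    key_b = base64.b64encode(b"constructed RSA host key B").decode()
    key_c = base64.b64encode(b"constructed Ed25519 host key C").decode()
    cache = {}
    results = []
    results.append(connect(cache, "server.example", 22, "rsa2", key_a))  # first contact
    results.append(connect(cache, "server.example", 22, "rsa2", key_a))  # same key again
    results.append(connect(cache, "server.example", 22, "rsa2", key_b))  # different key!
    # A different algorithm for the same host is a separate cache entry, not a mismatch.
    results.append(connect(cache, "server.example", 22, "ssh-ed25519", key_c))
    # After verifying key B's fingerprint out of band, replace it explicitly.
    replace_host_key(cache, "server.example", 22, "rsa2", key_b)
    results.append(connect(cache, "server.example", 22, "rsa2", key_b))
    return results


if __name__ == "__main__":
    labels = ["first", "repeat", "changed", "new algorithm", "after replace"]
    for label, verdict in zip(labels, demo()):
        print(f"{label:14s} -> {verdict}")
```

The design point is the asymmetry: a new key may be accepted by a user decision, but a changed key is never silently accepted, which is exactly why an automated job (as in the comment above) should stop and page someone rather than retry.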
Answer (score 1), answered Apr 5 at 15:03 by heavyd
    I know the RSA key comes as pairs, both public and private. What I am trying to understand is which key the server saved onto my local machine; the server's public key, I guess.

Yes, PuTTY saves the thumbprint of the server's public key. You can see all of the stored keys in the registry under the key: HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys

    Also, when PuTTY made the initial SSH connection to the server, how did the server decide which key to forward? Assuming the server has a list of public keys, is there a generic key for any client trying to make a connection? And where is this generic key stored on the server?

The server only has one host key per key type (RSA, DSA, etc.). Where they are stored depends on the configuration, but, for example, by default on Ubuntu systems they are usually stored in /etc/ssh.
  • It's not thumbprint that is cached. It's a complete public key.
    – Martin Prikryl, Apr 5 at 15:05

  • can I understand it as /etc/ssh/ssh_host_rsa_key.pub is where one of the host keys is, and the host key is used for identifying what the server truly is?
    – Junchen Liu, Apr 5 at 17:53

  • that leads to another question, how do I stop the warning from happening when connecting for the first time? attach the public key of this server when first making the connection? and in PuTTY how do I do that?
    – Junchen Liu, Apr 5 at 17:54

  • @JunchenLiu This is a Q&A site, not a chat. Accept the answer that best answers your question. And if you have another question, post it separately.
    – Martin Prikryl, Apr 5 at 18:39
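The file the comment asks about, /etc/ssh/ssh_host_rsa_key.pub, holds exactly the public key that ends up in the client's cache, and its base64 blob uses the SSH wire encoding (length-prefixed strings and mpints), so the key type, size and SHA256 fingerprint can be read straight from it. The following Python is an added example, not code from the answers or from OpenSSH; the key lines it decodes are constructed stand-ins (the RSA modulus is just a 2048-bit odd number, not a real key), and load_host_keys assumes the default OpenSSH naming ssh_host_*_key.pub in /etc/ssh.

```python
import base64
import hashlib
import struct
from pathlib import Path

# Added example, not code from the answers or from OpenSSH: decode the public
# half of a server host key as stored in /etc/ssh/ssh_host_*_key.pub (one
# "<type> <base64 blob> [comment]" line). The blob uses the SSH wire encoding
# (RFC 4253 section 6.6), so the type name, key size and SHA256 fingerprint
# can be read from the file directly. The keys built in demo_lines() are
# constructed values, not real keys.


def _string(buf: bytes, off: int):
    """Read one length-prefixed SSH string; returns (bytes, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _pack_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _pack_mpint(x: int) -> bytes:
    # Positive mpint: big-endian, with a leading 0x00 byte if the top bit is set.
    return _pack_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def fingerprint(blob: bytes) -> str:
    """Same SHA256 fingerprint format ssh-keygen -l prints for the key."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_pubkey_line(line: str) -> dict:
    keytype, b64, *comment = line.split()
    blob = base64.b64decode(b64)
    wire_type, off = _string(blob, 0)
    if wire_type.decode() != keytype:
        raise ValueError("key type inside the blob does not match the line")
    info = {"type": keytype, "comment": " ".join(comment), "fingerprint": fingerprint(blob)}
    if keytype == "ssh-rsa":                    # mpint e, mpint n
        e, off = _string(blob, off)
        n, off = _string(blob, off)
        info["e"] = int.from_bytes(e, "big")
        info["bits"] = int.from_bytes(n, "big").bit_length()
    elif keytype == "ssh-ed25519":              # 32-byte public point
        pk, off = _string(blob, off)
        info["bits"] = len(pk) * 8
    elif keytype.startswith("ecdsa-sha2-"):     # curve name, uncompressed point 0x04||X||Y
        curve, off = _string(blob, off)
        point, off = _string(blob, off)
        info["curve"] = curve.decode()
        info["bits"] = (len(point) - 1) * 4
    else:
        info["bits"] = None
    if off != len(blob):
        raise ValueError("trailing bytes after the key material")
    return info


def load_host_keys(directory: str = "/etc/ssh") -> list:
    """Parse every ssh_host_*_key.pub in the directory: one host key per algorithm."""
    return [parse_pubkey_line(p.read_text())
            for p in sorted(Path(directory).glob("ssh_host_*_key.pub"))]


def make_rsa_line(e: int, n: int, comment: str = "") -> str:
    blob = _pack_string(b"ssh-rsa") + _pack_mpint(e) + _pack_mpint(n)
    return ("ssh-rsa " + base64.b64encode(blob).decode() + " " + comment).rstrip()


def make_ed25519_line(pk: bytes, comment: str = "") -> str:
    blob = _pack_string(b"ssh-ed25519") + _pack_string(pk)
    return ("ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment).rstrip()


def demo_lines() -> list:
    """Constructed stand-ins for ssh_host_rsa_key.pub and ssh_host_ed25519_key.pub."""
    fake_modulus = (1 << 2047) | 0x10001        # 2048-bit odd number, NOT a real RSA modulus
    return [make_rsa_line(65537, fake_modulus, "root@constructed-host"),
            make_ed25519_line(bytes(range(32)), "root@constructed-host")]


if __name__ == "__main__":
    for line in demo_lines():
        info = parse_pubkey_line(line)
        print(f"{info['bits']} {info['fingerprint']} {info['comment']} ({info['type']})")
```

On a real server, load_host_keys() run as an administrator lists the per-algorithm fingerprints; those are the values an operator hands to clients so that the first-connection prompt (and any later mismatch) can be checked against something other than the network itself.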