5

When using PuTTY to connect to a new host, I often get the warning

The server's host key does not match the one PuTTY has cached in the registry.

After I press Yes, PuTTY adds the server's RSA key to the Windows 10 registry, and I will be able to log in to the remote server, and the warning won't appear again.

I know the RSA key comes as a pair, both public and private. What I am trying to understand is which key the server saved onto my local machine: the server's public key, I guess.

Also, when PuTTY made the initial SSH connection to the server, how does the server decide which key to forward? Assuming the server has a list of public keys, is there a generic key for any client trying to make a connection?

And where is this generic key stored on the server? Under /root/.ssh/authorized_keys?

1
  • 1
    You are talking specifically about "host" keys, right? You are not mixing "host" key with "user" key for key exchange pair needed for user authentication to the SSH server, right? Commented Apr 5, 2018 at 14:56

4 Answers

5

Generally you should be very cautious when you get

WARNING - POTENTIAL SECURITY BREACH!

The server's host key does not match the one PuTTY has cached in the registry.

It's an indication of a MITM attack.

See also the PuTTY documentation for WARNING - POTENTIAL SECURITY BREACH! (which is the main part of the message, and which you somehow omitted from your question).

You never get this message for a new server. Unless, of course, the new server reuses the IP address/hostname of some discarded server. In which case, it's OK to ignore the warning.


It is, of course, a public key that is cached by PuTTY. A private key is secret and it must not be accessible to anyone, except for the server administrator. So there's no way an SSH client can get it.


The server can indeed have a number of key pairs for different algorithms (one for each algorithm, like RSA, DSA, ECDSA, ED25519). The client and the server will agree on the best algorithm to use (the best out of those supported by both the server and the client).


The key pairs are usually stored in /etc/ssh (on Linux with OpenSSH).


Though the wording of your question hints that you may be confusing the server/host key pair with the key pair you use to authenticate to the server.

See my article on Understanding SSH key pairs.

1
  • 1
    Anytime my automated FTP jobs run into this error, it stops, I get notified, and then I reach out to the FTP server admins, etc. and verify that they indeed changed their host key. This is how I handle this specific issue that does happen from time to time per the automation. Nice answer as usual Martin!!! Commented Apr 5, 2018 at 16:01
2

I know the RSA key comes as a pair, both public and private. What I am trying to understand is which key the server saved onto my local machine: the server's public key, I guess.

Yes, PuTTY saves the thumbprint of the server's public key. You can see all of the stored keys in the registry under the key: HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys

Also, when PuTTY made the initial SSH connection to the server, how does the server decide which key to forward? Assuming the server has a list of public keys, is there a generic key for any client trying to make a connection? And where is this generic key stored on the server?

The server only has one host key per key type (RSA, DSA, etc.). Where they are stored depends on the configuration, but, for example, by default on Ubuntu systems they are usually stored in /etc/ssh.

4
  • 1
    It's not a thumbprint that is cached. It's a complete public key. Commented Apr 5, 2018 at 15:05
  • Can I understand it as /etc/ssh/ssh_host_rsa_key.pub being where one of the host keys is, and the host key being used for identifying what the server truly is? Commented Apr 5, 2018 at 17:53
  • That leads to another question: how do I stop the warning from happening when connecting for the first time? Attach the public key of this server when making the connection for the first time? And how do I do that in PuTTY? Commented Apr 5, 2018 at 17:54
  • 1
    @JunchenLiu This is Q&A site, not a chat. Accept the answer that best answers your question. And if you have another question, post it separately. Commented Apr 5, 2018 at 18:39
1

If you are sure that it's not a MITM attack or some other security breach, you can use plink to update the key, e.g.

plink [email protected]

It will prompt with a WARNING - POTENTIAL SECURITY BREACH! message and offer the option to update the cached key. No need to fiddle in the Windows registry yourself...

1

Run the following command

ssh -T [email protected]

It will give you a warning message similar to the following, and remove the offending key from the known_hosts file.

Warning: The ECDSA host key for 'github.com' differs from the key for the IP address '140.82.112.4'

  • Offending key for IP in ~/.ssh/known_hosts:11
  • Matching host key in ~/.ssh/known_hosts:15
  • Are you sure you want to continue connecting (yes/no)

Note:

  • Repeat until all Offending Keys are removed.
  • Pageant (PuTTY Authentication Agent) may need to be restarted

See also: https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
