PuTTY Warning: The server's host key does not match the one PuTTY has cached in the registry

4

1

When using PuTTY connect to a new host, I often get the warning

The server's host key does not match the one PuTTY has cached in the registry.

after I press

Yes

PuTTY adds the server RSA key into the Windows 10's registry, and I will be able to login the remote server, and the warning won't appear again.

I know the RSA key comes as pairs, both public and private. What I am trying to understand is which key did the server saved into my local machine, the server's public key I guess.

Also when the PuTTY made the initial SSH connection to the server, how the server decides which key to forward? Assume the server has list of the public keys, is there a generic key for any client trying to make the connections?

And where is this generic key stored on the server? under /root/.ssh/ authorized_keys?

Junchen Liu

Posted 2018-04-05T14:50:17.150

Reputation: 145

1You are talking specifically about "host" keys, right? You are not mixing "host" key with "user" key for key exchange pair needed for user authentication to the SSH server, right? – Pimp Juice IT – 2018-04-05T14:56:26.087

Answers

4

Generally you should be very cautious when you get

WARNING - POTENTIAL SECURITY BREACH!

The server's host key does not match the one PuTTY has cached in the registry.

It's an indication of MITM attack.

See also PuTTY documentation for WARNING - POTENTIAL SECURITY BREACH! (what is the main part of the message, which you somehow omitted in your question).

You never get this message for a new server. Unless, of course, the new server reuses IP address/hostname of some discarded server. In which case, it's ok to ignore the warning.

It is, of course, a public key that is cached by PuTTY. A private key is secret and it must not be accessible to anyone, except for the server administrator. So there's no way SSH client can get it.

The server can indeed have a number of key pairs for different algorithms (one for each algorithm, like RSA, DSA, ECDSA, ED25519). The client and the server will agree on the best algorithm to use (the best out of those supported by both the server and the client).

The key pairs are usually stored in /etc/ssh (on Linux with OpenSSH).

Though wording of your question hints that you may confuse the server/host key pair with the key pair you use to authenticate to the server.

See my article on Understanding SSH key pairs.

Martin Prikryl

Posted 2018-04-05T14:50:17.150

Reputation: 13 764

1Anytime my automated FTP jobs run into this error, it stops, I get notified, and then I reach out to the FTP server admins, etc. and verify that they indeed changed their host key. This is how I handle this specific issue that does happen from time to time per the automation. Nice answer as usual Martin!!! – Pimp Juice IT – 2018-04-05T16:01:16.567

1

I know the rsa key comes as pairs, both public and private what I am trying to understand is which key did the server saved into my local machine, the server's public key I guess

Yes, PuTTY saves the thumbprint of the server's public key. You can see all of the stored keys in the registry under the key: HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys

also when the putty made the initial SSH connection to the server, how the server decides which key to forward? assume the server has list of the public keys, is there a generic key for any client trying to make the connections? and where is this generic key stored on the server?

The server only has one host key per key type (RSA, DSA, etc.). Where they are stored depends on the configuration, but, for example, default on Ubuntu systems they are usually stored in /etc/ssh

heavyd

Posted 2018-04-05T14:50:17.150

Reputation: 54 755

1It's not thumbprint that is cached. It's a complete public key. – Martin Prikryl – 2018-04-05T15:05:19.283

can I understand it as /etc/ssh/ssh_host_rsa_key.pub is where one of the host key is. and the host key is used for identifying the what the server truly is – Junchen Liu – 2018-04-05T17:53:39.263

that leads to another question, how do I stop the warning to happen when 1st time connecting to it? attach the public key of this server when first time making the connection? and in putty how do I do that – Junchen Liu – 2018-04-05T17:54:51.723

1@JunchenLiu This is Q&A site, not a chat. Accept the answer that best answers your question. And if you have another question, post it separately. – Martin Prikryl – 2018-04-05T18:39:35.533

Asked: 2018-04-05T14:50:17.150

Viewed: 6 578 times

Active: 2018-11-26T10:39:49.363