Your browser does not allow storing cookies. We recommend enabling them.


Notifying the Users of Host Key Changes

Administrators that have other users connecting to their server should notify the users of any host key changes. The users will receive a warning the next time they connect because the host key the users have saved on their disk for your server does not match the host key now being actually provided by your server. The users may not know how to respond to this warning. Tectia Manager (available separately) provides an automatic mechanism for distributing the host keys.

You can run ssh-keygen-g3 to calculate the fingerprint of your new public host key and you can provide the fingerprint to your users via some unalterable method (for example, by a digitally signed e-mail or by displaying the fingerprint on a secured bulletin board).

On Unix, the command for calculating the fingerprint is:

# ssh-keygen-g3 -F

On Windows, the command is:

ssh-keygen-g3.exe -F

When the users connect and receive the error message about the host key having changed, they can compare the fingerprint of the new key with the fingerprint you have provided in your e-mail, and ensure that they are connecting to the correct Tectia Server. Inform your users to notify you if the fingerprints do not match, or if they receive a message about a host key change and do not receive a corresponding message from you notifying them of the change.

This procedure can help ensure that you do not become a victim of a man-in-the-middle attack, as your users will notify you if the host key fingerprints do not match.

It is also possible to send the public host key to the users via an unalterable method. The users can save the key in the $HOME/.ssh2/hostkeys directory on Unix or in the %APPDATA%\SSH\HostKeys directory on Windows as key_<port>_<host>.pub (for example, In this case, a manual fingerprint check is not needed. Tectia Manager can distribute the host keys automatically.


Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more