5

BizTalk sees thumbprint for an internal SFTP test as ssh-rsa 2048 33:88:f0:ff:63:78:a9:2b:3f:09:cb:05:81:db:59:86

WinSCP shows: ssh-ed25519 256 ff:2e:5e:33:7a:15:de:69:18:cf:82:ae:f0:4e:7b:d2 (when I click "Session", then "Server/Protocol Information")

Is it possible to convert one to the other? Is it possible to get the ssh-rsa thumbprint from WinSCP, PuTTY or some other tool?

Martin Prikryl
NealWalters

2 Answers

5

WinSCP uses the Ed25519 host key. It's a different key than the RSA host key used by BizTalk. You cannot convert one to the other.

WinSCP defaults to the Ed25519 host key, as that's preferred over RSA. You can only make WinSCP use RSA using the raw session setting HostKey.


Alternatively, if you can connect with an SSH terminal (e.g. PuTTY) to the server, use ssh-keygen to display a fingerprint of the RSA host key:

```
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
```

(this assumes common *nix server with OpenSSH)

Note that this makes sense only if you had verified the host key that the SSH terminal uses upfront.

See WinSCP FAQ on Where do I get SSH host key fingerprint to authorize the server?, which covers all this.

Martin Prikryl
4
ssh-rsa 2048 33:88:f0:ff:63:78:a9:2b:3f:09:cb:05:81:db:59:86 

and

ssh-ed25519 256 ff:2e:5e:33:7a:15:de:69:18:cf:82:ae:f0:4e:7b:d2

These are the same fingerprint type, but different key types (one is RSA and the other is ED25519 -- elliptic curve). There is no way to convert one to the other, because they are fingerprints of different keys.

Jakuje
  • Do you have any reference to help me read up more? There is only one private key, right? But it can have different fingerprints for each type of communication or what? – NealWalters May 15 '17 at 17:17
  • And also, then the only way to get the rsa fingerprint is to connect with rsa, as apparently BizTalk does and WinSCP does not? – NealWalters May 15 '17 at 17:19
  • No. A server usually has more host keys (private keys) of different types (RSA, DSA, ECDSA, ED25519). Each of them has a connected public key and the fingerprint is computed from it. For longer reading, the SSH protocol architecture and RFCs are a good start: https://www.openssh.com/specs.html – Jakuje May 15 '17 at 17:19
  • It is the other way round. WinSCP talks using Ed25519, but BizTalk does not, so it falls back to RSA, but you should be able to force it to use RSA – Jakuje May 15 '17 at 17:20
  • 2
    OK. It looks like it is not possible to configure WinSCP, so the easiest way to get the host keys of the server is to use `ssh-keyscan server | ssh-keygen -l -f - -E md5` from Linux. The first part lists the server public keys and the second converts them to fingerprints, which you can compare with the fingerprints you already have. But note that they are transferred over an insecure network and therefore might be compromised. If you want to be sure you are connecting to the correct server, get the fingerprints directly from the server owner/administrator! – Jakuje May 15 '17 at 19:18
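
What `ssh-keyscan server | ssh-keygen -l -f - -E md5` computes, as an added Python example that is not code from the answers or comments above: each fingerprint is a hash of one host public key blob, so a server with an RSA and an Ed25519 host key has two unrelated fingerprints. The host name `sftp.example.test` and both key blobs are constructed sample values, not real keys.

```python
import base64
import hashlib

def ssh_string(data):
    """RFC 4251 string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

def mpint(n):
    """RFC 4251 mpint for n > 0: big-endian, zero-padded if the top bit is set."""
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def read_fields(blob):
    """Split a public key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        n = int.from_bytes(blob[off:off + 4], "big")
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + n])
        off += n
    return fields

def fingerprint(line):
    """line is 'host keytype base64-blob', the format ssh-keyscan prints."""
    _host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    fields = read_fields(blob)
    if fields[:1] != [keytype.encode()]:
        raise ValueError("key type label does not match the blob")
    if keytype == "ssh-rsa":        # fields: type, e, n
        bits = int.from_bytes(fields[2], "big").bit_length()
    elif keytype == "ssh-ed25519":  # fields: type, 32-byte public key
        bits = len(fields[1]) * 8
    else:
        raise ValueError("unsupported key type: " + keytype)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": keytype, "bits": bits, "sha256": "SHA256:" + sha,
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

# Constructed sample input (not real keys): one server, two host keys.
RSA_BLOB = ssh_string(b"ssh-rsa") + mpint(65537) + mpint((1 << 2047) | 1)
ED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SCAN = ["sftp.example.test %s %s" % (t, base64.b64encode(b).decode())
        for t, b in (("ssh-rsa", RSA_BLOB), ("ssh-ed25519", ED_BLOB))]

if __name__ == "__main__":
    for fp in map(fingerprint, SCAN):
        print(fp["type"], fp["bits"], fp["md5"], fp["sha256"])
```

The printed `type bits md5` triple has the same layout as the values quoted in the question, so each line can be compared against what BizTalk or WinSCP displays for the matching key type.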