topic SCP certificate key in Firewall and Security Management

SCP certificate key

George136905 — Tue, 02 Dec 2025 06:33:29 GMT

Hi Experts,

We have an issue when doing backup to SCP server.

1. At the beginning we use RSA public key. But now we need to use ECDSA public key.

2. I uploaded the ssh_host_ecdsa_key.pub file from SSH server, and use the command

add ssh hba hostname x.x.x.x public-key access-mode standalone file /home/admin/ssh_host_ecdsa_key.pub

"show ssh hba all " I can see the key is there. (I removed the RSA one, and can't see it anymore)

3. But when I am going to connect the server, it shows the error:

ERR_HOST_BASED_AUTH: Security issue detected.
Remote server identity has changed since last connection.
This means that either the host key has changed, or attackers are trying to steal Gaia backup (man-in-the-middle attack).
The type and fingerprint of the host key sent by the server are 'ecdsa-sha2-nistp256 pTLT*******2ADuzm**********************LYR9k7jU/S0'.
If you trust this identity, set correct host key using the command 'set ssh hba'.
For more details, please refer to sk164234.

I checked on the SSH server by

ssh-keygen -lf C:\ProgramData\ssh\ssh_host_ecdsa_key.pub
256 SHA256:pTLT*******2ADuzm**********************LYR9k7jU/S0 nt authority\system@companya.com (ECDSA)

The public key is the same as in the error message.

It looks Gaia still has the cached fingerprint for previous RSA pub key's fingerprint and won't accept the new one.

I tried

set ssh hba known-host x.x.x.x public-key access-mode standalone file /home/admin/ssh_host_ecdsa_key.pub

looks failed to set the new fingerprint:
NMHOST9999 libdb_do_transaction: connection closed during operation

Unfortunately I can't see the sk164234 , could someone let me know how to remove the previous fingerprint for RSA connection to the server?

Thanks very much

Re: SCP certificate key

the_rock — Tue, 02 Dec 2025 15:52:41 GMT

Let me check it shortly and will update you.

Re: SCP certificate key

Vincent_Bacher — Tue, 02 Dec 2025 15:56:02 GMT

delete ssh hba known-host <HOSTNAME> ?

Re: SCP certificate key

the_rock — Tue, 02 Dec 2025 15:58:09 GMT

That looks right. This is more less the same

delete ssh hba known-host <HOSTNAME> [known-key-type <KEY_TYPE>] [known-key-fingerprint <SHA256_FINGERPRINT>]

Re: SCP certificate key

Vincent_Bacher — Tue, 02 Dec 2025 17:05:47 GMT

Difference is that yours deletes one entry and mine all of a given remote host.

Or better said yours shows all possible options and mine just one to delete all of a remote host.

Re: SCP certificate key

the_rock — Tue, 02 Dec 2025 17:08:36 GMT

Correct. I just gave an example from the sk @George136905 referenced.

Re: SCP certificate key

George136905 — Fri, 05 Dec 2025 01:01:49 GMT

Thanks very much,

Actually the command you mentioned didn't work:

delete ssh hba known-host x.x.x.x known-key-type ssh-rsa known-key-fingerprint 9VxwL/2fRsoso******************N5QTAV3MCc

It still prompted the same error. I believe it only remove the know host x.x.x.x (the same as "delete ssh hba known-host x.x.x.x"), there is still other place which stored the old fingerprint

below is my solution:

I just used the ssh-keygen -If key.pub to find out the old fingerprint, as I have already deleted from Gaia, I need to find out in our SSH server.

and then use the below command to modify it and it looks working

add ssh hba hostname 10.217.201.37 public-key access-mode online fingerprint pTLT*****mLYR9k7jU/S0

But I am not sure if there is any impact?