- Products
- Learn
- Local User Groups
- Partners
- More
On-Premise SD-WAN Management
Register HereWhat's New in R82.10?
Watch Here AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
The Moment Before
Hi Experts,
We have an issue when doing backup to SCP server.
1. At the beginning we use RSA public key. But now we need to use ECDSA public key.
2. I uploaded the ssh_host_ecdsa_key.pub file from SSH server, and use the command
add ssh hba hostname x.x.x.x public-key access-mode standalone file /home/admin/ssh_host_ecdsa_key.pub
"show ssh hba all " I can see the key is there. (I removed the RSA one, and can't see it anymore)
3. But when I am going to connect the server, it shows the error:
ERR_HOST_BASED_AUTH: Security issue detected.
Remote server identity has changed since last connection.
This means that either the host key has changed, or attackers are trying to steal Gaia backup (man-in-the-middle attack).
The type and fingerprint of the host key sent by the server are 'ecdsa-sha2-nistp256 pTLT*******2ADuzm**********************LYR9k7jU/S0'.
If you trust this identity, set correct host key using the command 'set ssh hba'.
For more details, please refer to sk164234.
I checked on the SSH server by
ssh-keygen -lf C:\ProgramData\ssh\ssh_host_ecdsa_key.pub
256 SHA256:pTLT*******2ADuzm**********************LYR9k7jU/S0 nt authority\[email protected] (ECDSA)
The public key is the same as in the error message.
It looks Gaia still has the cached fingerprint for previous RSA pub key's fingerprint and won't accept the new one.
I tried
set ssh hba known-host x.x.x.x public-key access-mode standalone file /home/admin/ssh_host_ecdsa_key.pub
looks failed to set the new fingerprint:
NMHOST9999 libdb_do_transaction: connection closed during operation
Unfortunately I can't see the sk164234 , could someone let me know how to remove the previous fingerprint for RSA connection to the server?
Thanks very much
delete ssh hba known-host <HOSTNAME> ?
Thanks very much,
Actually the command you mentioned didn't work:
delete ssh hba known-host x.x.x.x known-key-type ssh-rsa known-key-fingerprint 9VxwL/2fRsoso******************N5QTAV3MCc
It still prompted the same error. I believe it only remove the know host x.x.x.x (the same as "delete ssh hba known-host x.x.x.x"), there is still other place which stored the old fingerprint
below is my solution:
I just used the ssh-keygen -If key.pub to find out the old fingerprint, as I have already deleted from Gaia, I need to find out in our SSH server.
and then use the below command to modify it and it looks working
add ssh hba hostname 10.217.201.37 public-key access-mode online fingerprint pTLT*****mLYR9k7jU/S0
But I am not sure if there is any impact?
Let me check it shortly and will update you.
delete ssh hba known-host <HOSTNAME> ?
That looks right. This is more less the same
delete ssh hba known-host <HOSTNAME> [known-key-type <KEY_TYPE>] [known-key-fingerprint <SHA256_FINGERPRINT>]
Difference is that yours deletes one entry and mine all of a given remote host.
Or better said yours shows all possible options and mine just one to delete all of a remote host.
Correct. I just gave an example from the sk @George136905 referenced.
Thanks very much,
Actually the command you mentioned didn't work:
delete ssh hba known-host x.x.x.x known-key-type ssh-rsa known-key-fingerprint 9VxwL/2fRsoso******************N5QTAV3MCc
It still prompted the same error. I believe it only remove the know host x.x.x.x (the same as "delete ssh hba known-host x.x.x.x"), there is still other place which stored the old fingerprint
below is my solution:
I just used the ssh-keygen -If key.pub to find out the old fingerprint, as I have already deleted from Gaia, I need to find out in our SSH server.
and then use the below command to modify it and it looks working
add ssh hba hostname 10.217.201.37 public-key access-mode online fingerprint pTLT*****mLYR9k7jU/S0
But I am not sure if there is any impact?
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 70 | |
| 23 | |
| 7 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 3 |
Tue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY