This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
George136905
Explorer
‎2025-12-01 10:33 PM
Jump to solution

SCP certificate key

Hi Experts, 

We have an issue when doing backup to SCP server.

1. At the beginning we use RSA public key. But now we need to use ECDSA public key.

 

2. I uploaded the ssh_host_ecdsa_key.pub file from SSH server, and use the command

add ssh hba hostname x.x.x.x public-key access-mode standalone file /home/admin/ssh_host_ecdsa_key.pub

 

"show ssh hba all " I can see the key is there. (I removed the RSA one, and can't see it anymore)

 


3. But when I am going to connect the server, it shows the error:

ERR_HOST_BASED_AUTH: Security issue detected.
Remote server identity has changed since last connection.
This means that either the host key has changed, or attackers are trying to steal Gaia backup (man-in-the-middle attack).
The type and fingerprint of the host key sent by the server are 'ecdsa-sha2-nistp256 pTLT*******2ADuzm**********************LYR9k7jU/S0'.
If you trust this identity, set correct host key using the command 'set ssh hba'.
For more details, please refer to sk164234.

 

I checked on the SSH server by 

ssh-keygen -lf C:\ProgramData\ssh\ssh_host_ecdsa_key.pub
256 SHA256:pTLT*******2ADuzm**********************LYR9k7jU/S0 nt authority\system@companya.com (ECDSA)

The public key is the same as in the error message. 

It looks Gaia still has the cached fingerprint for previous RSA pub key's fingerprint and won't accept the new one.

I tried 

set ssh hba known-host x.x.x.x public-key access-mode standalone file /home/admin/ssh_host_ecdsa_key.pub

looks  failed to set the new fingerprint:
NMHOST9999 libdb_do_transaction: connection closed during operation

 

Unfortunately I can't see the   sk164234 , could someone let me know how to remove the previous fingerprint for RSA connection to the server?

Thanks very much

 

0 Kudos
2 Solutions

Accepted Solutions
Vincent_Bacher
MVP Silver
MVP Silver
‎2025-12-02 07:56 AM
Jump to solution

delete ssh hba known-host <HOSTNAME> ?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

View solution in original post

George136905
Explorer
‎2025-12-02 02:50 PM
In response to the_rock
Jump to solution

Thanks very much,

Actually the command you mentioned didn't work:

delete ssh hba known-host x.x.x.x known-key-type ssh-rsa known-key-fingerprint 9VxwL/2fRsoso******************N5QTAV3MCc

It still prompted the same error. I believe it only remove the know host x.x.x.x (the same as "delete ssh hba known-host x.x.x.x"), there is still other place which stored the old fingerprint

 

below is my solution:

I just used the ssh-keygen -If key.pub to find out the old fingerprint, as I have already deleted from Gaia, I need to find out in our SSH server.

and then use the below command to modify it and it looks working

add ssh hba hostname 10.217.201.37 public-key access-mode online fingerprint pTLT*****mLYR9k7jU/S0

 

But I am not sure if  there is any impact?

 

View solution in original post

0 Kudos
6 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-12-02 07:52 AM
Jump to solution

Let me check it shortly and will update you.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
‎2025-12-02 07:56 AM
Jump to solution

delete ssh hba known-host <HOSTNAME> ?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
the_rock
MVP Diamond
MVP Diamond
‎2025-12-02 07:58 AM
In response to Vincent_Bacher
Jump to solution

That looks right. This is more less the same

delete ssh hba known-host <HOSTNAME> [known-key-type <KEY_TYPE>] [known-key-fingerprint <SHA256_FINGERPRINT>]

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
‎2025-12-02 09:04 AM
In response to the_rock
Jump to solution

Difference is that yours deletes one entry and mine all of a given remote host.

Or better said yours shows all possible options and mine just one to delete all of a remote host.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
the_rock
MVP Diamond
MVP Diamond
‎2025-12-02 09:08 AM
In response to Vincent_Bacher
Jump to solution

Correct. I just gave an example from the sk @George136905 referenced.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
George136905
Explorer
‎2025-12-02 02:50 PM
In response to the_rock
Jump to solution

Thanks very much,

Actually the command you mentioned didn't work:

delete ssh hba known-host x.x.x.x known-key-type ssh-rsa known-key-fingerprint 9VxwL/2fRsoso******************N5QTAV3MCc

It still prompted the same error. I believe it only remove the know host x.x.x.x (the same as "delete ssh hba known-host x.x.x.x"), there is still other place which stored the old fingerprint

 

below is my solution:

I just used the ssh-keygen -If key.pub to find out the old fingerprint, as I have already deleted from Gaia, I need to find out in our SSH server.

and then use the below command to modify it and it looks working

add ssh hba hostname 10.217.201.37 public-key access-mode online fingerprint pTLT*****mLYR9k7jU/S0

 

But I am not sure if  there is any impact?

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events