sftp issue

pgte3 · 11-24-2010, 07:49 AM

Trying to sftp (get) a file, and am getting the following message:

spawn sftp -oPort=10022 jn000JN@sftp.section111.cms.hhs.gov
Connecting to sftp.section111.cms.hhs.gov...
The authenticity of host 'sftp.section111.cms.hhs.gov (204.76.173.42)' can't be established.
DSA key fingerprint is 66:64:07:cc:39:89:56:2b:3b:4c:fd:cc:3d:2a:7a:9c.
Are you sure you want to continue connecting (yes/no)?

Is this an issue with keys? Where are the keys on a sftp client stored? I am running this sftp script from a different directoy than normal if that matters.

colucix · 11-24-2010, 08:08 AM

This means that your local machine doesn't know about the fingerprint (DSA key) of the remote server. The ssh daemon asks if you trust the remote server and eventually import (add) the DSA key into the file $HOME/.ssh/known_hosts. This happens only the first time you try to connect to an unknown server, then you will never be prompted again unless:

you remove the key from the known_hosts file
the fingerprint of the remote server changes for some reason.

jschiwal · 11-24-2010, 08:11 AM

My guess is that PKI authentication isn't used, and the keys have been replaced on the server. The fingerprint from the server, doesn't match the information in your .ssh/known_hosts file. It could also be a man-in-the-middle attack. If the former is true, you could delete the line for this server in ~/.ssh/known_hosts. If the latter, it isn't save to proceed.

pgte3 · 11-24-2010, 09:07 AM

Thanks for the response colucix. Once I replied "yes" to the message, an entry was made $HOME/.ssh/known_hosts file. A sftp after that I was not prompted again. A change in the key on the server side at this point would probably cause a prompt message again I assume.