SSH Host Key mismatch

i have this specific use case: 

two sps connection policy, one for access from SPP and one for access from Remote Access and these two connection policies have two different keys (under SSH Control --> Client side host key settings (ECDSA key). In the known_hosts of the windows server where i am starting the sessions there are both keys of the two connection policies and in the SSH Control --> Server Host Keys i have two keys about that linux server.

from SRA i can access to the linux server and from SPP not.

i get the classic error about MAN IN THE MIDDLE because it is not recognized the relative key, there is a mismatch about SSH Host Key between linux server and safeguard.

The black window that appear basically shows this message:




Someone could be eavesdropping on you right now (man in the middle attack)

It is also possible that a host key has just been changed

The fingerprint for the ECDSA key sent by the remote host is

SHA256: 82h4c2nh4hqc4h3'q4hm37897h1'349 (for example)

Add correct host key in C:\\Users\\adm-abcdefg/.ssh/known_hosts to get rid of this message

Offending ECDSA key in C:\\Users\\adm-abcdefg/.ssh/known_hosts:2

ECDSA host key for has changed and you have requested strict checking

Host key verification failed


how can i resolve this issue?

which is the best and the right configuration about this?

It seems that if I launch the connection from SPP I go through the connection policy of the SRA which has its own precise key and in the black window which appears I see that the host only ever sends me the same key which is the one I see in the connection policy of the SRA but I am accessing from SPP so I should go through the connection policy safeguard_default. What's going on? Can anyone help me clarify the problem?

i am going crazy

thank you very much

  • Hi Dario,

    Are you using the same SSH port for both SPS connection policies?

    If so, you can separate the conflict by using different ports on each connection policy, for example

    SSH connection policy for safeguard_default with port 22

    SSH connection policy for SRA with port 2222

    SPP > Launch Client SSH connection > SPS (safeguard_default:22) > target server:22

    SRA > SSH connection > SPS (SRA:2222) > target server:22