Handling SSH key on first connect.

I was wondering if anyone on here could give me some advice on how to handle the first-time connect from your app to a server using an SSH connection. I’m using plink (of course on Windows) and the user is presented with a yes or no prompt if the key isn’t already stored in the system registry. How should you handle this first-time connect, so that the user doesn’t have to give any input and the key is stored in the registry for subsequent connections? Any advice? Thanks!

Maybe there is a way to do that, but it sounds like a security problem if it is possible. I would suggest considering some kind of documentation or dialog that explains the process so the user is expecting it. Also, they will be aware of what that means so in the future if they are alerted again without expecting it, they will know to be properly suspicious rather than simply accepting the key.

Thanks! Sorry, I should have noted the app is a system service; there can be no user interaction.

I’m not totally familiar with Windows scripting, especially from system service apps, but have you tried scripting a dummy connection during install that pipes a “Y” to the plink command, so that the key is stored at install and in place when the service starts?

Basically the installer would connect once just for the purpose of accepting the key.

Google “echo plink store host key automatically”.

The right way to do this is to add the server’s public key to the computer that you’re connecting from in the known_hosts file. Here’s an example of doing it on Mac/Linux:

http://serverfault.com/questions/321167/add-correct-host-key-in-known-hosts-multiple-ssh-host-keys-per-hostname

putty/plink store known_hosts in the registry:

http://superuser.com/questions/197489/where-does-putty-store-known-hosts-information-on-windows

That way you’re sure that the user isn’t being redirected to another server or the connection has been spoofed.

Thanks Greg! I will read over this information!

I copied all the key information from the registry and I was going to add it manually to the registry of the computer that installed my app if the key wasn’t present on app open. I’m not sure if that would work long term, though: does the key fingerprint of the SSH server change from time to time? I bet it does; that might cause an issue for me using this solution.

The ssh key will not change unless you explicitly do it on the server. If it did, it would defeat the purpose and you’d never be able to tell if you were connecting to the same computer.
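Putting the two points above together (pre-seeding the host key in PuTTY’s registry store, and treating a changed key as a red flag rather than something to overwrite), here is an added PowerShell installer step; it is not code from the thread. It assumes the key value was exported from a registry where the fingerprint had already been verified with the server’s owner, and uses placeholders for that value; the registry path and value-name format are the ones PuTTY/plink use.

```powershell
# Added example: pre-provision a plink host key so a service account never sees
# the yes/no prompt. Run in the context of the account the service uses
# (for LocalSystem that hive is HKU:\S-1-5-18 rather than HKCU:).
param(
    [string]$HostName    = 'mydomain.com',   # host from the thread's connection string
    [int]   $Port        = 22,
    [string]$KeyType     = 'rsa2',           # PuTTY's name for ssh-rsa host keys
    [string]$ExpectedKey = '<PASTE-VERIFIED-KEY-VALUE-HERE>'  # placeholder, obtained out of band
)

# PuTTY keeps accepted host keys here, one REG_SZ value per host, named <type>@<port>:<host>.
$regPath   = 'HKCU:\Software\SimonTatham\PuTTY\SshHostKeys'
$valueName = "${KeyType}@${Port}:${HostName}"   # e.g. rsa2@22:mydomain.com

if ($ExpectedKey -like '<*') {
    throw 'ExpectedKey is still the placeholder; supply the verified host key value.'
}

if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}

$existing = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $existing) {
    # First install: store the verified key so plink trusts the server without prompting.
    New-ItemProperty -Path $regPath -Name $valueName -Value $ExpectedKey -PropertyType String | Out-Null
    Write-Output "Stored host key for ${HostName}:${Port}."
}
elseif ($existing -ne $ExpectedKey) {
    # A stored key that differs from the expected one is exactly what the prompt
    # exists to catch (wrong server or an intercepted connection); do not overwrite it.
    throw "Stored host key for ${HostName}:${Port} does not match the expected key; refusing to overwrite."
}
else {
    Write-Output "Host key for ${HostName}:${Port} already present and matches."
}
```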

Thanks so much for all the help!

Greg, is there a way to add the SSH key passphrase to the plink connection string?

PASSPHRASE replaced with the correct command like in the connection string below?

plink -ssh -v -L 7777:127.0.0.1:3306 -i E:\\plink\\key.ppk PASSPHRASE? user@mydomain.com -P 22

Thanks!

I’m not aware of any, but I haven’t used plink in a very long time.

Thanks.