Skip to content

Fingerprints not saved when using custom ports and proxy hosts (Windows 11, 9.3.1) #17760

New issue
New issue
Open
Open
Fingerprints not saved when using custom ports and proxy hosts (Windows 11, 9.3.1)#17760
@rikrdo89

Description

@rikrdo89
rikrdo89
opened on Dec 12, 2025

Environment:

OS: Windows 11
Cyberduck: 9.3.1
Protocol: SFTP
Auth: SSH key

Setup:

Connect to a target SFTP server via a jump/proxy host (OpenSSH ProxyJump), and both the proxy and the target use non-standard SSH ports.

When connecting via SFTP using a proxy host on a custom port and a target on another custom port, Cyberduck repeatedly prompts to accept/verify the SSH host key fingerprint (ED25519). The prompts occur even after accepting the fingerprint (“Allow”), and can recur multiple times during the same transfer session. Connections using ssh and sftp from local console (outside cyberduck) to target host work well.

Expected behavior

Cyberduck should prompt to trust each host key (proxy + target) once (or once per key type), then persist those keys so subsequent connections do not re-prompt unless the host key truly changes.

Actual behavior

Cyberduck prompts repeatedly to verify the fingerprint for the proxy host and/or the target host.
Fingerprints can alternate between proxy and target prompts depending on which connection is being opened.

Restarting Cyberduck does not eliminate the prompt.
Transfers may be interrupted by repeated fingerprint prompts.

Steps to reproduce

On Windows 11, install Cyberduck 9.3.1.
Configure OpenSSH ~/.ssh/config with a proxy host and a target host that uses the proxy, both on non-standard ports. Example:

Host server-jump
  HostName <PROXY_IP>
  User <USER>
  Port <PROXY_PORT>
  IdentityFile <PATH_TO_KEY>

Host server-target
  HostName localhost
  User <USER>
  Port <TARGET_PORT>
  ProxyJump server-jump
  IdentityFile <PATH_TO_KEY>

In Cyberduck, create an SFTP connection to server-target (host alias from SSH config) and connect.
Accept the fingerprint prompt.
Start a file transfer (or reconnect multiple times).
Observe repeated fingerprint prompts ( “Changed fingerprint” warnings).

Diagnostics / notes
I verified the displayed fingerprints against the servers’ host keys:
On proxy host: ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ed25519_key.pub matches the proxy fingerprint.
On target host: same command matches the target fingerprint.
The behavior looks like Cyberduck is not persisting the trusted host keys reliably when:

  • the connection uses a proxy/jump host, and/or
  • the SSH ports are non-standard.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions