How to accept and cache a host key manually in PuTTY

Accepting the correct SSH host key in PuTTY prevents silent server impersonation and reduces the risk of credential theft during man-in-the-middle attacks. A cached host key also eliminates repeat trust prompts, making unexpected server identity changes obvious during later connections.

An SSH server proves its identity with a host key during the initial handshake, and PuTTY validates that identity by comparing the presented key against a locally cached copy. When no cached key exists, PuTTY displays a fingerprint in a PuTTY Security Alert dialog, and the accept option stores the key for the current Windows user under 

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys

.

Host key caching is only trustworthy when the fingerprint is verified out-of-band (administrator-provided fingerprint, console access, provisioning notes), not from the same network path being protected. Rebuilt systems, key rotation, load balancers, or connecting by a different hostname can legitimately change the presented key and trigger warnings, but the same warnings can also indicate active interception, so treat mismatches as security incidents until proven otherwise.

Related: How to verify SSH host key fingerprints before connecting
Related: How to resolve the "Remote Host Identification Has Changed" SSH warning

Steps to accept and cache a host key manually in PuTTY:

  1. Launch PuTTY.
  2. Enter the server Host Name (or IP address) in the Session category.

    Host key caching is tied to the exact host string plus port, so server, server.example.com, and 192.0.2.10 cache separately.

  3. Confirm the Port value for the connection.
  4. Click Open to start the SSH connection.
  5. Verify the host key fingerprint shown in the PuTTY Security Alert dialog against a trusted fingerprint for the server.

    Match the fingerprint for the same key type shown in the dialog (ED25519, ECDSA, or RSA), not a different algorithm.

    Cancel the connection when the fingerprint cannot be verified or does not match the trusted value.

  6. Select the Accept or Yes option to save the host key to the cache when the fingerprint matches.

    Accepting an unverified host key can permanently trust the wrong server and expose passwords, sessions, or forwarded traffic.

  7. Confirm the session proceeds to the server login prompt or shell.
  8. Close the active PuTTY terminal window.
  9. Start a new connection to the same hostname and port.
  10. Confirm the connection starts without an unknown host key prompt.
  11. Stop when a WARNING - POSSIBLE SECURITY BREACH! dialog reports a host key mismatch for the server.

    Host key mismatch warnings can indicate server rebuilds or key rotation, but can also indicate an active man-in-the-middle attack; avoid updating cached keys without independent verification.

    Related: How to update or delete PuTTY host key fingerprints on Windows