+1 vote
in Java FTP by (180 points)

I'm probably answering my own question, but when I add multiple SSH keys for a host, it seems like it is only taking the last one added.

I'm doing something like this:

    SecureFileTransferClient ftp = createFTPClient();
    SSHFTPValidator ftpValidator = ftp.getAdvancedSSHSettings().getSSHServerValidator();

    // Register every trusted key under the same host name
    for( InputStream keyInputStream : getKeyInputStreams() ) {
        ftpValidator.addKnownHost( "myHost", keyInputStream );
    }

After the loop finishes, calling ftpValidator.getKnownHostKeys("myHost") always returns one key and it is the last key added. Each key being added is different.

I'm using version 4.7.0.



1 Answer

+1 vote
by (48.2k points)
Best answer
I just looked at the code and, yes, SSHFTPValidator will replace the key for the named host if one already exists.

I'm interested in the scenario you've got.  Why do you need multiple keys for one host?  Are there multiple sites listening on separate ports on that machine?
by (180 points)
The scenario is similar to importing a trusted keystore when setting up SSL Server Validation Certificates.  I have a designated trusted area to place my keys.  As long as the site I'm connecting to is using a trusted key, I'm OK with connecting to that site.  I don't want to have to supply a specific alias to associate with a site.

We are using public keys with the notion of limited trust. It is possible that one of the public keys is used with another host, but it is likely it is a host we are familiar with since we manually manage the keys in the key store.
by (310 points)
I have just hit this same limitation. In our case we are hitting a load balancer SFTP endpoint that serves out multiple SFTP hosts (with the same username/password but different SSH keys on each one).

The only way I see around this is by either disabling host checking (not going to happen) or creating a custom validator that will validate against any SSHPublicKey loaded into the validator.

Right now we are pushing back against the owners of the server and getting them to add the same private/public key against each server, but I would love to know if this will be added as a feature in the API.
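
The thread turns on replace-versus-accumulate semantics for host keys, so here is a store that keeps every pinned key for a host and accepts a server only if its key matches one of them. This is an added example, not edtFTPj code and not from any poster: `MultiKeyHostStore` and its methods are hypothetical, the key blobs are constructed placeholders, and hooking it into the client's host validation depends on the library's own API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;

// Hypothetical helper, not an edtFTPj class: pins several host keys per host name.
public class MultiKeyHostStore {
    private final Map<String, List<byte[]>> pins = new HashMap<>();

    private static byte[] sha256(byte[] blob) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(blob);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }

    // Accepts one OpenSSH public key line: "<type> <base64 blob> [comment]".
    public void addKnownHost(String host, String publicKeyLine) {
        String[] parts = publicKeyLine.trim().split("\\s+");
        if (parts.length < 2) throw new IllegalArgumentException("not a public key line");
        byte[] blob = Base64.getDecoder().decode(parts[1]);
        // Append rather than replace, so earlier keys for the host survive.
        pins.computeIfAbsent(host.toLowerCase(Locale.ROOT), h -> new ArrayList<>())
            .add(sha256(blob));
    }

    // True only if the presented key blob matches one of the pins for this host.
    public boolean isTrusted(String host, byte[] presentedBlob) {
        byte[] seen = sha256(presentedBlob);
        boolean match = false;
        for (byte[] pin : pins.getOrDefault(host.toLowerCase(Locale.ROOT), Collections.emptyList())) {
            match |= MessageDigest.isEqual(pin, seen); // compare every pin, no early exit
        }
        return match; // unknown host or unknown key is rejected
    }

    public static void main(String[] args) {
        // Constructed stand-ins for key blobs; these are not real SSH keys.
        byte[] keyA = "constructed-key-A".getBytes(StandardCharsets.UTF_8);
        byte[] keyB = "constructed-key-B".getBytes(StandardCharsets.UTF_8);
        byte[] other = "constructed-key-X".getBytes(StandardCharsets.UTF_8);
        MultiKeyHostStore store = new MultiKeyHostStore();
        for (byte[] k : List.of(keyA, keyB)) {
            store.addKnownHost("myHost", "ssh-ed25519 " + Base64.getEncoder().encodeToString(k));
        }
        System.out.println("A=" + store.isTrusted("myHost", keyA) + " B=" + store.isTrusted("myHost", keyB)
            + " unpinned=" + store.isTrusted("myHost", other) + " otherHost=" + store.isTrusted("host2", keyA));
    }
}
```

Keeping pins scoped per host name, rather than trusting any loaded key for any host, limits what a single compromised backend key can impersonate.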