Why does this SSH host key fingerprint not match the pattern when using WinSCP .NET assembly

Question

I am trying to connect to an SFTP server using WinSCP and PowerShell and have hit the following snag

Error: SSH host key fingerprint "ssh-rsa 2048 ABCDE+I9v1+pLxkhZkod6yAbEh0o7a8wlSsI+ABCDEF" does not match pattern /((ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))( |-))?(\d+ )?(([0-9a-f]{2}(:|-)){15}[0-9a-f]{2}|[0-9a-zA-Z+/]{43}=)(;((ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))( |-))?(\d+ )?(([0-9a-f]{2}(:|-)){15}[0-a-f]{2}|[0-9a-zA-Z+/]{43}=))*/

The ABCDE and ABCDEF in the quoted string are just me obscuring the fingerprint.

I've checked the existing SO responses ( SSH host key fingerprint ... does not match pattern ... when using WinSCP .NET assembly in C# to download files, SSH host key fingerprint does not match pattern C# WinSCP) but they don't apply.

I have a vague knowledge of regular expressions, and it looks like it should match to me, so I hope I am missing something simple. I have the 'ssh-rsa', then a space ( |-), then a number of digits followed by space (\d+ ), then 43 characters that match [0-9a-zA-Z+/]{43} (it's the fact that I have a 43-character string that makes me thing I have a correct fingerprint and am just missing some syntactic trivia). The whole of the second half of the pattern is just a repeat of the first, and I'm assuming an optional one, so I don't know what's not being accepted?

Answer 1

The Base-64 encoded SHA-256 fingerprint should be padded with =:

ssh-rsa 2048 ABCDE+I9v1+pLxkhZkod6yAbEh0o7a8wlSsI+ABCDEF=

---

Though note that since WinSCP 5.17, the padding is not required.

---

Also as mentioned in answers to both question you have referred to, WinSCP can generate a code template including the correct fingerprint for you.