Backup Error "Host key has changed"
Product Version
Operating System
Symptom
When performing a Run-on-Client (AhsayACB/AhsayOBM) or Run-on-Server (AhsayCBS) backup to an SFTP destination, the following error is logged in the backup log/report:
[erro] afc.cloud.E: [CloudException.HostKeyChangedExpt] Host key has changed from "..." to "..."
Cause
This error is triggered by a security enhancement in v10.1.4.0:
- Digital Fingerprints: An SFTP server uses a "host key" to prove its identity, similar to a digital fingerprint. A server can have multiple fingerprints (keys) of different types.
- Support for Modern Keys: The recent update added support for new, stronger, and more secure key types (e.g., ecdsa-sha2-nistp256, rsa-sha2-256).
- Change in Preference: After the update, Ahsay software began prioritizing these new, more secure keys when connecting.
If your SFTP server supports both an old key (e.g., ssh-rsa) and a new key (e.g., ecdsa-sha2-nistp256), the updated Ahsay software now "sees" the new, more secure key first. Because the key presented is of a different type from the one the client recorded earlier, the comparison fails and triggers the "Host key has changed" warning, even though the server itself has not changed.
Resolution
Ahsay released Hotfix v10.1.4.3 to resolve this situation.
This hotfix adjusts the connection process to prevent these false warnings. It restores the previous connection behaviour, allowing the client to use the same host key type (e.g., ssh-rsa) that it recognized before the update.
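The following added example (not Ahsay's code) models the behaviour described above: a client that pinned an ssh-rsa key reports a change when its preference order makes it negotiate the server's ECDSA key, while trying the pinned key type first removes the false warning and still detects a genuinely replaced key. The key blobs, preference lists and function names are constructed assumptions for illustration.

```python
import base64
import hashlib

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed sample data: placeholder byte strings, not real host keys.
SERVER_KEYS = {
    "ssh-rsa": b"constructed-rsa-host-key",
    "ecdsa-sha2-nistp256": b"constructed-ecdsa-host-key",
}
# What the client stored on first connection, before the update.
PINNED = ("ssh-rsa", fingerprint(SERVER_KEYS["ssh-rsa"]))

LEGACY_ORDER = ["ssh-rsa"]                         # assumed pre-update preference
MODERN_ORDER = ["ecdsa-sha2-nistp256", "ssh-rsa"]  # assumed post-update preference

def pinned_first(order, pinned_type):
    """Hypothetical hotfix-style ordering: try the already-pinned key type first."""
    return [pinned_type] + [t for t in order if t != pinned_type]

def check_host_key(order, server_keys, pinned):
    """Negotiate a key type, then compare the presented key with the pinned one."""
    key_type = next(t for t in order if t in server_keys)
    presented = fingerprint(server_keys[key_type])
    pinned_type, pinned_fp = pinned
    if presented == pinned_fp:
        return "match"
    if key_type != pinned_type:
        # Different algorithm, so the fingerprints can never be equal. Confirm
        # the new fingerprint out of band before trusting it.
        return "changed:type"
    # Same algorithm, different key: the server's key really was replaced.
    return "changed:key"

if __name__ == "__main__":
    print("legacy client :", check_host_key(LEGACY_ORDER, SERVER_KEYS, PINNED))
    print("updated client:", check_host_key(MODERN_ORDER, SERVER_KEYS, PINNED))
    fixed = pinned_first(MODERN_ORDER, PINNED[0])
    print("pinned first  :", check_host_key(fixed, SERVER_KEYS, PINNED))
    replaced = dict(SERVER_KEYS, **{"ssh-rsa": b"constructed-different-rsa-key"})
    print("replaced RSA  :", check_host_key(fixed, replaced, PINNED))
```

A "changed:key" result is the case the warning exists for: the stored key type is still in use but its fingerprint differs, so the server's key should be verified with the SFTP administrator before the new one is accepted.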
Download the hotfix:
Windows - https://download.ahsay.com/support/FileDelivery/hot-fixes/101/10143/cbs-win-hotfix-aua-v10.1.4.3.zip
*nix - https://download.ahsay.com/support/FileDelivery/hot-fixes/101/10143/cbs-nix-hotfix-aua-v10.1.4.3.zip
AhsayCBS Hotfix Installation Guide: https://www.ahsay.com/en/support/help-centre/how-to/cbs/gen/cbs-hotfix-installation-guide
- All hotfix packages are cumulative; the latest one includes all the fixes in the previous ones.
- Conduct basic testing before rolling out hotfixes to production systems.
- Deploy hotfixes to only the affected production systems. (For AhsayCBS Hotfix with Client Auto-Update (AUA) binaries, disabling AUA for each user before updating would be a good practice.)
After you apply this hotfix to the AhsayCBS server and enable Auto-update for Backup Users (for Run-on-Client backup), the system will:
- Avoid unnecessary "Host key changed" warnings for existing server connections.
- Continue to support the new, modern key types for future compatibility.