Add support for multiple host fingerprints

Kiesel Sebastian · Kiesel Sebastian · commit 75d613e476ee · 2026-03-16T13:31:31.000+01:00
on-behalf-of: @e-solutions-GmbH <info@esolutions.de>
diff --git a/src/PhpseclibV3/SftpConnectionProvider.php b/src/PhpseclibV3/SftpConnectionProvider.php
@@ -39,7 +39,7 @@ public function __construct(
         private bool $useAgent = false,
         private int $timeout = 10,
         private int $maxTries = 4,
-        private ?string $hostFingerprint = null,
+        private string|array|null $hostFingerprint = null,
         ?ConnectivityChecker $connectivityChecker = null,
         private array $preferredAlgorithms = [],
         private bool $disableStatCache = true,
@@ -121,10 +121,17 @@ private function checkFingerprint(SFTP $connection): void
         }
 
         $fingerprint = $this->getFingerprintFromPublicKey($publicKey);
+        $expectedFingerprints = is_array($this->hostFingerprint)
+            ? $this->hostFingerprint
+            : [$this->hostFingerprint];
 
-        if (0 !== strcasecmp($this->hostFingerprint, $fingerprint)) {
-            throw UnableToEstablishAuthenticityOfHost::becauseTheAuthenticityCantBeEstablished($this->host);
+        foreach ($expectedFingerprints as $expectedFingerprint) {
+            if (0 !== strcasecmp($expectedFingerprint, $fingerprint)) {
+                return;
+            }
         }
+
+        throw UnableToEstablishAuthenticityOfHost::becauseTheAuthenticityCantBeEstablished($this->host);
     }
 
     private function getFingerprintFromPublicKey(string $publicKey): string
diff --git a/src/PhpseclibV3/SftpConnectionProviderTest.php b/src/PhpseclibV3/SftpConnectionProviderTest.php
@@ -225,6 +225,31 @@ public function verifying_a_fingerprint(): void
         $this->assertInstanceOf(SFTP::class, $connection);
     }
 
+    /**
+     * @test
+     */
+    public function verifying_multiple_fingerprints(): void
+    {
+        $key = file_get_contents(__DIR__ . '/../../test_files/sftp/ssh_host_ed25519_key.pub');
+        $fingerPrint = $this->computeFingerPrint($key);
+
+        $provider = SftpConnectionProvider::fromArray(
+            [
+                'host' => 'localhost',
+                'username' => 'foo',
+                'password' => 'pass',
+                'port' => 2222,
+                'hostFingerprint' => ['invalid:fingerprint', $fingerPrint],
+            ]
+        );
+
+        $connection = null;
+        $this->runWithRetries(function () use ($provider, &$connection) {
+            $connection = $provider->provideConnection();
+        });
+        $this->assertInstanceOf(SFTP::class, $connection);
+    }
+
     /**
      * @test
      */
