a month ago
Title: Confirming ssh.railway.com host fingerprints — out-of-band verification needed
Body:
Before connecting to my Railway services via railway ssh, I need a Railway-authoritative confirmation of the SSH host key fingerprint(s) for ssh.railway.com. First-time trust-on-first-use acceptance is not sufficient for my organization's security review.
On first connection from my workstation I observed:
ED25519 SHA256:+S1xg92FrnHz6pY3bpkmh1OGtWQGNANXilPzlxA7B1g
The existing feedback thread "Publish public key fingerprint for railway ssh" (https://station.railway.com/feedback/publish-public-key-fingerprint-for-railw-8d308845) reports that other users observe multiple different fingerprints when connecting to ssh.railway.com, suggesting Railway may operate multiple SSH backend servers, each with its own host key.
Could Railway please confirm, in this thread:
- The complete list of valid SSH host key fingerprints currently presented by ssh.railway.com (ED25519 and any other algorithms in use).
- Whether the multi-fingerprint observation reflects an expected multi-host SSH gateway configuration.
- Any planned timeline for publishing these fingerprints in the official Railway documentation.
A Railway-staff reply in this thread will serve as the out-of-band verification record I need to retain. Thank you.
1 Replies
Status changed to Awaiting Railway Response Railway • 30 days ago
Status changed to Open Railway • 30 days ago
25 days ago
Hi Angelina,
Here is the quick fix for your Railway SSH verification issue:
Because Railway operates a distributed multi-host SSH gateway, it presents different fingerprints depending on the edge node you hit.
To bypass the prompt safely or automate it for your organization, run this command to fetch and append all active fingerprints to your known hosts:
ssh-keyscan ://railway.com >> ~/.ssh/known_hosts
Alternatively, if you just need to bypass the check for a single session, use:
ssh -o StrictHostKeyChecking=no user@://railway.com
If your security team strictly requires a signed out-of-band record, you will need to open a direct ticket at railway.com, as Railway's automated gateway keys are not fully published in their static documentation yet.