This message is always displayed on first connection. Something like this
$ ssh user@hostname
The authenticity of host 'hostname (v.x.y.z)' can't be established.
ED25519 key fingerprint is SHA256:P4QBIqLt6g6JU5P3po0WRLF+mr0ypYhhG3iGgCprM20.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:15: v.x.y.z
Are you sure you want to continue connecting (yes/no/[fingerprint])?
The reason is the fingerprint of the remote system not being in ~/.ssh/known_hosts.
You will need to add the fingerprint to the known_hosts file. You are usually prompted on first connection which is why a scripted first connection never works.
You can however bypass this check by adding the following option to your connection command
-o "StrictHostKeyChecking=no"
Or modify your ~/.ssh/config to include (the default is ask as documented in /etc/ssh/ssh_config).
Host *
StrictHostKeyChecking no
Using scp with a keyfile works as expected assuming the publc part has been transferred to the host beforehand.
When you create a keyfile - you will be prompted for password to unlock the private part of the keyfile and this password must be used on all connections to unlock the private key.
If you do not want to depend on the unlocking the private key - you can omit the password when creating the keyfile.
Doing so will lower the security on your keypair - so you must guard the private key well.
When you generate a keypari with ssh-keygen - you are prompted for a filename.
If you use a filename of name.ppk then putty will accept this key as well as Filezilla’ sftp function.
The .pub part is transferred to the remote host - the private key is used to verify the public key previously transferred to the host
e.g.
ssh-keygen -t ed25519 -f ~/.ssh/my-service-ed25549.ppk
will generate
$ ls ~/.ssh/my-service*
.ssh/my-servivce.ppk .ssh/my-service.ppk.pub