You should ALWAYS check the fingerprint of the host before logging in via ssh; you never know if there is currently a MITM attack going on. After the first login, your ssh-client can do the fingerprint check automatically and warn you if it ever changes (if it changes, something suspicious is going on).
I don't know about the security mechanisms in Winbox itself. Probably it's best if you connect only your Winbox-Machine and your Router, and disconnect all other network interfaces.
So this is how I did it:
use key-file-prefix: test
/ip ssh set strong-crypto=yes
/ip ssh export-host-key
download the test_rsa.pub to your Desktop (like C:\Users\test-user\Desktop)
then delete the test_* files (test_dsa, test_dsa.pub, test_rsa, test_rsa.pub)
Debian on Windows
The first ssh-keygen command converts the test_rsa.pub to PKCS8-Format, which we pipe to ssh-keygen to show us the fingerprint.
apt-get install openssh-client
ssh-keygen -f /mnt/c/Users/test-user/Desktop/test_rsa.pub -i -m PKCS8 | ssh-keygen -l -f - -E md5
I used Debian on Windows (https://wiki.debian.org/InstallingDebia ... emForLinux). You could also copy the file to a real Debian or another Linux (probably there is also some ssh-keygen version for Windows available; however, I use Debian on Windows).
Then you'll get the MD5 style fingerprint, which you use to verify that your PuTTY really connects to the wanted ssh host.
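What the two ssh-keygen steps above compute, as an added example that is not part of the original post: it reads an RSA public key in `-----BEGIN PUBLIC KEY-----` PEM form, rebuilds the SSH key blob, and derives the MD5 and SHA256 fingerprints, then checks them against whatever string the client displays. It assumes the exported file is an RSA key in that PEM form; the function names and the toy key are constructed for illustration.

```python
import base64, hashlib, hmac, re, struct

RSA_OID = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1 (rsaEncryption)

def der_read(buf, pos, tag):
    """Read one DER element with the given tag at pos; return (content, next_pos)."""
    if buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#04x}, found {buf[pos]:#04x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def pem_to_ssh_blob(pem):
    """SubjectPublicKeyInfo RSA public key (PEM) -> SSH key blob (RFC 4253 wire format)."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    spki, _ = der_read(base64.b64decode(b64), 0, 0x30)
    alg, pos = der_read(spki, 0, 0x30)           # AlgorithmIdentifier
    oid, _ = der_read(alg, 0, 0x06)
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    bits, _ = der_read(spki, pos, 0x03)          # BIT STRING; first byte = unused-bit count
    rsa, _ = der_read(bits[1:], 0, 0x30)         # RSAPublicKey ::= SEQUENCE { n, e }
    n, pos = der_read(rsa, 0, 0x02)
    e, _ = der_read(rsa, pos, 0x02)
    field = lambda b: struct.pack(">I", len(b)) + b
    # For positive values a DER INTEGER and an SSH mpint have the same byte encoding.
    return field(b"ssh-rsa") + field(e) + field(n)

def fingerprints(blob):
    """Return the (MD5 colon-hex, SHA256 base64) fingerprints of an SSH key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def matches(shown, blob):
    """True if the MD5 fingerprint found in the client's prompt text equals the key's."""
    m = re.search(r"(?:[0-9a-f]{2}:){15}[0-9a-f]{2}", shown.lower())
    return bool(m) and hmac.compare_digest(m.group(0), fingerprints(blob)[0])

# Constructed toy key (n=3233, e=17) for the demo, not a real host key.
SAMPLE_DER = bytes.fromhex("301b 300d 0609 2a864886f70d010101 0500 030a 00 3007 0202 0ca1 0201 11")
SAMPLE_PEM = f"-----BEGIN PUBLIC KEY-----\n{base64.b64encode(SAMPLE_DER).decode()}\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    print(*fingerprints(pem_to_ssh_blob(SAMPLE_PEM)), sep="\n")
```

Pass the text from the client's host key prompt to `matches()` together with the blob built from the exported file; a `False` result means the key offered on the wire is not the one exported from the router.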