Thank you Martin.
It all make sense now.
It all make sense now.
- Rudixx
Post a reply
Topic review
- martin
The WinSCP
For your setup, the correct solution is to use semicolon-separated list of fingerprints of all your four servers in
https://winscp.net/eng/docs/library_sessionoptions#sshhostkeyfingerprint
SshHostKeyPolicy.GiveUpSecurityAndAcceptAny is an equivalent of OpenSSH StrictHostKeyChecking=no, both being equally insecure.
For your setup, the correct solution is to use semicolon-separated list of fingerprints of all your four servers in
Session.SshHostKeyFingerprint.
https://winscp.net/eng/docs/library_sessionoptions#sshhostkeyfingerprint
- Rudixx
I have a virtual hostname with 4 physical servers behind. All 4 servers have different server host keys.
I was advised to use
I was advised to use
-oUserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no but obviously those are not valid WinSCP parameters. So perhaps SshHostKeyPolicy.GiveUpSecurityAndAcceptAny. Is the last option to use unless you can advise something else?
- martin
The
What are you trying to achieve? Do your hosts keep changing keys? Do they have a legitimate reason to do that? It's wrong in general. If you need that and you are sure you know what you are doing, use
AcceptNew does what OpenSSH StrictHostKeyChecking=accept-new do. I.e. it accepts first host key of a new host. If the host later returns a different host key, WinSCP considers that a security threat and aborts.
What are you trying to achieve? Do your hosts keep changing keys? Do they have a legitimate reason to do that? It's wrong in general. If you need that and you are sure you know what you are doing, use
SshHostKeyPolicy.GiveUpSecurityAndAcceptAny.
- Rudixx
In addition to the above, would that mean that I need to clear the cache before every connection?
In my setup there are multiple servers, so I thought that
In my setup there are multiple servers, so I thought that
AcceptNew policy, will just cache them all.
- Rudixx
Originally it did not have any, so it added the hostkey from the first attempt to the registry.
I was under impression that
. 2022-01-12 14:18:20.243 Looking up host "..." for SSH connection
. 2022-01-12 14:18:20.258 Connecting to 100.100.100.100 port 22
< 2022-01-12 14:18:20.258 Script: Connecting to host...
. 2022-01-12 14:18:20.258 We claim version: SSH-2.0-WinSCP_release_5.19.5
. 2022-01-12 14:18:20.258 Remote version: SSH-2.0-OpenSSH_7.4
. 2022-01-12 14:18:20.258 Using SSH protocol version 2
. 2022-01-12 14:18:20.274 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2022-01-12 14:18:20.336 Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
. 2022-01-12 14:18:20.336 Host key fingerprint is:
. 2022-01-12 14:18:20.336 ssh-ed25519 255 1f:9c:8f:a9:a9:2e:81:8c:e0:6b:e9:bc:aa:c3:cb:80 amsdILszbrpSKxfTFGJVw+ljlHJpuFmyBT8iEqOdloc=
< 2022-01-12 14:18:20.336 Script: Authenticating...
. 2022-01-12 14:18:20.336 Warning: Stored new host key to HKCU\Software\Martin Prikryl\WinSCP 2\ - This should occur only on the first connection
I was under impression that
SshHostKeyPolicy = "AcceptNew" will accept any new hostkeys, is that not the case?
- martin
Re: [PowerShell] Accepting new host fingerprints does not work
The local account you use for the scheduled task have a different host key cached for your server already:
So it does not see the host as "new". You will have to clear the host key cache (after double checking that the new host key is legitimate).
. 2022-01-12 14:39:50.365 Host key does not match cached key
So it does not see the host as "new". You will have to clear the host key cache (after double checking that the new host key is legitimate).
- Rudixx
[PowerShell] Accepting new host fingerprints does not work
Hello
I have a scheduled task that runs the script as a system account, but the script fails due to authentication.
The script seems to work fine when I run it manually.
I have a scheduled task that runs the script as a system account, but the script fails due to authentication.
param (
#$KnownHostsFile = "$PSScriptRoot\KnownHosts.xml",
$logPath = "U:\x\Logs\$(Get-Date -format yyyy)\$(Get-Date -format MM)",
$logName = "WinSCP-SFTP_Upload_$(Get-Date -format yyyyMMdd).log",
$localPath = "U:\x\Downloaded_Files\",
$remotePath = "/build/",
$finalPath = "/work/",
$archivePath = "U:\x\Uploaded_Files\$(Get-Date -format yyyy)\$(Get-Date -format MM)",
$SMTPServer = "gateway.server.com",
$EmailFrom = "$env:computername@server.com",
$EmailTo = "user@server.com",
$EmailSubject = "Sync Files Transfer Failure",
$EmailAttachment = "$logPath\$logName",
$EmailBody = "Upload to SFTP failed.`r`nLog file attached."
)
# Upload
try
{
# Load WinSCP .NET assembly
Add-Type -Path "C:\Program Files (x86)\WinSCP\WinSCPnet.dll"
# Setup session options
$sessionOptions = New-Object WinSCP.SessionOptions -Property @{
Protocol = [WinSCP.Protocol]::Sftp
HostName = "server.com"
UserName = "username"
SshPrivateKeyPath = "$PSScriptRoot\key.ppk"
SshHostKeyPolicy = "AcceptNew"
}
$session = New-Object WinSCP.Session
try
{
# Log Session
If(!(test-path $logPath))
{
New-Item -ItemType Directory -Force -Path $logPath
}
$session.SessionLogPath = "$logPath\$logName"
# Connect
$session.Open($sessionOptions)
# Deliberately using an underscore instead of a dot,
# as the dot has specific meaning in operation mask
$suffix = "_filepart"
$transferOptions = New-Object WinSCP.TransferOptions
# Particularly with SFTP protocol, prevent additional .filepart suffix
# from being added to uploaded files larger than 100 KB
$transferOptions.ResumeSupport.State = [WinSCP.TransferResumeSupportState]::Off
# Upload all .pdf files with temporary "_filepart" suffix
$transferResult =
$session.PutFiles(($localPath + "*.pdf"), ($remotePath + "*.*" + $suffix),
$False, $transferOptions)
# Throw on any error
$transferResult.Check()
# Rename uploaded files
foreach ($transfer in $transferResult.Transfers)
{
# Remove suffix
$finalName =
$transfer.Destination.SubString(
0, $transfer.Destination.Length - $suffix.Length)
# Replace path
$finalName = $finalName.Replace($remotePath, $finalPath)
Write-Output "Renaming uploaded file $($transfer.Destination) to $finalName"
# Rename uploaded file to its final name
$session.MoveFile($transfer.Destination, $finalName)
# Success or error?
if ($transfer.Error -eq $Null)
{
Write-Output "Upload of $($transfer.FileName) succeeded, moving to archive"
# Upload succeeded, move source file to archive
If(!(test-path $archivePath))
{
New-Item -ItemType Directory -Force -Path $archivePath
}
Move-Item $transfer.FileName $archivePath
}
else
{
Write-Output "Upload of $($transfer.FileName) failed: $($transfer.Error.Message)"
}
}
}
finally
{
# Disconnect, clean up
$session.Dispose()
}
exit 0
}
catch
{
Write-Output "Error: $($_.Exception.Message)"
Send-MailMessage -To $EmailTo -From $EmailFrom -Subject $EmailSubject -SmtpServer $SMTPServer -Body $EmailBody -Attachments $EmailAttachment
exit 1
}
. 2022-01-12 14:39:50.256 --------------------------------------------------------------------------
. 2022-01-12 14:39:50.256 WinSCP Version 5.19.5 (Build 11933 2021-11-25) (OS 10.0.14393 - Windows Server 2016 Standard)
. 2022-01-12 14:39:50.256 Configuration: nul
. 2022-01-12 14:39:50.256 Log level: Normal
. 2022-01-12 14:39:50.256 Local account: domain\hostname$
. 2022-01-12 14:39:50.256 Working directory: C:\Program Files (x86)\WinSCP
. 2022-01-12 14:39:50.256 Process ID: 2616
. 2022-01-12 14:39:50.271 Ancestor processes: powershell, cmd, svchost, ...
. 2022-01-12 14:39:50.271 Command-line: "C:\Program Files (x86)\WinSCP\winscp.exe" /xmllog="C:\windows\TEMP\wscp2310.01324713.tmp" /xmlgroups /xmllogrequired /nointeractiveinput /stdout /stdin /dotnet=5.19.5 /ini=nul /log="U:\x\Logs\2022\01\WinSCP-SFTP_Upload_20220112.log" /console /consoleinstance=_8976_30834295_644
. 2022-01-12 14:39:50.271 Time zone: Current: GMT+1, Standard: GMT+1 (Central Europe Standard Time), DST: GMT+2 (Central Europe Daylight Time), DST Start: 3/27/2022, DST End: 10/30/2022
. 2022-01-12 14:39:50.271 Login time: Wednesday, January 12, 2022 2:39:50 PM
. 2022-01-12 14:39:50.271 --------------------------------------------------------------------------
. 2022-01-12 14:39:50.271 Script: Retrospectively logging previous script records:
> 2022-01-12 14:39:50.271 Script: option batch on
< 2022-01-12 14:39:50.271 Script: batch on
< 2022-01-12 14:39:50.271 Script: reconnecttime 120
> 2022-01-12 14:39:50.271 Script: option confirm off
< 2022-01-12 14:39:50.271 Script: confirm off
> 2022-01-12 14:39:50.271 Script: option reconnecttime 120
< 2022-01-12 14:39:50.271 Script: reconnecttime 120
> 2022-01-12 14:39:50.271 Script: open "sftp://username@server.com" -hostkey="acceptnew" -privatekey="U:\x\key.ppk" -timeout=15
. 2022-01-12 14:39:50.271 --------------------------------------------------------------------------
. 2022-01-12 14:39:50.271 Session name: username@server.com (Ad-Hoc site)
. 2022-01-12 14:39:50.271 Host name: server.com (Port: 22)
. 2022-01-12 14:39:50.271 User name: username (Password: No, Key file: Yes, Passphrase: No)
. 2022-01-12 14:39:50.271 Tunnel: No
. 2022-01-12 14:39:50.271 Transfer Protocol: SFTP
. 2022-01-12 14:39:50.271 Ping type: Off, Ping interval: 30 sec; Timeout: 15 sec
. 2022-01-12 14:39:50.271 Disable Nagle: No
. 2022-01-12 14:39:50.271 Proxy: None
. 2022-01-12 14:39:50.271 Send buffer: 262144
. 2022-01-12 14:39:50.271 SSH protocol version: 2; Compression: No
. 2022-01-12 14:39:50.271 Bypass authentication: No
. 2022-01-12 14:39:50.271 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2022-01-12 14:39:50.271 GSSAPI: KEX: No; Forwarding: No; Libs: gssapi32,sspi,custom; Custom:
. 2022-01-12 14:39:50.271 Ciphers: aes,chacha20,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2022-01-12 14:39:50.271 KEX: ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1
. 2022-01-12 14:39:50.271 SSH Bugs: Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto
. 2022-01-12 14:39:50.271 Simple channel: Yes
. 2022-01-12 14:39:50.271 Return code variable: Autodetect; Lookup user groups: Auto
. 2022-01-12 14:39:50.271 Shell: default
. 2022-01-12 14:39:50.271 EOL: LF, UTF: Auto
. 2022-01-12 14:39:50.271 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes; Follow directory symlinks: No
. 2022-01-12 14:39:50.271 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No; Exit code 1 is error: No
. 2022-01-12 14:39:50.271 SFTP Bugs: Auto,Auto
. 2022-01-12 14:39:50.271 SFTP Server: default
. 2022-01-12 14:39:50.271 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2022-01-12 14:39:50.271 Cache directory changes: Yes, Permanent: Yes
. 2022-01-12 14:39:50.271 Recycle bin: Delete to: No, Overwritten to: No, Bin path:
. 2022-01-12 14:39:50.271 DST mode: Unix
. 2022-01-12 14:39:50.271 --------------------------------------------------------------------------
< 2022-01-12 14:39:50.271 Script: Searching for host...
. 2022-01-12 14:39:50.271 Looking up host "server.com" for SSH connection
. 2022-01-12 14:39:50.287 Connecting to 100.00.000.000 port 22
< 2022-01-12 14:39:50.287 Script: Connecting to host...
. 2022-01-12 14:39:50.287 We claim version: SSH-2.0-WinSCP_release_5.19.5
. 2022-01-12 14:39:50.303 Remote version: SSH-2.0-OpenSSH_7.4
. 2022-01-12 14:39:50.303 Using SSH protocol version 2
. 2022-01-12 14:39:50.303 Have a known host key of type ssh-ed25519
. 2022-01-12 14:39:50.303 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2022-01-12 14:39:50.365 Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
. 2022-01-12 14:39:50.365 Host key fingerprint is:
. 2022-01-12 14:39:50.365 ssh-ed25519 255 44:bd:d2:13:a0:50:bf:6a:de:a6:62:eb:fa:fd:d4:ad GrGgvYyFwxkNxxHzq/nmUGdNmC1E0qA5wyNWJ0vfP6U=
< 2022-01-12 14:39:50.365 Script: Authenticating...
. 2022-01-12 14:39:50.365 Host key does not match cached key
. 2022-01-12 14:39:50.365 Attempt to close connection due to fatal exception:
* 2022-01-12 14:39:50.365 Host key fingerprint is ssh-ed25519 255 GrGgvYyFwxkNyyHzq/nmUGdNmC1E0qA5wyNWJ0vfP6U=.
* 2022-01-12 14:39:50.365 (Exception) **Expected host key was not configured, use -hostkey switch.**
. 2022-01-12 14:39:50.365 Closing connection.
< 2022-01-12 14:39:50.365 Script: Expected host key was not configured, use -hostkey switch.
< 2022-01-12 14:39:50.365 Host key fingerprint is ssh-ed25519 255 GrGgvYyFwxkNyyHzq/nmUGdNmC1E0qA5wyNWJ0vfP6U=.< 2022-01-12 14:39:50.365 Authentication failed.
The script seems to work fine when I run it manually.