winscp.com option "--hostkey" Ignored?


jpantera (Posts: 23; Location: Los Angeles, CA)

winscp.com option "--hostkey" Ignored?

Hello, I have a question on the use of WinSCP through the winscp.exe command-line / winscp.com method (in case anyone has run into / looked into this).

I have created scripts that wrap this type of command (not yet jumping into the .NET Assembly method, although I have looked at it; my background is Perl / C) with the option, open, FTP put / get, and other items in a dynamically built winscp.com script file (which works well).

One of the options we use with this method is to obtain the SSH connection public key fingerprint ahead of time (my long-term background also includes Linux / Unix and scripting ssh directly), and feed this to winscp.com on a Windows platform via the "-hostkey" command parameter.

Recently I had reason to work with a platform SFTP server that was load-balanced, and was getting varying results for the SSH fingerprint value depending on the server I was connecting to. I looked into possibly coding some logic with "open" to look at various keys (does winscp.com / winscp.exe have an rc?), but found that if I removed the -hostkey, or even more blatantly replaced its string with "THISISWRONG"..., it still connects, with no warning, even if I turn option "echo on". Version of WinSCP

I see the .NET assembly method seems to have an option to enforce the -hostkey: SessionOptions.SshHostKeyFingerprint
Does winscp.com / winscp.exe default to this? GiveUpSecurityAndAcceptAnySshHostKey

https://winscp.net/eng/docs/library_sessionoptions#giveupsecurityandacceptanysshhostkey

Can it be set to enforce at least looking at / reporting on a different hostkey value it finds (if not the same as what's in -hostkey)?



jpantera (Posts: 23; Location: Los Angeles, CA)

Re: winscp.com option "--hostkey" Ignored?

martin wrote:

If WinSCP connects, it must have the actual hostkey cached in its registry.
If you do not want to use the cache, use the /ini=nul command-line switch.
See https://winscp.net/eng/docs/scripting#configuration

Thanks, Martin

Your response helped with my question on another topic with the /log (seeing how to feed it to winscp.com, like with /ini).

So if the key is in the ini, it will use that (even if I were to use some bogus value). Acknowledged.

My reason for asking this question is that the server I'm connecting to has a backup server, etc., and I'm not sure I have all the potential SSH handshake keys for all of them (cached or not). If winscp.com /console /script runs into a server it's connecting to, with all of the correct permissions, but with the key not trusted, will it fail, give an error / warning, or ?

Thanks,
Joe P.

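An added example (not from this thread or from the WinSCP project) of a wrapper that follows the /ini=nul advice above, so that the fingerprints pinned in -hostkey are the only thing that can satisfy host-key verification and a bogus value can no longer be rescued by the registry cache. The winscp.com path, host, user, key file, fingerprints and file paths are placeholders; the semicolon-separated list of alternative fingerprints for a load-balanced pool comes from WinSCP's documentation of the -hostkey switch, not from this thread, so check it against the version in use.

```powershell
# Added example: run winscp.com with /ini=nul so the registry/INI host-key cache
# is ignored and only the fingerprints pinned below are accepted.
$WinScp   = 'C:\Program Files (x86)\WinSCP\winscp.com'   # placeholder: install path
$HostName = 'sftp.example.test'                            # placeholder
$User     = 'svc_transfer'                                 # placeholder
$KeyFile  = 'C:\keys\svc_transfer.ppk'                     # placeholder: private key

# One fingerprint per node behind the load balancer, collected out-of-band.
# WinSCP's -hostkey docs describe separating alternatives with semicolons.
$Fingerprints = @(
    'ssh-ed25519 255 SHA256:PLACEHOLDER_NODE_A_FINGERPRINT'
    'ssh-ed25519 255 SHA256:PLACEHOLDER_NODE_B_FINGERPRINT'
) -join ';'

$ScriptFile = Join-Path $env:TEMP 'winscp-job.txt'
$LogFile    = Join-Path $env:TEMP 'winscp-job.log'

# Build the script file dynamically, as the original poster does.
@"
option batch abort
option confirm off
open sftp://$User@$HostName/ -privatekey="$KeyFile" -hostkey="$Fingerprints"
put C:\outbound\report.csv /inbox/
exit
"@ | Set-Content -Path $ScriptFile -Encoding ASCII

# /ini=nul: no stored configuration, so no cached host key can be consulted.
# /log: the session log records the host key the server actually offered.
& $WinScp /ini=nul /log="$LogFile" /script="$ScriptFile"
$exit = $LASTEXITCODE
Remove-Item $ScriptFile -ErrorAction SilentlyContinue

if ($exit -ne 0) {
    # A server whose key matches none of the pinned fingerprints fails the
    # open, and with "batch abort" the whole script aborts; winscp.com then
    # returns a non-zero exit code the calling job can act on.
    Write-Error "winscp.com failed with exit code $exit; see $LogFile"
}
```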

martin, Site Admin (Posts: 41,469; Location: Prague, Czechia)

Re: winscp.com option "--hostkey" Ignored?

jpantera wrote:

My reason for asking this question is that the server I'm connecting to has a backup server, etc., and I'm not sure I have all the potential SSH handshake keys for all of them (cached or not). If winscp.com /console /script runs into a server it's connecting to, with all of the correct permissions, but with the key not trusted, will it fail, give an error / warning, or ?
It will fail.


jpantera (Posts: 23; Location: Los Angeles, CA)

Re: winscp.com option "--hostkey" Ignored?

martin wrote:

jpantera wrote:

My reason for asking this question is that the server I'm connecting to has a backup server, etc., and I'm not sure I have all the potential SSH handshake keys for all of them (cached or not). If winscp.com /console /script runs into a server it's connecting to, with all of the correct permissions, but with the key not trusted, will it fail, give an error / warning, or ?
It will fail.

Thanks / acknowledged.
