Differences
This shows you the differences between the selected revisions of the page.
| messages 2023-07-26 | messages 2024-10-13 (current) | ||
| Line 6: | Line 6: | ||
| ===== [[host_key]] Continue connecting to an unknown server and add its host key to a cache? ===== | ===== [[host_key]] Continue connecting to an unknown server and add its host key to a cache? ===== | ||
| - | This error message occurs when WinSCP connects to a new [[SSH]] server. Every server identifies itself by means of a host key; once WinSCP knows the host key for a server, it will be able to detect if a malicious attacker redirects your connection to another machine. | + | This message appears when WinSCP connects to a new [[SSH]] server. Every server identifies itself by means of a host key; once WinSCP knows the host key for a server, it will be able to detect if a malicious attacker redirects your connection to another machine. |
| - | &screenshotpict(message_host_key) | + | &screenshotpict(unknown_hostkey) |
| If you see this message, it means that WinSCP has not seen this host key before, and has no way of knowing whether it is correct or not. You should attempt to verify the host key by other means, such as asking the machine's administrator. ((&puttydoccite)) | If you see this message, it means that WinSCP has not seen this host key before, and has no way of knowing whether it is correct or not. You should attempt to verify the host key by other means, such as asking the machine's administrator. ((&puttydoccite)) | ||
| - | Both SHA-256 and MD5 fingerprints of the host key are shown. As both fingerprints are for the same key, it is enough to check only one of them. Checking %%SHA-256%% fingerprint is safer though. | + | If the [[faq_hostkey|host key fingerprint is correct]], press //Accept// (//Yes// in the older versions). &recent The host key will be stored to cache and you will not be prompted the next time. If you are unsure, want to defer a host key verification until later, but still need to connect now (taking a risk), select //Connect Once// in the down-menu of the //Accept// button (//No// button in the older versions). &recent The host key will not be cached and you will be prompted again the next time. If the fingerprint is not correct or if you do not know the correct fingerprint, press //Cancel// to abort connection. |
| - | If the [[faq_hostkey|host key fingerprint is correct]], press //Yes//. The host key will be stored to cache and you will not be prompted the next time. If you are unsure, want to defer a host key verification until later, but still need to connect now (taking a risk), press //No//. The host key will not be cached and you will be prompted again the next time. If the fingerprint is not correct or if you do not know the correct fingerprint, press //Cancel// to abort connection. | + | If you have the correct host key (or its fingerprint) in a digital form, instead of checking the fingerprint manually, you can select //Paste Key// in drop-down menu of //Accept// (//Yes//) &recent button to have WinSCP compare the fingerprint for you, against a fingerprint or a full key stored in the clipboard. The clipboard can contain an %%SHA-256%% or %%MD5%% fingerprint or a full key in ''.pub'' format. |
| - | + | ||
| - | If you have the correct host key (or its fingerprint) in a digital form, instead of checking the fingerprint manually, you can use //Paste Key// button (in drop-down menu of //Yes// button) to have WinSCP compare the fingerprint for you, against a fingerprint or a full key stored in the clipboard. ·The clipboard can contain an %%SHA-256%% or %%MD5%% fingerprint or a full key in ''.pub'' format. | + | |
| - | + | ||
| - | Use //Copy key fingerprints to clipboard// link to copy the fingerprints to clipboard. | + | |
| + | Use //Copy key fingerprints to clipboard// link to copy key fingerprints to clipboard (both in %%SHA-256%% format seen on the message and additionally in %%MD5%% format). | ||
| Read more about [[ssh_verifying_the_host_key|verifying host keys]]. | Read more about [[ssh_verifying_the_host_key|verifying host keys]]. | ||
| Line 26: | Line 23: | ||
| ===== [[security_breach]] Warning -- Potential security breach! ===== | ===== [[security_breach]] Warning -- Potential security breach! ===== | ||
| - | This message, followed by "The server's host key does not match the one WinSCP has in cache", means that WinSCP has connected to the SSH server before, knows what its host key should be, but has found a different one.· | + | This message, followed by //"The server's host key does not match the one WinSCP has in cache"//, means that WinSCP has connected to the SSH server before, knows what its host key should be, but has found a different one. |
| - | This may mean that a malicious attacker has replaced your server with a different one, or has redirected your network connection to their own machine. On the other hand, it may simply mean that the administrator of your server has accidentally changed the key while upgrading the SSH software; this shouldn't happen but it is unfortunately possible. Another legitimate reason for the host key change is that the address, you are connecting to, load balances to a set of SSH servers. If that's the case, use //Add// button to build a list of known host keys, instead of using //Update//. | + | You might also get the message, when you have configured WinSCP to trust a certification authority for signing host keys but the actual host key is signed by a different authority. For this scenario follow [[#certified|further below]]. |
| + | |||
| + | ==== Plain Host key ==== | ||
| + | |||
| + | The message may mean that a malicious attacker has replaced your server with a different one, or has redirected your network connection to their own machine. On the other hand, it may simply mean that the administrator of your server has accidentally changed the key while upgrading the SSH software; this shouldn't happen but it is unfortunately possible. Another legitimate reason for the host key change is that the address, you are connecting to, load balances to a set of SSH servers. If that's the case, select //Add// to build a list of known host keys, instead of using //Update//. | ||
| You should contact your server's administrator and see whether they expect the host key to have changed. If so, verify the new host key in the same way as you would if it was new. ((&puttydoccite)) | You should contact your server's administrator and see whether they expect the host key to have changed. If so, verify the new host key in the same way as you would if it was new. ((&puttydoccite)) | ||
| Read more about [[ssh_verifying_the_host_key|verifying host keys]]. | Read more about [[ssh_verifying_the_host_key|verifying host keys]]. | ||
| + | |||
| + | ==== [[certified]] Certified Host key ==== | ||
| + | |||
| + | If you've configured WinSCP to trust at least one [[ui_pref_security#authorities|certification authority for signing host keys]], then it will ask the SSH server to send it any available certified host keys. If the server sends back a certified key signed by a different certification authority, WinSCP will present this variant of the host key prompt. | ||
| + | |||
| + | One reason why this can happen is a deliberate attack. Just like an ordinary man-in-the-middle attack which substitutes a wrong host key, a particularly ambitious attacker might substitute an entire wrong certification authority, and hope that you connect anyway. | ||
| + | |||
| + | But it's also possible in some situations that this error might arise legitimately. For example, if your organisation's IT department has just rolled out a new CA key which you haven't yet entered in WinSCP's configuration, or if your CA configuration involves two overlapping domains, or something similar. | ||
| + | |||
| + | So, unfortunately, you'll have to work out what to do about it yourself: make an exception for this specific case, or abandon this connection and install a new CA key before trying again (if you're really sure you trust the CA), or edit your configuration in some other way, or just stop trying to use this server. | ||
| + | |||
| + | If you're convinced that this particular server is legitimate even though the CA is not one you trust, WinSCP will let you cache the certified host key, treating it in the same way as an uncertified one. Then that particular certificate will be accepted for future connections to this specific server, even though other certificates signed by the same CA will still be rejected.((&puttydoccite)) | ||
| ===== [[connection_refused]] Network error: Connection to "..." refused ===== | ===== [[connection_refused]] Network error: Connection to "..." refused ===== | ||
| You may get this message when connecting to a server for the following reasons: | You may get this message when connecting to a server for the following reasons: | ||
| + | * The server is down. Please talk to the server or network administrator. | ||
| * You are trying to use WinSCP for a purpose for which it is not designed. [[requirements|WinSCP needs]] an SSH or FTP server to be installed at the other end (on the machine you want to connect to). In particular, you cannot easily use it to connect to another Windows workstation, since Windows does not have an %%SSH%% or %%FTP%% server included by default. Please refer to the guide to [[guide_exchange|exchanging files over Internet]]. | * You are trying to use WinSCP for a purpose for which it is not designed. [[requirements|WinSCP needs]] an SSH or FTP server to be installed at the other end (on the machine you want to connect to). In particular, you cannot easily use it to connect to another Windows workstation, since Windows does not have an %%SSH%% or %%FTP%% server included by default. Please refer to the guide to [[guide_exchange|exchanging files over Internet]]. | ||
| * You are trying to use [[protocols|protocol]] that the server does not support. Particularly you are trying SFTP/SCP (over %%SSH%%), but the server supports %%FTP%%; or vice versa. Check selected protocol on [[ui_login#session_settings|Login dialog]]. Note that WinSCP defaults to %%SFTP%% protocol, while most other similar applications default to %%FTP%%. | * You are trying to use [[protocols|protocol]] that the server does not support. Particularly you are trying SFTP/SCP (over %%SSH%%), but the server supports %%FTP%%; or vice versa. Check selected protocol on [[ui_login#session_settings|Login dialog]]. Note that WinSCP defaults to %%SFTP%% protocol, while most other similar applications default to %%FTP%%. | ||
| * The server is running on a non-standard port. Please make sure you enter actual port number on [[ui_login|Login dialog]]. | * The server is running on a non-standard port. Please make sure you enter actual port number on [[ui_login|Login dialog]]. | ||
| * You may need to connect through a proxy server, but you have not specified one on //[[ui_login_proxy|Proxy page]]// of Advanced Site Settings dialog. | * You may need to connect through a proxy server, but you have not specified one on //[[ui_login_proxy|Proxy page]]// of Advanced Site Settings dialog. | ||
| - | * Connection was blocked by the firewall. Please refer to [[faq_connection_refused|FAQ]]. | + | * Connection was blocked by the firewall. Please refer to [[faq_connection_refused|*]] |
| Line 55: | Line 69: | ||
| ===== [[connection_timed_out]] Network error: Connection to "..." timed out ===== | ===== [[connection_timed_out]] Network error: Connection to "..." timed out ===== | ||
| + | All reasons and hints for [[message_connection_refused|"Network error: Connection refused"]] apply to this error too. | ||
| + | |||
| + | ===== [[connection_pemission_denied]] Network error: Permission denied ===== | ||
| All reasons and hints for [[message_connection_refused|"Network error: Connection refused"]] apply to this error too. | All reasons and hints for [[message_connection_refused|"Network error: Connection refused"]] apply to this error too. | ||
| Line 182: | Line 199: | ||
| To disable the stateful %%FTP%% filtering, in an Administrator command prompt, execute following command: | To disable the stateful %%FTP%% filtering, in an Administrator command prompt, execute following command: | ||
| - | <code> | + | <code batch> |
| - | netsh advfirewall set global StatefulFTP disable | + | netsh advfirewall <nohilite>set</nohilite> global StatefulFTP disable |
| </code> | </code> | ||
| Line 386: | Line 403: | ||
| * There's antivirus (or similar application) that starts inspecting the uploaded file, locking it while doing that, what conflicts with WinSCP attempt to rename the file. | * There's antivirus (or similar application) that starts inspecting the uploaded file, locking it while doing that, what conflicts with WinSCP attempt to rename the file. | ||
| - | To circumvent that, disable [[ui_pref_resume|transfer resume/transfer to temporary filename]]. | + | To circumvent that, disable transfer resume/transfer to temporary filename. |
| + | |||
| + | * In GUI, go to [[ui_pref_resume|//Preferences > Transfer > Endurance//]] and disable [[ui_pref_resume#temporary|//Transfer Resume / Transfer to Temporary Filename//]]. | ||
| + | * In scripting, use [[scriptcommand_put#resumesupport|''-resumesupport=off'' with ''put'' command]] (or other command that triggered the upload). | ||
| + | * In .NET assembly, use ''[[library_transferoptions#resumesupport|TransferOptions.ResumeSupport]]'' property. | ||
| ===== [[preserve_time_perm]] Upload of file .. was successful, but error occurred while setting the permissions and/or timestamp. If the problem persists, turn off setting permissions or preserving timestamp. Alternatively you can turn on 'Ignore permission errors' option. ===== | ===== [[preserve_time_perm]] Upload of file .. was successful, but error occurred while setting the permissions and/or timestamp. If the problem persists, turn off setting permissions or preserving timestamp. Alternatively you can turn on 'Ignore permission errors' option. ===== | ||
| Line 402: | Line 423: | ||
| When using [[scripting]], add [[scriptcommand_put#nopreservetime|''-nopreservetime'' switch]] to [[scriptcommand_put|''put'' command]]. If you are not running scripting with [[scripting#configuration|default isolated configuration]], you may also need to add [[scriptcommand_put#nopermissions|''-nopermissions'' switch]] (what is the default settings). | When using [[scripting]], add [[scriptcommand_put#nopreservetime|''-nopreservetime'' switch]] to [[scriptcommand_put|''put'' command]]. If you are not running scripting with [[scripting#configuration|default isolated configuration]], you may also need to add [[scriptcommand_put#nopermissions|''-nopermissions'' switch]] (what is the default settings). | ||
| - | With [[scriptcommand_synchronize|''synchronize'' command]], this works only when ''[[scriptcommand_synchronize#criteria|-criteria]]'' is ''none'' or ''size'' and it never works in ''both'' mode. | + | With [[scriptcommand_synchronize|''synchronize'' command]], this works only when ''[[scriptcommand_synchronize#criteria|-criteria]]'' lacks ''time'' and it never works in ''both'' mode. |
| ==== [[library]] .NET Assembly ==== | ==== [[library]] .NET Assembly ==== | ||
| Line 426: | Line 447: | ||
| </code> | </code> | ||
| - | With [[library_session_synchronizedirectories|''Session.SynchronizeDirectories'']], this works only when ''criteria'' parameter is ''SynchronizationCriteria.None'' or ''SynchronizationCriteria.Size'' and it never works when ''mode'' parameter is ''SynchronizationMode.Both'' (learn [[library_powershell#enums|enumeration syntax]] in PowerShell). | + | With [[library_session_synchronizedirectories|''Session.SynchronizeDirectories'']], this works only when ''criteria'' parameter lacks ''SynchronizationCriteria.Time'' and it never works when ''mode'' parameter is ''SynchronizationMode.Both'' (learn [[library_powershell#enums|enumeration syntax]] in PowerShell). |
| ==== In Other Languages ==== | ==== In Other Languages ==== | ||
| Line 525: | Line 546: | ||
| Though as with the most of session settings, if you have the site set up in WinSCP GUI, you can have it [[ui_generateurl#code|generate a code template]] for you, including the ''SessionOptions.SshHostKeyFingerprint''. | Though as with the most of session settings, if you have the site set up in WinSCP GUI, you can have it [[ui_generateurl#code|generate a code template]] for you, including the ''SessionOptions.SshHostKeyFingerprint''. | ||
| + | |||
| + | ===== [[method_not_found_eventwaithandle]] Method not found: 'Void System.Threading.EventWaitHandle..ctor(...)' ===== | ||
| + | |||
| + | Full message: | ||
| + | |||
| + | > Method not found: ‘Void System.Threading.EventWaitHandle..ctor(Boolean, System.Threading.EventResetMode, System.String, Boolean ByRef, System.Security.AccessControl.EventWaitHandleSecurity)’ | ||
| + | |||
| + | The exception can be represented as ''MethodInvocationException'' or ''MissingMethodException''. | ||
| + | |||
| + | The exception occurs, when you are trying to use .NET Framework build of the assembly in .NET [Core] code or from PowerShell [Core]. | ||
| + | |||
| + | You need to use .NET Standard build of the assembly, which is located in the ''netstandard2.0'' subfolder of ''WinSCP-X.X.X-Automation.zip'' package. | ||
| + | |||
| + | For details, learn about [[library_install#installing|installing the assembly]]. | ||
| ===== [[key_fingerprint_does_not_match]] SSH host key/TLS host certificate fingerprint "..." does not match pattern "..." ===== | ===== [[key_fingerprint_does_not_match]] SSH host key/TLS host certificate fingerprint "..." does not match pattern "..." ===== | ||
| Line 530: | Line 565: | ||
| You get these errors, when the SSH host key fingerprint provided to [[library_sessionoptions#sshhostkeyfingerprint|''SessionOptions.SshHostKeyFingerprint'']] or TLS host certificate fingerprint provided to [[library_sessionoptions#tlshostcertificatefingerprint|''SessionOptions.TlsHostCertificateFingerprint'']] have a wrong format. | You get these errors, when the SSH host key fingerprint provided to [[library_sessionoptions#sshhostkeyfingerprint|''SessionOptions.SshHostKeyFingerprint'']] or TLS host certificate fingerprint provided to [[library_sessionoptions#tlshostcertificatefingerprint|''SessionOptions.TlsHostCertificateFingerprint'']] have a wrong format. | ||
| - | (In [[library_powershell|PowerShell]], when setting the properties via ''-Property'' switch of [[https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-object|''New-Object'' cmdlet]], the error is disguised as //"The value supplied is not valid, or the property is read-only. Change the value, and then try again."//) | + | (In [[library_powershell|PowerShell]], when setting the properties via ''-Property'' switch of [[https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-object|''New-Object'' cmdlet]], the error is disguised by PowerShell as //"The value supplied is not valid, or the property is read-only. Change the value, and then try again."//) |
| Examples of the correct format of the fingerprints: | Examples of the correct format of the fingerprints: | ||
| Line 541: | Line 576: | ||
| Also make sure you use the same version (ideally the latest) of WinSCP both for obtaining the fingerprint in WinSCP GUI and using the fingerprint in WinSCP .NET assembly. Older versions do not support modern SHA-256 fingerprints. So the fingerprint formats may be incompatible (and less safe). | Also make sure you use the same version (ideally the latest) of WinSCP both for obtaining the fingerprint in WinSCP GUI and using the fingerprint in WinSCP .NET assembly. Older versions do not support modern SHA-256 fingerprints. So the fingerprint formats may be incompatible (and less safe). | ||
| - | A common mistake is to substitute ''SessionOptions.TlsHostCertificateFingerprint'' with ''SessionOptions.SshHostKeyFingerprint'' (or vice versa). The SSH host key is used with SSH-based protocols SFTP and FTP. The TLS host certificate is used with SSL-based protocols FTPS and WebDAVS. | + | A common mistake is to substitute ''SessionOptions.TlsHostCertificateFingerprint'' with ''SessionOptions.SshHostKeyFingerprint'' (or vice versa). The SSH host key is used with SSH-based protocols SFTP and FTP. The TLS host certificate is used with SSL-based protocols FTPS, WebDAVS and S3. |
| ===== [[path_slash_ambiguous]] Selecting files using a path ending with slash is ambiguous. Remove the slash to select the folder. Append * mask to select all files in the folder. ===== | ===== [[path_slash_ambiguous]] Selecting files using a path ending with slash is ambiguous. Remove the slash to select the folder. Append * mask to select all files in the folder. ===== | ||