Differences

messages 2023-10-10 messages 2024-05-14 (current)
Line 12: Line 12:
If you see this message, it means that WinSCP has not seen this host key before, and has no way of knowing whether it is correct or not. You should attempt to verify the host key by other means, such as asking the machine's administrator.  ((&puttydoccite)) If you see this message, it means that WinSCP has not seen this host key before, and has no way of knowing whether it is correct or not. You should attempt to verify the host key by other means, such as asking the machine's administrator.  ((&puttydoccite))
-If the [[faq_hostkey|host key fingerprint is correct]], press //Accept// (//Yes// in the latest stable version). &beta The host key will be stored to cache and you will not be prompted the next time. If you are unsure, want to defer a host key verification until later, but still need to connect now (taking a risk), select //Connect Once// in the down-menu of the //Accept// button (//No// button in the stable version). &beta The host key will not be cached and you will be prompted again the next time. If the fingerprint is not correct or if you do not know the correct fingerprint, press //Cancel// to abort connection.+If the [[faq_hostkey|host key fingerprint is correct]], press //Accept// (//Yes// in the older versions). &recent The host key will be stored to cache and you will not be prompted the next time. If you are unsure, want to defer a host key verification until later, but still need to connect now (taking a risk), select //Connect Once// in the down-menu of the //Accept// button (//No// button in the older versions). &recent The host key will not be cached and you will be prompted again the next time. If the fingerprint is not correct or if you do not know the correct fingerprint, press //Cancel// to abort connection.
-If you have the correct host key (or its fingerprint) in a digital form, instead of checking the fingerprint manually, you can select //Paste Key// in drop-down menu of //Accept// (//Yes//) &beta button to have WinSCP compare the fingerprint for you, against a fingerprint or a full key stored in the clipboard. The clipboard can contain an %%SHA-256%% or %%MD5%% fingerprint or a full key in ''.pub'' format.+If you have the correct host key (or its fingerprint) in a digital form, instead of checking the fingerprint manually, you can select //Paste Key// in drop-down menu of //Accept// (//Yes//) &recent button to have WinSCP compare the fingerprint for you, against a fingerprint or a full key stored in the clipboard. The clipboard can contain an %%SHA-256%% or %%MD5%% fingerprint or a full key in ''.pub'' format.
Use //Copy key fingerprints to clipboard// link to copy key fingerprints to clipboard (both in %%SHA-256%% format seen on the message and additionally in %%MD5%% format). Use //Copy key fingerprints to clipboard// link to copy key fingerprints to clipboard (both in %%SHA-256%% format seen on the message and additionally in %%MD5%% format).
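Review bot: The version qualifier is applied inconsistently between the two reworded paragraphs. The first now reads "//Accept// (//Yes// in the older versions)", while the //Paste Key// paragraph still reads "//Accept// (//Yes//) &recent button" with no qualifier, so a reader cannot tell which label applies to their version. Suggest using the same "(//Yes// in the older versions)" form there. While touching these lines, "in the down-menu of the //Accept// button" should read "drop-down menu", to match the wording of the //Paste Key// paragraph, and the "(taking a risk)" aside for //Connect Once// would be clearer if it said the risk is connecting to a host whose key has not been verified.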
Line 23: Line 23:
===== [[security_breach]] Warning -- Potential security breach! ===== ===== [[security_breach]] Warning -- Potential security breach! =====
-This message, followed by "The server's host key does not match the one WinSCP has in cache", means that WinSCP has connected to the SSH server before, knows what its host key should be, but has found a different one.·+This message, followed by //"The server's host key does not match the one WinSCP has in cache"//, means that WinSCP has connected to the SSH server before, knows what its host key should be, but has found a different one.
-This may mean that a malicious attacker has replaced your server with a different one, or has redirected your network connection to their own machine. On the other hand, it may simply mean that the administrator of your server has accidentally changed the key while upgrading the SSH software; this shouldn't happen but it is unfortunately possible. Another legitimate reason for the host key change is that the address, you are connecting to, load balances to a set of SSH servers. If that's the case, use //Add// button to build a list of known host keys, instead of using //Update//.+You might also get the message, when you have configured WinSCP to trust a certification authority for signing host keys but the actual host key is signed by a different authority. For this scenario follow [[#certified|further below]]. 
 + 
 +==== Plain Host key ==== 
 + 
 +The message may mean that a malicious attacker has replaced your server with a different one, or has redirected your network connection to their own machine. On the other hand, it may simply mean that the administrator of your server has accidentally changed the key while upgrading the SSH software; this shouldn't happen but it is unfortunately possible. Another legitimate reason for the host key change is that the address, you are connecting to, load balances to a set of SSH servers. If that's the case, select //Add// to build a list of known host keys, instead of using //Update//.
You should contact your server's administrator and see whether they expect the host key to have changed. If so, verify the new host key in the same way as you would if it was new. ((&puttydoccite)) You should contact your server's administrator and see whether they expect the host key to have changed. If so, verify the new host key in the same way as you would if it was new. ((&puttydoccite))
Read more about [[ssh_verifying_the_host_key|verifying host keys]]. Read more about [[ssh_verifying_the_host_key|verifying host keys]].
 +
 +==== [[certified]] Certified Host key ====
 +
 +If you've configured WinSCP to trust at least one [[ui_pref_security#authorities|certification authority for signing host keys]], then it will ask the SSH server to send it any available certified host keys. If the server sends back a certified key signed by a different certification authority, WinSCP will present this variant of the host key prompt.
 +
 +One reason why this can happen is a deliberate attack. Just like an ordinary man-in-the-middle attack which substitutes a wrong host key, a particularly ambitious attacker might substitute an entire wrong certification authority, and hope that you connect anyway.
 +
 +But it's also possible in some situations that this error might arise legitimately. For example, if your organisation's IT department has just rolled out a new CA key which you haven't yet entered in WinSCP's configuration, or if your CA configuration involves two overlapping domains, or something similar.
 +
 +So, unfortunately, you'll have to work out what to do about it yourself: make an exception for this specific case, or abandon this connection and install a new CA key before trying again (if you're really sure you trust the CA), or edit your configuration in some other way, or just stop trying to use this server.
 +
 +If you're convinced that this particular server is legitimate even though the CA is not one you trust, WinSCP will let you cache the certified host key, treating it in the same way as an uncertified one. Then that particular certificate will be accepted for future connections to this specific server, even though other certificates signed by the same CA will still be rejected.((&puttydoccite))
===== [[connection_refused]] Network error: Connection to "..." refused ===== ===== [[connection_refused]] Network error: Connection to "..." refused =====
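Review bot: The last paragraph of the new "Certified Host key" section tells the reader that WinSCP will cache the certified key if they are "convinced that this particular server is legitimate", but unlike the "Plain Host key" section it never tells them to verify the key out of band first and does not link to [[ssh_verifying_the_host_key|verifying host keys]]. Since the preceding paragraph describes this prompt as a possible man-in-the-middle attack, suggest adding the same "contact your server's administrator ... verify the new host key" instruction and link before the caching sentence. The paragraph also does not name the button that performs the caching, whereas the plain section names //Add// and //Update//. Minor: the two new headings capitalize "Host key" inconsistently with the rest of the page, and "For this scenario follow [[#certified|further below]]" reads better as "For this scenario, see [[#certified|further below]]".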
Line 179: Line 195:
To disable the stateful %%FTP%% filtering, in an Administrator command prompt, execute following command: To disable the stateful %%FTP%% filtering, in an Administrator command prompt, execute following command:
-<code> +<code batch
-netsh advfirewall set global StatefulFTP disable+netsh advfirewall <nohilite>set</nohilite> global StatefulFTP disable
</code> </code>
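Review bot: The new opening tag appears as "<code batch" with no closing ">" in this diff view; please confirm the saved revision has a well-formed "<code batch>" so the block renders and the <nohilite> markup around "set" is not shown literally. Separately, the introductory sentence could say that "set global" changes the setting for the whole machine, not just for WinSCP, and mention how to restore the previous setting after troubleshooting.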
Line 383: Line 399:
  * There's antivirus (or similar application) that starts inspecting the uploaded file, locking it while doing that, what conflicts with WinSCP attempt to rename the file.   * There's antivirus (or similar application) that starts inspecting the uploaded file, locking it while doing that, what conflicts with WinSCP attempt to rename the file.
-To circumvent that, disable [[ui_pref_resume|transfer resume/transfer to temporary filename]].+To circumvent that, disable transfer resume/transfer to temporary filename. 
 + 
 +  * In GUI, go to [[ui_pref_resume|//Preferences > Transfer > Endurance//]] and disable [[ui_pref_resume#temporary|//Transfer Resume / Transfer to Temporary Filename//]]
 +  * In scripting, use [[scriptcommand_put#resumesupport|''-resumesupport=off'' with ''put'' command]] (or other command that triggered the upload). 
 +  * In .NET assembly, use ''[[library_transferoptions#resumesupport|TransferOptions.ResumeSupport]]'' property.
===== [[preserve_time_perm]] Upload of file .. was successful, but error occurred while setting the permissions and/or timestamp. If the problem persists, turn off setting permissions or preserving timestamp. Alternatively you can turn on 'Ignore permission errors' option. ===== ===== [[preserve_time_perm]] Upload of file .. was successful, but error occurred while setting the permissions and/or timestamp. If the problem persists, turn off setting permissions or preserving timestamp. Alternatively you can turn on 'Ignore permission errors' option. =====
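Review bot: The .NET assembly bullet names the ''TransferOptions.ResumeSupport'' property but not the value to set, while the scripting bullet gives the exact switch (''-resumesupport=off''). Suggest stating the value that turns resume support off so that all three bullets are equally actionable. Also, the GUI bullet has no closing period while the other two do, and the lead-in "To circumvent that, disable transfer resume/transfer to temporary filename." would introduce the list more naturally if it ended in a colon.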
Line 399: Line 419:
When using [[scripting]], add [[scriptcommand_put#nopreservetime|''-nopreservetime'' switch]] to [[scriptcommand_put|''put'' command]]. If you are not running scripting with [[scripting#configuration|default isolated configuration]], you may also need to add [[scriptcommand_put#nopermissions|''-nopermissions'' switch]] (what is the default settings). When using [[scripting]], add [[scriptcommand_put#nopreservetime|''-nopreservetime'' switch]] to [[scriptcommand_put|''put'' command]]. If you are not running scripting with [[scripting#configuration|default isolated configuration]], you may also need to add [[scriptcommand_put#nopermissions|''-nopermissions'' switch]] (what is the default settings).
-With [[scriptcommand_synchronize|''synchronize'' command]], this works only when ''[[scriptcommand_synchronize#criteria|-criteria]]'' is ''none'' or ''size'' and it never works in ''both'' mode.+With [[scriptcommand_synchronize|''synchronize'' command]], this works only when ''[[scriptcommand_synchronize#criteria|-criteria]]'' lacks ''time'' and it never works in ''both'' mode.
==== [[library]] .NET Assembly ==== ==== [[library]] .NET Assembly ====
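Review bot: "''-criteria'' lacks ''time''" is terse and easy to misread. The old wording listed the accepted values (''none'' or ''size''), while the new one assumes the reader already knows that several criteria can be combined. Suggest "only when ''-criteria'' does not include ''time''", with a short example of a combination that qualifies. The same applies to the matching ''Session.SynchronizeDirectories'' sentence in the .NET Assembly section, which now says the ''criteria'' parameter "lacks ''SynchronizationCriteria.Time''".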
Line 423: Line 443:
</code> </code>
-With [[library_session_synchronizedirectories|''Session.SynchronizeDirectories'']], this works only when ''criteria'' parameter is ''SynchronizationCriteria.None'' or ''SynchronizationCriteria.Size'' and it never works when ''mode'' parameter is ''SynchronizationMode.Both'' (learn [[library_powershell#enums|enumeration syntax]] in PowerShell).+With [[library_session_synchronizedirectories|''Session.SynchronizeDirectories'']], this works only when ''criteria'' parameter lacks ''SynchronizationCriteria.Time'' and it never works when ''mode'' parameter is ''SynchronizationMode.Both'' (learn [[library_powershell#enums|enumeration syntax]] in PowerShell).
==== In Other Languages ==== ==== In Other Languages ====
Line 522: Line 542:
Though as with the most of session settings, if you have the site set up in WinSCP GUI, you can have it [[ui_generateurl#code|generate a code template]] for you, including the ''SessionOptions.SshHostKeyFingerprint''. Though as with the most of session settings, if you have the site set up in WinSCP GUI, you can have it [[ui_generateurl#code|generate a code template]] for you, including the ''SessionOptions.SshHostKeyFingerprint''.
 +
 +===== [[method_not_found_eventwaithandle]] Method not found: 'Void System.Threading.EventWaitHandle..ctor(...)' =====
 +
 +Full message:
 +
 +> Method not found: ‘Void System.Threading.EventWaitHandle..ctor(Boolean, System.Threading.EventResetMode, System.String, Boolean ByRef, System.Security.AccessControl.EventWaitHandleSecurity)’
 +
 +The exception can be represented as ''MethodInvocationException'' or ''MissingMethodException''.
 +
 +The exception occurs, when you are trying to use .NET Framework build of the assembly in .NET [Core] code or from PowerShell [Core].
 +
 +You need to use .NET Standard build of the assembly, which is located in the ''netstandard2.0'' subfolder of ''WinSCP-X.X.X-Automation.zip'' package.
 +
 +For details, learn about [[library_install#installing|installing the assembly]].
===== [[key_fingerprint_does_not_match]] SSH host key/TLS host certificate fingerprint "..." does not match pattern "..." ===== ===== [[key_fingerprint_does_not_match]] SSH host key/TLS host certificate fingerprint "..." does not match pattern "..." =====
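Review bot: The quoted "Full message" uses typographic quotes (‘Void ... EventWaitHandleSecurity)’), while the section heading uses straight apostrophes ('Void ...'). Users who paste the exception text from a console or log into a search will not match the curly-quoted form, so the quoted message should use straight apostrophes like the heading. Wording nits: "can be represented as" reads better as "can surface as", and "The exception occurs, when you are trying" does not need the comma.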

Last modified: by martin