Forum » Support and Bug Reports »

Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

TalaatHarb

explanation and a solution - sort of.

Hi Martin,

I'll try to explain better.
A friend who is a lot smarter than me gave me a hint what is not working and then I found out at least a partial "solution".

Answer #1
When I connect to the jumphost, a key is added to pageant.
This is the key that allows me to ssh to remote servers. So it is working there.
It is also used when I connect via WinSCP.

Note: I realize now, that on every new session to the jumphost I have to enter my password.
For connection to the jumphost no key is used...I have to check why.

Answer #2
Yes, I do not enter a password. But as I realized now, a password is somewhere requested.
But I am not prompted, because plink, called by PuTTY, does not know how to ask me.
In the verbose output I see some password is sent.

Answer #3:
The behaviour with direct plink call is that the verbose output is the same, i.e. the keys are tried but none is accepted.
The difference is, that plink interactively called, requests my password for the jumphost and the connection is established


Answer #4:

I thought the password in PuTTYs proxy settings is the one being used.




Partial Solution:
After I go the hint to check where the password is requested I came across plink option "-pw %pass ".
With this option in the local proxy command and the password in the password field the connection through the proxy works.



Hooray!

I do not like to enter the password in the proxy settings, I would like to get key authentication working.
But now, at least, I have something that works.

Thank you for your help,
regards
martin

Re: ...damn

Sorry I'm lost.

after adding "-v" to the plink I see that the server refuses my key.
What key? Does that key work anywhere?

...and the authentication with password is not working.

What password? I do not see you specify password anywhere.

If call plink from the comand line, behaviour is the same

Same as what?

The PuTTY connection does not prompt for the password; I assume the one in the settings is used

What settings? PuTTY does not have any setting for a password. What does the event log say about the authentication?
TalaatHarb

...damn

Hi,

after adding "-v" to the plink I see that the server refuses my key. 

Starting local proxy command: plink -v -agent -ssh -A user@10.26.238.34 -P 22 -nc 10.82.126.13:22

proxy: Looking up host "10.26.238.34" for SSH connection

proxy: Connecting to 10.26.238.34 port 22

proxy: We claim version: SSH-2.0-PuTTY_Release_0.73

proxy: Remote version: SSH-2.0-OpenSSH_5.3

proxy: We believe remote version has SSH-2 channel request bug

proxy: Using SSH protocol version 2

proxy: No GSSAPI security context available

proxy: Doing Diffie-Hellman group exchange

proxy: Doing Diffie-Hellman key exchange using 4096-bit modulus and hash SHA-256 (unaccelerated) with a server-supplied group

proxy: Host key fingerprint is:

proxy: ssh-rsa 2048 7b:b3:4b:52:23:b0:5b:ff:97:94:b4:17:cb:d0:0a:04

proxy: Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption

proxy: Initialised HMAC-SHA-256 (unaccelerated) outbound MAC algorithm

proxy: Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption

proxy: Initialised HMAC-SHA-256 (unaccelerated) inbound MAC algorithm

proxy: Pageant is running. Requesting keys.

proxy: Pageant has 1 SSH-2 keys

proxy: Using username "user".

proxy: Trying Pageant key #0

proxy: Server refused our key

proxy: Sent password

proxy: Password authentication failed

proxy: Access denied


...and the authentication with password is not working.

If call plink from the comand line, behaviour is the same: the password is requested and accepted: 
Sent password

Access granted

Access granted. Press Return to begin session.

Opening connection to 10.82.126.13:22 for main channel

Opened main channel

SSH-2.0-OpenSSH_7.4

[/code]


The PuTTY connection does not prompt for the password; I assume the one in the settings is used. I do not understand, why the password authentication fails.
If I duplicate the session to the jumphost (which I established in first place to get the key), I am always prompted for the password.

The plink call accecpts the password...

Now I am clueless, where to look to get this working.

Thank you very much for your help so far...If you have an idea, please let me know.



...and of course the connection to the destination server via WinSCP tunnel feature works w/o problems. Magic...


Regards
martin

Re: answer

Once you have connected once to jump box, and confirmed the host key, PuTTY should have cached it.
Now, if you use the local proxy command, it should not fail anymore due to the unverified host key.
TalaatHarb

Re: answer

martin wrote:

does the tunnel work or not?


sorry, I don't understand...
The ssh connection to the jumphost is established, I am logged on into the jumphost.
Windows netstat shows me the connection established.

If I understand it correctly, with the above command only the connection to the jumphost is estabished. How should I open the tunnel? Via command line ("-nc") or via another PuTTY session?

Using the settings posted as above as screen shots I get 
proxy: Access denied"


regards
martin

Re: answer

at first execution of plink I get:

...

...and then I am prompted for the password and can login.

OK, and once you have done that, does the tunnel work or not?
Guest

answer

Hi,

at first execution of plink I get: 

$ plink.exe a138949@10.26.238.34

The server's host key is not cached in the registry. You

have no guarantee that the server is the computer you

think it is.

The server's rsa2 key fingerprint is:

ssh-rsa 2048 7b:b3:4b:52:23:b0:5b:ff:97:94:b4:17:cb:d0:0a:04

If you trust this host, enter "y" to add the key to

PuTTY's cache and carry on connecting.

If you want to carry on connecting just once, without

adding the key to the cache, enter "n".

If you do not trust this host, press Return to abandon the

connection.

Store key in cache? (y/n) y


...and then I am prompted for the password and can login.
martin

Re: more info

If you run this:
plink.exe user@10.26.238.34
Do you get the host key prompt or not?
TalaatHarb

more info

Hi,

I use putty puttycac-64bit-0.73.zip from https://github.com/NoMoreFood/putty-cac/releases
Currently I connect to the jumphost. On the first connect a key is added to pageant.
From the jumphost I connect to the destination 
ssh -A -o StrictHostKeyChecking=no -o ServerAliveInterval=180 -o ServerAliveCountMax=3 user@host



Because I have many hosts behind the jumphost I'd prefer to create sessions in putty that automagically use the jumphost.....
Thank you for helping



So far I tried:


my session is shown in attachment s1.
A connecton should be opened to the destination machine which is behind a jumphost.

the proxy settings are shown in s2.
For proxyhost name i have entered the ip of the jumphost.
The proxy command is 
plink.exe %user@%proxyhost -P %proxyport  -nc %host:%port


When I open the connection, the output in the session window is: 
Starting local proxy command: plink.exe user@10.26.238.34 -P 22  -nc 10.82.126.13:22

proxy: The server's host key is not cached in the registry. You

proxy: have no guarantee that the server is the computer you

proxy: think it is.

proxy: The server's rsa2 key fingerprint is:

proxy: ssh-rsa 2048 7b:b3:4b:52:23:b0:5b:ff:97:94:b4:17:cb:d0:0a:04

proxy: If you trust this host, enter "y" to add the key to

proxy: PuTTY's cache and carry on connecting.

proxy: If you want to carry on connecting just once, without

proxy: adding the key to the cache, enter "n".

proxy: If you do not trust this host, press Return to abandon the

proxy: connection.


The same output is written to putty.log


I am not asked for my password on the jumphost.
Why do I get the warning about the serers host key?
martin

Re: tried, but

TalaatHarb wrote:

I tried using the example for puttys proxy setting w/o success

We will need more information about that.

so I tried to get the connection running with plink: 


$ plink.exe -ssh -agent -A user@jumphost -P 22 -nc  server:22

user@jumphost password:

Access granted. Press Return to begin session.

SSH-2.0-OpenSSH_7.4


and I never reach the destination server.

That's actually the expected behaviour. You cannot interactively use Plink executed with -nc. That can only be used by other applications.
TalaatHarb

tried, but

Hi,

thanks for the reply. I have the feeling I am pretty close to a solution...

I tried using the example for puttys proxy setting w/o success, so I tried to get the connection running with plink: 


$ plink.exe -ssh -agent -A user@jumphost -P 22 -nc  server:22

user@jumphost password:

Access granted. Press Return to begin session.

SSH-2.0-OpenSSH_7.4


and I never reach the destination server.
The authentication on the server is done by a key that is forwarded from the jumphost.

Using putty I am not prompted for the password on the jumphost and after replying to 

proxy: If you trust this host, enter "y" to add the key to

proxy: PuTTY's cache and carry on connecting.

proxy: If you want to carry on connecting just once, without

proxy: adding the key to the cache, enter "n".

proxy: If you do not trust this host, press Return to abandon the

proxy: connection.


with 'n' or 'y' nothing happens.

Can you please give me further advice.
Regards
TalaatHarb

connect via tunnel to a server: how does it work?

Hello,

around April 2018 I learned about the feature in advanced setting to connect through another host to my destination host via advanced settings: "Environment: SCP/Shell" and "Connection: Tunnel"
Together with "Integration: Applications" "Automatically open a new sessions in PuTTY"
this is the best thing i encountered since a long time :-) and use it regularly.

But, not always I do want to open a WinSCP session, instead just the remote shell via a tunnel.
Does someone know how I can achieve this with PuTTY (preferred) or maybe another tool? I guess the magic behind WinSCPs tunneling feature is done by ssh...

Any help appreciated, regards

Documentation

Support

Associations

Follow Us