Host key wasn't verified

Advertisement

kuku17
Joined:
Posts:
3

Host key wasn't verified

Hello,
We are using WinSCP v5.5.6.
One of our clients is moving from FTP to SFTP and for that they have generated a new RSA key pair.
When trying to connect to said client's SFTP server via WinSCP's GUI (or FileZilla) using the new Private Key, the connection is established successfully, however when connecting via .NET the program throws an error stating "Host key wasn't verified!" and the inner exception is "The server's rsa2 key fingerprint is: ssh-rsa 2048 xx:xx:...".
The fingerprint that we are sending is "ssh-rsa 1024 xx:xx:...".

The old keys before were indeed in size 2k, but the newly generated keys are in 1k, so why does WinSCP still think we are sending the old fingerprint? Does it store the old fingerprint somewhere in its cache or registry? and if so, how can we remove them? We tried using the Clean-Up option in the GUI but that did not help.
This is our batch:
try {
  string sFile = ConfigurationManager.AppSettings["sFile"];
  string sFolder = ConfigurationManager.AppSettings["sFolder"];
  string sftpHostName = ConfigurationManager.AppSettings["sftpHostName"];
  string sPort = ConfigurationManager.AppSettings["sPort"];
  string sUserName = ConfigurationManager.AppSettings["sUserName"];
  string sPassword = ConfigurationManager.AppSettings["sPassword"];
  string HostKeyFingerprint = ConfigurationManager.AppSettings["HostKeyFingerprint"];
  string sessionLogPath = ConfigurationManager.AppSettings["sessionLogPath"];
  string sshPrivateKeyPath = ConfigurationManager.AppSettings["sshPrivateKeyPath"];
 
  SessionOptions sessionOptions = new SessionOptions();
  sessionOptions.Protocol = Protocol.Sftp;
  sessionOptions.FtpMode = FtpMode.Passive;
  sessionOptions.HostName = sftpHostName;
  sessionOptions.UserName = sUserName;
  //  sessionOptions.Password = sPassword;
  sessionOptions.SshHostKeyFingerprint = HostKeyFingerprint;
  sessionOptions.SshPrivateKeyPath = sshPrivateKeyPath;
  sessionOptions.PortNumber = int.Parse(sPort);
 
  using (Session session = new Session())
  {
      session.SessionLogPath = sessionLogPath + "\\log.txt";
      Console.WriteLine("Starting Session...");
 
      session.Open(sessionOptions);
 
      Console.WriteLine("Session Opened");
 
      // Upload files
      TransferOptions transferOptions = new TransferOptions();
      transferOptions.TransferMode = TransferMode.Binary;
      Console.WriteLine("Putting Files in remote folder started");
      TransferOperationResult transferResult = session.PutFiles(sFile, sFolder, false, transferOptions);
      transferResult.Check();
 
      Console.WriteLine("Putting Files in remote folder ended");
      // Print results
      foreach (TransferEventArgs transfer in transferResult.Transfers)
      {
          Console.WriteLine(string.Format("Upload of {0} in secure ftp to {1} folder:{2} succeeded", transfer.FileName, sftpHostName, sFolder));
      }
      Console.ReadKey();
  }
}
catch (Exception e)
{
   Console.WriteLine("Exception occurred: " + e.Message);
   Console.WriteLine("Inner Exception: " + e.InnerException?.Message);
   Console.ReadKey();
}

As you can see we are not using the password but instead we are supplying the Private Key path.
So how is it possible that when we use the GUI to connect (username & PK path) it works fine, yet when we use the assembly, using the exact same username & PK path, it throws an error? Because of that , we cannot determine if the error is on our end, or on our client's.

P.S. Since we are using the old WinSCP version we are using the fingerprint as MD5 , not as SHA256. Also , the newly generated pair was generated with the old version of PuTTyGen (PPK 2), since PPK 3 would result in "putty key format too new" error message.

Thank you

Reply with quote

Advertisement

kuku17
Joined:
Posts:
3

Thank you Martin for your answer.
With your permission I'd like to clarify a few things, just to make sure I understand it all.

The new key pair our IT guy has generated on our local machine is the User key pair, yes? We need to store the User private key on our local machine and send its public key to the remote server, correct?

The remote server needs to also generate a Host key pair, keep its private key on its local machine and send us its public key, right? We then need to connect to the remote server using the username (without a password) , our User private key path and the fingerprint of the Host public key.

Did I understand all of this correctly?

Also, are generated key pairs machine-bound? For example, if our IT guy has generated a key pair on one local server , is it safe to move them to another local server?

Thank you again.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,454
Location:
Prague, Czechia

kuku17 wrote:

The new key pair our IT guy has generated on our local machine is the User key pair, yes?
I assume so. But I cannot know that.

The remote server needs to also generate a Host key pair, keep its private key on its local machine and send us its public key, right? We then need to connect to the remote server using the username (without a password) , our User private key path and the fingerprint of the Host public key.
Yes.

Also, are generated key pairs machine-bound? For example, if our IT guy has generated a key pair on one local server , is it safe to move them to another local server?
If by local server, you mean the local machine, where you connect from, and by key you mean the user authentication key, then yes.

Reply with quote

Advertisement

You can post new topics in this forum