Automation of SFTP script when key has passphrase


jamescollett
Posts: 11
Location: UK

Automation of SFTP script when key has passphrase

My objective is to call some SFTP scripts from SSIS packages, but so far I am experimenting with just running a script from a DOS command window. My example does a simple put from my Windows XP Pro workstation (with WinSCP installed) to another Windows XP workstation with OpenSSH installed.

I am using RSA private/public key encryption.

When I set up the keys, I entered a passphrase, because I understand that this is good practice.

However, when I run the script, the SFTP program prompts for the passphrase to complete the authorisation. I see no way to include the passphrase in a flag in the open command. This makes the process non-automated because it requires user interaction.

Additionally, sometimes I find that I must execute the script *twice* in order for the little text file to be copied from my PC to the remote PC. This seems wrong.

I should be grateful for assistance.


jamescollett
Posts: 11
Location: UK

automation of SFTP script when key has passphrase - answer?

I found the following page in the FAQ collection, entitled, "How can I connect without entering private key passphrase each time?"
https://winscp.net/eng/docs/faq_passphrase

If I understand this FAQ entry correctly, it would appear that what I was trying to do will not work with WinSCP; so the answer is to work without a passphrase or to use a different SSH FTP client.

Is this correct?


lsager
Posts: 5
Location: Austin, TX

automation of SFTP script when key has passphrase

I am also curious about the automatic sending of files. I had a similar experience where I scheduled a task using WinSCP but the process was definitely not automatic because I had to enter my password every time the task ran. Is there a way to send the password? Would using a batch command allow me to send the password? I am not too worried about security in my instance. I read what was posted by the others and I am led to believe it cannot be done with WinSCP. I am trying the public/private key approach but cannot seem to get it to work yet.

Please let me know your thoughts and ideas.

Thank you in advance for your help.


lsager
Posts: 5
Location: Austin, TX

automation of SFTP script when key has passphrase

In the article "How can I connect without entering private key passphrase each time?" I saw the following:

> The best solution is to use authentication agent, so that you enter the passphrase only once.
> If you need to avoid entering the passphrase to automate a task (such as with scripting) and using authentication agent is not suitable for you, you can store the key unprotected (without a passphrase). Note that this imposes security risk, if someone gains access to the key.

How do I store the key unprotected?

Thanks for your help.


jamescollett
Posts: 11
Location: UK

working now

@martin, thank you for clarifying the situation for me. I have got this working quite well now.

lsager asked: "How do I store the key unprotected?"

When you create a private key, you can add extra security into the mix by defining a passphrase (this is not the password of a user). This passphrase must be supplied by the user when you make a connexion to the SSH server (unless you use the authentication agent thing - which I have no experience of).

This means that if you want to build an unattended solution using WinSCP you cannot also have a passphrase built into your private key; if you do, you will have to physically enter it interactively. So I simply accepted the reduced level of security and left the passphrase out of the process of generating the key pair.

I hope this helps.

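An added example, not part of the original thread and not WinSCP's own code: because the posts above settle on a key stored without a passphrase for unattended runs, an administrator may want to inventory which key files are in that state. The sketch reads the cleartext headers of PuTTY .ppk, PEM and OpenSSH private key files; the function names and the sample data are constructed for illustration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # start of the decoded OpenSSH key blob

def key_protection(text):
    """Return 'encrypted', 'unprotected' or 'unknown' for a private key file's text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    first = lines[0] if lines else ""
    if first.startswith("PuTTY-User-Key-File-"):  # .ppk: a header line names the cipher
        for ln in lines[1:]:
            if ln.startswith("Encryption:"):
                cipher = ln.split(":", 1)[1].strip()
                return "unprotected" if cipher == "none" else "encrypted"
        return "unknown"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return "encrypted"
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Decoded layout: magic, then a length-prefixed cipher name.
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body)
            (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        except (ValueError, struct.error):
            return "unknown"
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        if not blob.startswith(MAGIC) or len(cipher) != n:
            return "unknown"
        return "unprotected" if cipher == b"none" else "encrypted"
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        # Traditional PEM marks encryption with a Proc-Type header.
        enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:4])
        return "encrypted" if enc else "unprotected"
    return "unknown"

def unprotected_keys(files):
    """Names of the key files (name -> text) that are stored without a passphrase."""
    return sorted(n for n, t in files.items() if key_protection(t) == "unprotected")

def openssh_sample(cipher):  # constructed header only, no key material
    blob = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{blob}\n-----END OPENSSH PRIVATE KEY-----"

# Constructed samples: headers only, not real keys.
SAMPLES = {
    "batch.ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: constructed",
    "admin.ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\nComment: constructed",
    "id_a": openssh_sample(b"none"),
    "old.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00",
}
```

To audit real files, read each candidate as text and pass a name-to-content mapping to `unprotected_keys`; anything reported there is usable by whoever can read the file.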

lsager
Posts: 5
Location: Austin, TX

automation of SFTP script when key has passphrase

Thank you so much for responding so quickly.
I think I did what you suggested in your reply. I left the passphrase out when generating the key.

I think my additional difficulty may be in where to put the public key on the server. My sftp server is windows. I do not have a .ssh directory nor can I create one.

What exactly do I have to do to put the public key out on the sftp server? I thought I just copied and pasted the key into the authenticate_keys file but I am unclear on the process.

Do I have to be running Pageant for this to work?

Please give me as many details as you can. I really appreciate your help.

Thanks.


jamescollett
Posts: 11
Location: UK

My dev & test platform is also a Windows environment. I was unable to get a version of SSH for Windows to instal on Windows Server 2003, which was my preferred method, and I have since found out that there are issues with Windows Server 2003, so I ended up using two Windows XP boxes for my development. One acts as the SSH server and one is the client running SFTP/WinSCP.

You have to instal OpenSSH or some other implementation of SSH for Windows on the machine that is to act as the SSH server.

I also could not create a folder called .ssh but I was able to create a folder called SSH within the home folder of the user I used, i.e. C:\Documents and Settings\UserOne\SSH. Inside the SSH folder I put the public key file, called authorized_keys if I remember correctly. This file contains one or more public keys. You should keep your private key file(s) on your client machines.

You have to do a bunch of setup steps with SSH to include users that can be accessed by your client piece. You end up creating a groups file and a password file. The users that you add must correspond to users on the machine or users on the domain. Setting up SSH is a subject in itself and I did the bare minimum, just to get a test scenario running, since in production the SSH part is not my responsibility.

I do not run pageant in my solution so I cannot comment on its use.


lsager
Posts: 5
Location: Austin, TX

automation of SFTP script when key has passphrase

An odd thing occurred today.
I got the automatic transfer to work without using private and public keys.
What was causing my particular problem was the following line of my script.
Open LauraTest@74.201.223.163
LauraTest is the session I created in WinSCP.
When I took out the @74.201.555.689 from the open statement, it no longer asked me for a password. I have the password saved in my session, LauraTest. I think it may have to do with the host key expecting just LauraTest and not finding a match on LauraTest@74.201.555.689.

Now, when I run my scheduled task, it runs perfectly without any requests for password.

Case closed. Thanks for your help.


nickg
Guest

passwordless dos batch script

@lsager, when you say you have your password saved in your session LauraTest, do you mean an .ini file? I am trying what you suggested but it is not working for me. When I put the actual password in my .ini file, it appears to connect but says "access denied. authentication failed."


danis
Posts: 8

Hi @martin,
me personally – no!
But my company said, maybe they want to use passphrases for the Private Keys in future.
And then my script is not useful anymore :(


Cabritone
Guest

Yeah,
I need to use passphrases for the Private Keys, and it would be great if WinSCP supported that!!
Meanwhile I have to use a different client :( and change all my scripts!


Ganeshgopu
Guest

Scripting for Passphrase

Hi @martin,

From the post I could understand that you're working on a script to include the passphrase (a fully automated script).

Could you please update us on when we will be able to get the latest fully automated script?

Thanks in advance.


Jam3
Guest

martin wrote:

> As stated in the FAQ below, I do not see a benefit of that. Do you see any?
> https://winscp.net/eng/docs/faq_passphrase

I just wanted to point out that the benefit is that you can store the passphrase inside a SSIS variable and msdb configuration table which can be encrypted. This means pageant doesn't have to be up and running the entire time on a server invoking a SSIS package using pscp/winscp and a private key with passphrase. Another option would be to add a switch to pageant for the passphrase, this would be an extra step in a SSIS package, but would also allow for pageant to not always be running (giving anyone with server access key access) and for the passphrase to be stored/protected in a SSIS package.


ItsMeDattu
Guest

Re: automation of SFTP script when key has passphrase - answer?

There is a way to connect to SFTP which has a key and passphrase. We can create a session in WinSCP and we can use the session name to connect to that SFTP. Please find the syntax below.
open <session name created in winscp>
It won't ask for the passphrase if you save the passphrase for the same.


moises
Guest

automation of SFTP script when key has passphrase

Hello,

I found a solution and I hope it will be helpful.

In the Process Task that executes WinSCP.com you can send the passphrase with the property "StandardInputVariable".


Fadi
Guest

Re: automation of SFTP script when key has passphrase

@moises: can you please explain this option more. I am in need to automate with passphrase for my key and running out of options. I really hope this option is added.
Fadi


Speedster
Guest

Where is passphrase field/option on WinSCP Login screen

Hi – I just updated WinSCP from something like 5.1 to 5.5 and can no longer locate where to tell the program to use a passphrase instead of a password. Where can I tell WinSCP to please check a passphrase before logging in? I don't see a field before clicking login, nor in the advanced options. Is this option to use a passphrase for a key really gone?
Thanks!


techmd
Guest

Re: Where is passphrase field/option on WinSCP Login screen

@Speedster: It's a bit convoluted in this version mainly because it seems that WinSCP would prefer people to use Pageant to hold the information. To bypass the password as well as the Pageant defaults, on the login screen click Advanced, then Authentication (under SSH), unclick the Pageant option and also pull up the private key file. Could anyone explain what are the pos/neg of having Pageant remember the private key file instead?


martin
Site Admin
Posts: 41,596
Location: Prague, Czechia

Re: Where is passphrase field/option on WinSCP Login screen

techmd wrote:

> It's a bit convoluted in this version mainly because it seems that WinSCP would prefer people to use Pageant to hold the information.

Why do you think so?

> To bypass the password as well as the Pageant defaults, on the login screen click Advanced, then Authentication (under SSH), unclick the Pageant option and also pull up the private key file. Could anyone explain what are the pos/neg of having Pageant remember the private key file instead?

See https://winscp.net/eng/docs/ui_pageant#security_considerations
