Using Public Keys on many remote PCs

I am trying to write a batch script using WinSCP to transfer files via SFTP. I have about 50 remote PCs that act as a server for an inside network at offsite locations. Each of these servers can have anywhere from 1 to 8 clients on it. These clients run schtasks overnight, one of which is a batch file that gets and puts several different files to/from the Server. Currently, they use FTP. I now need to re-write the FTP part of the batch file to use SFTP instead. These are Windows 7 Clients, but the Servers are Linux PCs. This is my first time attempting to use WinSCP. I installed it on my own test PC. I created a .dat file in the batch script similar to below -

rem Build the WinSCP script file; the open URL still needs the server host part (user:password@host)
echo open sftp://username:password > C:\temp\temp.dat
echo cd /cygdrive/c/pathToUse >> C:\temp\temp.dat
echo put %USERDOMAIN%.ftp >> C:\temp\temp.dat
echo put File1.txt File1.ftp >> C:\temp\temp.dat
echo get File2.txt >> C:\temp\temp.dat
echo get File3.txt >> C:\temp\temp.dat
echo quit >> C:\temp\temp.dat
echo exit >> C:\temp\temp.dat

I have a test Server/Client setup at my desk, so I tested using WinSCP for the first time to see whether it would connect by using the command - /script=ftpcmd.dat

And at first it said I needed a hostkey and WinSCP actually gave me the hostkey in the results. So I added the -hostkey "sshxxxxxxxxxx" switch at the end of first line in the .dat file and tried again to see if it would connect. It got further than before - no longer asking for the hostkey, but the results I got included:

"Server offered these authentication methods: publickey, gssapi-keyex,gssapi-with-mic"

Two questions: Since I won't know the hostkey on these 50 remote servers, how can I write the script to connect not knowing the hostkey?

If I am able to generate a hostkey for the initial SFTP connection, how do I authenticate with either publickey, gssapi-keyex, gssapi-with-mic?

And please be kind as this is my first time using WinSCP and trying to understand keygen and hostkey/publickey authentication.

I did find I can generate a public key if I use the command:
ssh-keygen -y -f ssh_host_rsa_key

in the correct directory. But I'm not sure how to utilize that within my batch script or WinSCP.


Re: Using Public Keys on many remote PCs

martin wrote:

First, make sure you understand all the keys involved in SSH:

For host key, see:

If you want to setup a public key authentication, see:

I'm still not quite following, maybe because the WinSCP pages don't show a lot of examples of coding.

So now I've got a hostkey for the server - but I got that hostkey in the reply when I tried to manually run my .dat file with WinSCP. That's the only reason I got that hostkey. So I changed my .dat file so that it now contains:

rem Overwrite (not append to) the script file so a stale copy is never reused
echo open sftp://username:password@pos%STORE% -hostkey="ssh-xxxxxxxxxxxxx" >ftpcmd.dat
echo cd /cygdrive/c/path >>ftpcmd.dat
echo put commands >>ftpcmd.dat
echo get commands >>ftpcmd.dat
echo exit >>ftpcmd.dat
rem Run the generated script with the WinSCP console interface
winscp.com /script=ftpcmd.dat

And I can generate a key pair with

ssh-keygen -t ecdsa -b 521

What I'm not following is, do I have a way to get the hostkey from the Servers into my script without my having to remotely connect to all 50 Servers to manually get their hostkey and put the specific hostkey into the .dat file for just the clients connected to each respective Server?

And if there is a way for me to do that, then fine, I can put it into a variable when my script is creating the .dat file to be used for SFTP.

But secondly, if I generate a key pair with the ssh-keygen command above, how do I script my .dat file to use the key pair that is generated?


martin (Site Admin, Prague, Czechia)

Re: Using Public Keys on many remote PCs

As you have thrown away my effort in helping you by deleting my answer on Stack Overflow, I'm at least re-posting it here:

A host key is part of the information you need to know about each server upfront, along with the hostname and credentials. You should get the information from the administrator of the server. See also Where do I get SSH host key fingerprint to authorize the server?

While you can automate the retrieval of the keys, it is not the best solution. If you want to do that anyway, you can make use of WinSCP .NET assembly Session.ScanFingerprint, e.g. from PowerShell script like:

# Load the WinSCP .NET assembly (adjust the path to where WinSCPnet.dll is installed)
Add-Type -Path "WinSCPnet.dll"
$sessionOptions = New-Object WinSCP.SessionOptions
$session = New-Object WinSCP.Session
# Fill in the server host names
$hostnames = "", "", ""
foreach ($hostname in $hostnames)
{
    $sessionOptions.HostName = $hostname
    # Ask the server for its host key and print the SHA-256 fingerprint
    $fp = $session.ScanFingerprint($sessionOptions, "SHA-256")
    Write-Host "$hostname = $fp"
}
$session.Dispose()
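A defender-side alternative to scanning fingerprints, added here as a PowerShell example that is not code from this thread or from the WinSCP project: the per-store host key comes from an inventory the server administrator issues, the script refuses to connect when a store has no pinned key, and the -privatekey switch authenticates with the key pair instead of a password in the URL. It assumes winscp.com is on PATH, that the client's private key has been converted to PuTTY .ppk format, and that the matching public key is already in the account's authorized_keys on each server; the inventory rows, store numbers and key path are constructed placeholders.

```powershell
# Added example (not from the thread): build a per-store WinSCP script from a
# trusted inventory and run it with public-key authentication.
# Assumptions: winscp.com is on PATH, the client's private key is in PuTTY
# .ppk format, and its public key is in authorized_keys on each server.

# Constructed sample inventory. In practice this CSV is issued by the server
# administrator (hostname -> host key fingerprint) and copied to the clients.
$inventoryCsv = @"
Store,HostName,HostKey
101,pos101,ssh-ed25519 255 SHA256:PLACEHOLDER_FINGERPRINT_101
102,pos102,ssh-ed25519 255 SHA256:PLACEHOLDER_FINGERPRINT_102
"@
$inventory = $inventoryCsv | ConvertFrom-Csv

function New-TransferScript {
    param([string]$Store, [string]$UserName, [string]$PrivateKey, [string]$ScriptPath)

    $entry = $inventory | Where-Object { $_.Store -eq $Store }
    if (-not $entry) {
        # Refuse to connect rather than accept whatever key the server offers.
        throw "No pinned host key for store $Store; ask the server admin for it."
    }

    # -hostkey pins the server identity; -privatekey replaces the password in
    # the URL, so no secret is written into the script file (an encrypted key
    # would additionally need -passphrase=...).
    $lines = @(
        "open sftp://$UserName@$($entry.HostName)/ -hostkey=`"$($entry.HostKey)`" -privatekey=`"$PrivateKey`"",
        "cd /cygdrive/c/pathToUse",
        "put $($env:USERDOMAIN).ftp",
        "put File1.txt File1.ftp",
        "get File2.txt",
        "get File3.txt",
        "exit"
    )
    Set-Content -Path $ScriptPath -Value $lines -Encoding ASCII
}

# Usage, assuming this client belongs to store 101 and its key lives in C:\keys.
$scriptPath = Join-Path $env:TEMP "ftpcmd.dat"
New-TransferScript -Store "101" -UserName "username" -PrivateKey "C:\keys\client.ppk" -ScriptPath $scriptPath

# /ini=nul ignores any stored WinSCP configuration; /log records the session
# so a host key mismatch or a failed key authentication can be diagnosed.
winscp.com /ini=nul /script="$scriptPath" /log="$env:TEMP\winscp.log"
if ($LASTEXITCODE -ne 0) { throw "Transfer failed; see $env:TEMP\winscp.log" }
```

A host whose key later changes will fail the -hostkey check and show up in the log, which is the signal to confirm with the server administrator before updating the inventory.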
