Logging to sFTP with private key via Pageant

Advertisement

lumrk
Joined:
Posts:
4

Logging to sFTP with private key via Pageant

Hi,

I'm using WinSCP 4.3.7 (1679) on Windows Vista SP2.

I'm trying to log on to server with automation script, which is called in C# application. This application in general only calls winscp.com to download some file from server.

winscp.com mySession /command "option confirm off" "cd remoteDir" "get remoteFile localDir" exit    

In mySession I'm using a encrypted private key file, SFTP protocol with SCP fallback allowed. To avoid asking for passphrase for private key, I'm running pageant with this key added.

And now the problem:
If I want to log in manually in cmd.exe everything works fine.
winscp.com mySession    
If I execute that app, it logs on to server fine as well (see log1)
But if this app is embedded in windows service (running under the same account as above), the script don't ask pageant for key. (see log2)

Log 1
. 2012-05-15 14:05:25.757 --------------------------------------------------------------------------
. 2012-05-15 14:05:25.757 WinSCP Version 4.3.7 (Build 1679) (OS 6.0.6002 Service Pack 2)
. 2012-05-15 14:05:25.758 Configuration: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\
. 2012-05-15 14:05:25.758 Local account: INT\catadmin
. 2012-05-15 14:05:25.758 Login time: Tuesday, May 15, 2012 2:05:25 PM
. 2012-05-15 14:05:25.758 --------------------------------------------------------------------------
. 2012-05-15 14:05:25.758 Session name: eurex-cre (Stored session)
. 2012-05-15 14:05:25.759 Host name: 193.29.90.129 (Port: 2222)
. 2012-05-15 14:05:25.759 User name: 1075314_000001 (Password: No, Key file: Yes)
. 2012-05-15 14:05:25.759 Tunnel: No
. 2012-05-15 14:05:25.759 Transfer Protocol: SFTP (SCP)
. 2012-05-15 14:05:25.759 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2012-05-15 14:05:25.759 Proxy: none
. 2012-05-15 14:05:25.759 SSH protocol version: 2; Compression: No
. 2012-05-15 14:05:25.759 Bypass authentication: No
. 2012-05-15 14:05:25.759 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: No
. 2012-05-15 14:05:25.759 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2012-05-15 14:05:25.759 SSH Bugs: -,-,-,-,-,-,-,-,-
. 2012-05-15 14:05:25.759 SFTP Bugs: -,-
. 2012-05-15 14:05:25.759 Return code variable: Autodetect; Lookup user groups: Yes
. 2012-05-15 14:05:25.759 Shell: default
. 2012-05-15 14:05:25.759 EOL: 0, UTF: 2
. 2012-05-15 14:05:25.759 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2012-05-15 14:05:25.759 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2012-05-15 14:05:25.759 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2012-05-15 14:05:25.759 Cache directory changes: Yes, Permanent: Yes
. 2012-05-15 14:05:25.759 DST mode: 1
. 2012-05-15 14:05:25.759 --------------------------------------------------------------------------
. 2012-05-15 14:05:25.760 Looking up host "193.29.90.129"
. 2012-05-15 14:05:25.760 Connecting to 193.29.90.129 port 2222
. 2012-05-15 14:05:25.778 Waiting for the server to continue with the initialisation
. 2012-05-15 14:05:25.778 Detected network event
. 2012-05-15 14:05:25.786 Detected network event
. 2012-05-15 14:05:25.786 Server version: SSH-2.0-OpenSSH_5.3
. 2012-05-15 14:05:25.786 Using SSH protocol version 2
. 2012-05-15 14:05:25.786 We claim version: SSH-2.0-WinSCP_release_4.3.7
. 2012-05-15 14:05:25.786 Waiting for the server to continue with the initialisation
. 2012-05-15 14:05:25.798 Detected network event
. 2012-05-15 14:05:25.798 Doing Diffie-Hellman group exchange
. 2012-05-15 14:05:25.798 Waiting for the server to continue with the initialisation
. 2012-05-15 14:05:25.859 Detected network event
. 2012-05-15 14:05:25.859 Doing Diffie-Hellman key exchange with hash SHA-1
. 2012-05-15 14:05:26.032 Waiting for the server to continue with the initialisation
. 2012-05-15 14:05:26.061 Detected network event
. 2012-05-15 14:05:26.205 Host key fingerprint is:
. 2012-05-15 14:05:26.205 ssh-rsa 2048 3b:c0:a4:8d:a2:a0:f7:2b:a1:2e:0c:b7:f4:02:9d:c7
. 2012-05-15 14:05:26.205 Initialised AES-256 SDCTR client->server encryption
. 2012-05-15 14:05:26.205 Initialised HMAC-SHA1 client->server MAC algorithm
. 2012-05-15 14:05:26.205 Initialised AES-256 SDCTR server->client encryption
. 2012-05-15 14:05:26.205 Initialised HMAC-SHA1 server->client MAC algorithm
. 2012-05-15 14:05:26.205 Waiting for the server to continue with the initialisation
. 2012-05-15 14:05:26.270 Detected network event
. 2012-05-15 14:05:26.270 Reading private key file "C:\Install\keys\eurex-rsj-cre.priv.ppk"
. 2012-05-15 14:05:26.270 Pageant is running. Requesting keys.
. 2012-05-15 14:05:26.270 Pageant has 1 SSH-2 keys
. 2012-05-15 14:05:26.270 Pageant key #0 matches configured key file
! 2012-05-15 14:05:26.270 Using username "1075314_000001".
. 2012-05-15 14:05:26.271 Waiting for the server to continue with the initialisation
. 2012-05-15 14:05:26.381 Detected network event
. 2012-05-15 14:05:26.381 Trying Pageant key #0
. 2012-05-15 14:05:26.381 Waiting for the server to continue with the initialisation
. 2012-05-15 14:05:26.404 Detected network event
! 2012-05-15 14:05:26.404 Authenticating with public key "rsa-key-20120228" from agent
. 2012-05-15 14:05:26.527 Sending Pageant's response
. 2012-05-15 14:05:26.528 Waiting for the server to continue with the initialisation
. 2012-05-15 14:05:26.599 Detected network event
. 2012-05-15 14:05:26.599 Access granted
. 2012-05-15 14:05:26.599 Waiting for the server to continue with the initialisation
. 2012-05-15 14:05:26.610 Detected network event
. 2012-05-15 14:05:26.610 Opened channel for session
. 2012-05-15 14:05:26.610 Waiting for the server to continue with the initialisation
. 2012-05-15 14:05:26.670 Detected network event
. 2012-05-15 14:05:26.670 Started a shell/command


Log 2

. 2012-05-15 14:08:06.392 --------------------------------------------------------------------------
. 2012-05-15 14:08:06.392 WinSCP Version 4.3.7 (Build 1679) (OS 6.0.6002 Service Pack 2)
. 2012-05-15 14:08:06.392 Configuration: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\
. 2012-05-15 14:08:06.392 Local account: INT\catadmin
. 2012-05-15 14:08:06.392 Login time: Tuesday, May 15, 2012 2:08:06 PM
. 2012-05-15 14:08:06.392 --------------------------------------------------------------------------
. 2012-05-15 14:08:06.392 Session name: eurex-cre (Stored session)
. 2012-05-15 14:08:06.392 Host name: 193.29.90.129 (Port: 2222)
. 2012-05-15 14:08:06.392 User name: 1075314_000001 (Password: No, Key file: Yes)
. 2012-05-15 14:08:06.392 Tunnel: No
. 2012-05-15 14:08:06.392 Transfer Protocol: SFTP (SCP)
. 2012-05-15 14:08:06.392 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2012-05-15 14:08:06.392 Proxy: none
. 2012-05-15 14:08:06.392 SSH protocol version: 2; Compression: No
. 2012-05-15 14:08:06.392 Bypass authentication: No
. 2012-05-15 14:08:06.392 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: No
. 2012-05-15 14:08:06.392 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2012-05-15 14:08:06.392 SSH Bugs: -,-,-,-,-,-,-,-,-
. 2012-05-15 14:08:06.392 SFTP Bugs: -,-
. 2012-05-15 14:08:06.392 Return code variable: Autodetect; Lookup user groups: Yes
. 2012-05-15 14:08:06.392 Shell: default
. 2012-05-15 14:08:06.392 EOL: 0, UTF: 2
. 2012-05-15 14:08:06.392 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2012-05-15 14:08:06.392 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2012-05-15 14:08:06.392 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2012-05-15 14:08:06.392 Cache directory changes: Yes, Permanent: Yes
. 2012-05-15 14:08:06.392 DST mode: 1
. 2012-05-15 14:08:06.392 --------------------------------------------------------------------------
. 2012-05-15 14:08:06.407 Looking up host "193.29.90.129"
. 2012-05-15 14:08:06.407 Connecting to 193.29.90.129 port 2222
. 2012-05-15 14:08:06.423 Waiting for the server to continue with the initialisation
. 2012-05-15 14:08:06.423 Detected network event
. 2012-05-15 14:08:06.423 Detected network event
. 2012-05-15 14:08:06.423 Server version: SSH-2.0-OpenSSH_5.3
. 2012-05-15 14:08:06.423 Using SSH protocol version 2
. 2012-05-15 14:08:06.423 We claim version: SSH-2.0-WinSCP_release_4.3.7
. 2012-05-15 14:08:06.423 Waiting for the server to continue with the initialisation
. 2012-05-15 14:08:06.438 Detected network event
. 2012-05-15 14:08:06.438 Doing Diffie-Hellman group exchange
. 2012-05-15 14:08:06.438 Waiting for the server to continue with the initialisation
. 2012-05-15 14:08:06.501 Detected network event
. 2012-05-15 14:08:06.501 Doing Diffie-Hellman key exchange with hash SHA-1
. 2012-05-15 14:08:06.626 Waiting for the server to continue with the initialisation
. 2012-05-15 14:08:06.641 Detected network event
. 2012-05-15 14:08:06.860 Host key fingerprint is:
. 2012-05-15 14:08:06.860 ssh-rsa 2048 3b:c0:a4:8d:a2:a0:f7:2b:a1:2e:0c:b7:f4:02:9d:c7
. 2012-05-15 14:08:06.860 Initialised AES-256 SDCTR client->server encryption
. 2012-05-15 14:08:06.860 Initialised HMAC-SHA1 client->server MAC algorithm
. 2012-05-15 14:08:06.860 Initialised AES-256 SDCTR server->client encryption
. 2012-05-15 14:08:06.860 Initialised HMAC-SHA1 server->client MAC algorithm
. 2012-05-15 14:08:06.860 Waiting for the server to continue with the initialisation
. 2012-05-15 14:08:06.953 Detected network event
. 2012-05-15 14:08:06.953 Reading private key file "C:\Install\keys\eurex-rsj-cre.priv.ppk"
! 2012-05-15 14:08:06.953 Using username "1075314_000001".
. 2012-05-15 14:08:07.000 Waiting for the server to continue with the initialisation
. 2012-05-15 14:08:07.203 Detected network event
. 2012-05-15 14:08:07.203 Offered public key
. 2012-05-15 14:08:07.203 Waiting for the server to continue with the initialisation
. 2012-05-15 14:08:07.234 Detected network event
. 2012-05-15 14:08:07.234 Offer of public key accepted
! 2012-05-15 14:08:07.234 Authenticating with public key "rsa-key-20120228"
. 2012-05-15 14:08:07.250 Prompt (3, SSH key passphrase, , Passphrase for key "rsa-key-20120228": )
. 2012-05-15 14:08:07.250 Disconnected: Unable to authenticate

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
27,253
Location:
Prague, Czechia

Re: Logging to sFTP with private key via Pageant

Pageant has to be running in the same session/under the same local account as WinSCP.
Alternatively you can save the private key unecrypted, possibly protecting it locally using system permissions (e.g. granting access to the service only).
_________________
Martin Prikryl

Reply with quote

lumrk
Joined:
Posts:
4

Re: Logging to sFTP with private key via Pageant

martin wrote:

Pageant has to be running in the same session/under the same local account as WinSCP.

I'm not sure what 'in the same session' means but Pageant is running under the same local account as WinSCP (both 'INT\catadmin'). As well as windows service is running under the same account.

martin wrote:

Alternatively you can save the private key unecrypted, possibly protecting it locally using system permissions (e.g. granting access to the service only).

Yes, this could be a solution, but I'm curious about the solution with the encrypted key.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
27,253
Location:
Prague, Czechia

Re: Logging to sFTP with private key via Pageant

I've checked again. Actually it's not necessary for WinSCP and Pageant to run under the same account. But it it necessary that they run in the same session. As you probably run Pageant in the interactive session and WinSCP is run in the scheduler's session, they cannot see each other.
_________________
Martin Prikryl

Reply with quote

lumrk
Joined:
Posts:
4

Re: Logging to sFTP with private key via Pageant

martin wrote:

I've checked again. Actually it's not necessary for WinSCP and Pageant to run under the same account. But it it necessary that they run in the same session. As you probably run Pageant in the interactive session and WinSCP is run in the scheduler's session, they cannot see each other.

Ok, this is a bug or feature? :) (not seeing each other)
Well, if I am not missing something - there is no way to run windows service, which connects to SFTP server using encrypted private key file, because
- if I run Pageant interactively, WinSCP will it not see from scheduler session
- I cannot run Pageant from script without asking for password

Am I right?

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
27,253
Location:
Prague, Czechia

Re: Logging to sFTP with private key via Pageant

It's feature.
Pageant is not intended this kind of use.
_________________
Martin Prikryl

Reply with quote

lumrk
Joined:
Posts:
4

Re: Logging to sFTP with private key via Pageant

martin wrote:

It's feature.
Pageant is not intended this kind of use.

Could you be more specific please?

And could you confirm my thoughts in a previous question?

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
27,253
Location:
Prague, Czechia

Re: Logging to sFTP with private key via Pageant

lumrk wrote:

Could you be more specific please?

And could you confirm my thoughts in a previous question?
Yes you are right. Also I have suggested a way to go earlier.
_________________
Martin Prikryl

Reply with quote

Advertisement

You can post new topics in this forum