Topic "Problem with private key..."

Author Message
p1c0

Joined: 2005-07-22
Posts: 18
Location: France
Hi all,

I am trying to upload a file to an SSH server with WinSCP. I use Pageant to store my private key, but when I try to open my session with a script, I get the message which asks if I want to trust the server... By default, it answers Cancel. Since I use a script, it answers Cancel each time, so I want to know if there is a method to get around this?

Thanks in advance.

p1c0.
p1c0

Joined: 2005-07-22
Posts: 18
Location: France
Hi all,

I will give you more information so that you can help me...

I use WinSCP 3.7.5 and my server is OpenSSH v4.0p1.

Here is the beginning of my script:

Code:
option batch on
option confirm off
open root@192.168.1.10:22
option transfer binary


But as I said before, it doesn't work because I can't say that I trust the server...

Any help???
p1c0

Joined: 2005-07-22
Posts: 18
Location: France
Sorry to insist, but I've read this: https://winscp.net/eng/docs/scripting#running_script_under_different_account

And particularly:

Quote:
Never attempt to make the script verify the host key automatically.


So I understand that what I want to do is not a good solution, but how can I give the user the possibility to reply Yes to the answer??

Thanks in advance
martin
Site Admin
Joined: 2002-12-10
Posts: 24995
Location: Prague, Czechia
p1c0 wrote:
So I understand that what I want to do is not a good solution, but how can I give the user the possibility to reply Yes to the answer??

Either let the user accept the key first (in interactive mode) or distribute the key with your script (in an INI file or import the key into the registry before running the script).
_________________
Martin Prikryl
p1c0

Joined: 2005-07-22
Posts: 18
Location: France
prikryl wrote:
Either let the user accept the key first (in interactive mode)


So I have to delete "option confirm off" from my script??

prikryl wrote:
or distribute the key with your script (in an INI file or import the key into the registry before running the script).


OK, so I have to create a rsa2@server_port:server_ip in this registry [HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\SshHostKeys]. Am I right?

But I have difficulty knowing where the value comes from??
martin
Site Admin
Joined: 2002-12-10
Posts: 24995
Location: Prague, Czechia
p1c0 wrote:
prikryl wrote:
Either let the user accept the key first (in interactive mode)


So I have to delete "option confirm off" from my script??

I meant that you should instruct the user that before running your script the first time, he/she needs to accept the host key. Whatever way.

Quote:
prikryl wrote:
or distribute the key with your script (in an INI file or import the key into the registry before running the script).


OK, so I have to create a rsa2@server_port:server_ip in this registry [HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\SshHostKeys]. Am I right?

But I have difficulty knowing where the value comes from??

Accept the key on your station and reuse the value stored in the registry.
_________________
Martin Prikryl
p1c0

Joined: 2005-07-22
Posts: 18
Location: France
prikryl wrote:
I meant that you should instruct the user that before running your script the first time, he/she needs to accept the host key. Whatever way.


prikryl wrote:
Accept the key on your station and reuse the value stored in the registry.


OK. Is there no other method? I don't think the people who will use my application can do that. So I would create a batch in order to do that... Is it possible?

Thanks for your help
martin
Site Admin
Joined: 2002-12-10
Posts: 24995
Location: Prague, Czechia
p1c0 wrote:
OK. Is there no other method? I don't think the people who will use my application can do that. So I would create a batch in order to do that... Is it possible?

Definitely. I meant it so. Again, either distribute the INI file or import the key into the registry from a batch file before running the script (using regedit.exe).
_________________
Martin Prikryl
p1c0

Joined: 2005-07-22
Posts: 18
Location: France
Sorry, but I have difficulty speaking English...

I want to know if there is a method to calculate the registry value when we know the server fingerprint?

I have understood that I have to store this value in the registry, but I am just looking for a method to determine this value...

Thanks a lot.
martin
Site Admin
Joined: 2002-12-10
Posts: 24995
Location: Prague, Czechia
p1c0 wrote:
I want to know if there is a method to calculate the registry value when we know the server fingerprint?

Probably there is. But why do you want to do that, if you know the value? Or do you not know it?
_________________
Martin Prikryl
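Added example, not part of the original thread and not WinSCP's own code: a fingerprint is a one-way hash of the host key, so the registry value cannot be calculated from the fingerprint, but it can be derived from the server's public host key line (for OpenSSH, the `ssh_host_rsa_key.pub` file) obtained over a trusted channel. The sketch assumes WinSCP stores RSA host keys in PuTTY's `0x<exponent>,0x<modulus>` layout under the `rsa2@port:host` name mentioned above; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib

# Registry key named in the thread; the value layout is PuTTY's (assumption).
REG_KEY = r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\SshHostKeys"

def _field(buf, off):
    """Read one length-prefixed SSH string/mpint starting at off."""
    size = int.from_bytes(buf[off:off + 4], "big")
    end = off + 4 + size
    if end > len(buf):  # also catches a missing or short length prefix
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def host_key_entry(host, port, pub_line):
    """Return (value name, value data, MD5 fingerprint) for an ssh-rsa key."""
    alg, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    name, off = _field(blob, 0)
    if alg != "ssh-rsa" or name != b"ssh-rsa":
        raise ValueError("only ssh-rsa host keys are handled here")
    e_raw, off = _field(blob, off)
    n_raw, off = _field(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes in key blob")
    e, n = int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")
    # The fingerprint is a hash of the blob: it cannot be turned back into e, n.
    digest = hashlib.md5(blob).hexdigest()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return f"rsa2@{port}:{host}", f"0x{e:x},0x{n:x}", fingerprint

def reg_file(host, port, pub_line):
    """Text of a .reg file that a batch file can import with regedit.exe."""
    name, data, _ = host_key_entry(host, port, pub_line)
    return f'REGEDIT4\r\n\r\n[{REG_KEY}]\r\n"{name}"="{data}"\r\n'

def _mpint(x):
    """Encode a positive integer as an SSH mpint (used for the sample only)."""
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return len(raw).to_bytes(4, "big") + raw

# Constructed sample: a toy 128-bit modulus, not a real host key.
SAMPLE_N = 0xD1CEB00C0FFEE123456789ABCDEF0123
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(
    (7).to_bytes(4, "big") + b"ssh-rsa" + _mpint(65537) + _mpint(SAMPLE_N)
).decode() + " root@constructed-example"

if __name__ == "__main__":
    print(reg_file("192.168.1.10", 22, SAMPLE_LINE))
```

The fingerprint returned alongside the entry is what the person installing the key should compare against the one shown on the server before the .reg file is distributed.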
p1c0

Joined: 2005-07-22
Posts: 18
Location: France
prikryl wrote:
Probably there is. But why do you want to do that, if you know the value? Or do you not know it?


My application is supposed to be sold. So it is not possible to have the same fingerprint for all SSH servers which will be installed. So the INI file or the registry key will change, and I have to know the value of the key without accepting it the first time, if that is possible...
martin
Site Admin
Joined: 2002-12-10
Posts: 24995
Location: Prague, Czechia
p1c0 wrote:
My application is supposed to be sold. So it is not possible to have the same fingerprint for all SSH servers which will be installed. So the INI file or the registry key will change, and I have to know the value of the key without accepting it the first time, if that is possible...

Then you do not know the fingerprint either. Are you going to let the user specify it during installation? Then you can have another script with "option batch off" that is launched during installation that would just connect to the server. You will instruct the user that he/she needs to verify the host key and eventually accept it (pressing "yes").
_________________
Martin Prikryl
p1c0

Joined: 2005-07-22
Posts: 18
Location: France
Yes, I want the user to be able to generate a new fingerprint on the server... But with option batch off, it is exactly what I want to do! The user can simply answer that he trusts the server without doing a lot of things...

Thanks a lot for your help!

p1c0.
martin
Site Admin
Joined: 2002-12-10
Posts: 24995
Location: Prague, Czechia
p1c0 wrote:
Yes, I want the user to be able to generate a new fingerprint on the server...

I do not get this. The user AFAIK cannot generate a new host key (nor its fingerprint). The host key is typically generated only during installation of the server. The user typically accepts the key only on the client machine.
_________________
Martin Prikryl
p1c0

Joined: 2005-07-22
Posts: 18
Location: France
Is it not possible to change the fingerprint of the server after installation? (with ssh-keygen?)
martin
Site Admin
Joined: 2002-12-10
Posts: 24995
Location: Prague, Czechia
p1c0 wrote:
Is it not possible to change the fingerprint of the server after installation? (with ssh-keygen?)

Technically it is possible. But it makes no sense. And only the administrator of the server (root) can do that. I do not know what your audience is.
_________________
Martin Prikryl
p1c0

Joined: 2005-07-22
Posts: 18
Location: France
OK, thanks for your comment. For the moment, the user can't change the fingerprint. Perhaps in the future, but it's not sure. I want to do this in order to increase security, but I'm not sure it is really necessary...