WinSCP sporadically fails on Host key does not match when connecting through tunnel


DotnetDeveloper (Posts: 6, Location: Virginia)

I have been having this issue for quite a few months now. I started with a WinSCP script, then moved to the WinSCP .NET assembly, hoping to find a solution, but it didn't help.
My scenario:
I post files to a client SFTP location from my server, tunneling through a proxy. I have 2 environments; both tunnel through the same proxy to post the files to the client location. Both environments have 2 different logins and their own host keys. 30% of the time, the upload fails, saying:
(Exception) **Host key does not match configured key fingerprint "ssh-rsa 2048 xxxxxxxxxxxxxxxxxxxxxx="!**
Here is the code:
```csharp
SessionOptions sessionOptions = new SessionOptions
{
    Protocol = Protocol.Sftp,
    HostName = ConfigurationManager.AppSettings["ClientHostName"],
    UserName = ConfigurationManager.AppSettings["ClientUserName"],
    Password = ConfigurationManager.AppSettings["ClientPassword"],
    // Expected host key of the client SFTP server
    SshHostKeyFingerprint = ConfigurationManager.AppSettings["ClientHostKey"],
    PortNumber = Convert.ToInt32(ConfigurationManager.AppSettings["ClientPort"])
};

if (tunneling)
{
    // Reach the client server through an SSH tunnel on the proxy (raw session settings)
    sessionOptions.AddRawSettings("Tunnel", "1");
    sessionOptions.AddRawSettings("TunnelHostName", ConfigurationManager.AppSettings["ProxyHostName"]);
    sessionOptions.AddRawSettings("TunnelPortNumber", ConfigurationManager.AppSettings["ProxyPort"]);
    sessionOptions.AddRawSettings("TunnelUserName", ConfigurationManager.AppSettings["ProxyUserName"]);
    sessionOptions.AddRawSettings("TunnelPublicKeyFile", ConfigurationManager.AppSettings["ProxyPrivateKeyPath"]);
    // Expected host key of the proxy itself
    sessionOptions.AddRawSettings("TunnelHostKey", ConfigurationManager.AppSettings["ProxyHostKey"]);
}
```
Logs attached:
This exception does not occur all the time, only in some instances, and I could not figure out when and why. Any insights/ideas are much appreciated. Please help!!
  • sftpLog.log (8.43 KB, Private file)


martin (Site Admin, Posts: 41,517, Location: Prague, Czechia)

Re: Winscp Sporadically fails on Host key does not match

Isn't your server load balanced?
Can you post a log of a successful connection?


DotnetDeveloper

Thank you, Martin, for your reply.
No, our server does not have a load balancer.
Attaching successful attempt logs
  • SuccessSftpLog.log (12.86 KB, Private file)


martin

Aren't you running multiple transfers in parallel?

WinSCP picks a free local port for the port forwarding, but before it is able to establish the tunnel, something steals the port. That's something that should be improved definitely. I'll look at this.

But meanwhile, you can try to make your own choice using the TunnelLocalPortNumber raw session setting:
https://winscp.net/eng/docs/rawsettings#tunnellocalportnumber


martin

I forgot to mention how it relates to the host key. It actually seems that the session connects to a tunnel opened at the same by another connection. So it connects to a wrong host. That's why the host key does not match.

DotnetDeveloper

Thank you so much for the temporary fix version to report a meaningful error, Martin.
Can you please give me the direct link to the version to download? I could not find it.
Any estimate at this time for a permanent fix?

DotnetDeveloper

Hi Martin,
I was hoping this bugfix would handle multiple SFTP tunnel requests at the same time to the same port. But my job failed today again!! Only with a different error message :(

2021-05-13 11:00:35.2342|Info|Exception encountered during sftp transfer: Error while tunneling the connection.
Local port 10022 forwarding to ast.carefirst.com:22 failed: Network error: Address already in use
I have 2 different processes trying at the same time delivering the files to 2 different client locations thru the same tunnel port.
How do I address this?


martin

Ok, you probably still use the workaround with the explicit local port set using TunnelLocalPortNumber, which bypasses the fix and actually causes the problem, if you use the same port for both your processes. Remove that. Or even better, set a unique port for each parallel process.


DotnetDeveloper

Martin,
I only have one port available from my network team. So can you please explain how to make your fix work. What exactly was fixed in this version?
```csharp
sessionOptions.AddRawSettings("Tunnel", "1");
sessionOptions.AddRawSettings("TunnelHostName", ConfigurationManager.AppSettings["ProxyHostName"]);
sessionOptions.AddRawSettings("TunnelPortNumber", ConfigurationManager.AppSettings["ProxyPort"]);
sessionOptions.AddRawSettings("TunnelLocalPortNumber", ConfigurationManager.AppSettings["ProxyPort"]);
sessionOptions.AddRawSettings("TunnelUserName", ConfigurationManager.AppSettings["ProxyUserName"]);
sessionOptions.AddRawSettings("TunnelPublicKeyFile", ConfigurationManager.AppSettings["ProxyPrivateKeyPath"]);
sessionOptions.AddRawSettings("TunnelHostKey", ConfigurationManager.AppSettings["ProxyHostKey"]);
```
This is still my code. What should be taken, and what should be changed?
Please explain.


martin

The port is used locally only (and within single WinSCP process only). I do not think you need any permission from your network team. It's not network-related.

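One way to follow martin's advice above to set a unique port for each parallel process, given that the port is local only (an added example, not code from the thread or from WinSCP): each process leases a local port through a machine-wide named mutex and passes it as TunnelLocalPortNumber. The TunnelPortLease and Uploader names, the mutex name and the 10022-10041 range are assumptions, and the processes are assumed to run under the same Windows account.

```csharp
using System;
using System.Threading;
using WinSCP;

// Reserves one local port among cooperating processes by holding a named mutex
// for as long as the tunnel is open, so two uploads never share a local port.
sealed class TunnelPortLease : IDisposable
{
    private readonly Mutex _mutex;
    public int Port { get; }

    private TunnelPortLease(Mutex mutex, int port) { _mutex = mutex; Port = port; }

    // firstPort/count are assumed values; any unused local range works.
    public static TunnelPortLease Acquire(int firstPort = 10022, int count = 20)
    {
        for (int port = firstPort; port < firstPort + count; port++)
        {
            var mutex = new Mutex(false, @"Global\WinScpTunnelPort_" + port);
            try { if (mutex.WaitOne(0)) return new TunnelPortLease(mutex, port); }
            catch (AbandonedMutexException) { return new TunnelPortLease(mutex, port); } // owner crashed; we own it now
            mutex.Dispose(); // leased by another process, try the next port
        }
        throw new InvalidOperationException("No free tunnel port in the configured range.");
    }

    // Must run on the thread that acquired the lease (mutexes are thread-affine).
    public void Dispose() { _mutex.ReleaseMutex(); _mutex.Dispose(); }
}

static class Uploader
{
    // sessionOptions is built as in the first post (Tunnel* raw settings and
    // host keys), but without a TunnelLocalPortNumber shared by all processes.
    public static void Upload(SessionOptions sessionOptions, string localPath, string remotePath)
    {
        using (var lease = TunnelPortLease.Acquire())
        using (var session = new Session())
        {
            sessionOptions.AddRawSettings("TunnelLocalPortNumber", lease.Port.ToString());
            session.Open(sessionOptions);
            session.PutFiles(localPath, remotePath).Check();
        }
    }
}
```

Keep SshHostKeyFingerprint and TunnelHostKey set as in the original code: the fingerprint check is what stopped the upload when a session reached another connection's tunnel. The lease only coordinates processes that use it; unrelated software can still occupy a port in the range.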
