Failure to authenticate via script, when I can authenticate with GUI

shortmort37 (Donor, Philadelphia)

Using the WinSCP GUI, I can authenticate with my server and transfer files. I then used:
Session -> Generate Session URL/Code... -> Script -> Script file
...then Copy to Clipboard, and saved the result to "ModCopy.txt". I then set up ModCopy.bat with instructions to produce a log file.

Here is the batch file:
"C:\Users\Dan\AppData\Local\Programs\WinSCP\WinSCP.exe" /log="I:\phpBB\repository\ModCopy.log" /ini=nul /script="I:\phpBB\repository\ModCopy.txt"
Here is the open portion of the script (with edits to protect confidential info):
open sftp://webuser:mypass@127.0.0.1:nnnn/ -hostkey="ssh-ed25519 255 [snipped encryption string]" -rawsettings AuthKI=0 Cipher="aes,chacha20,3des,WARN,des,blowfish,arcfour" Tunnel=1 TunnelHostName="myvps.myisp.com" TunnelPortNumber=nnnn TunnelUserName="myssllogin" TunnelPublicKeyFile="I:%5CSSH_Keys%5Cprivate.ppk"

Here is what is reported in the log file (again, with edits consistent with the edits above):
< 2021-07-17 10:54:18.496 Script: Opening tunnel...
. 2021-07-17 10:54:18.496 Opening tunnel.
. 2021-07-17 10:54:18.497 Autoselected tunnel local port number 50027
< 2021-07-17 10:54:18.497 Script: Searching for host...
. 2021-07-17 10:54:18.498 [Tunnel] Looking up host "myvps.myisp.com" for SSH connection
. 2021-07-17 10:54:18.504 [Tunnel] Connecting to NNN.NNN.NNN.NNN port nnnn
< 2021-07-17 10:54:18.512 Script: Connecting to host...
. 2021-07-17 10:54:18.512 [Tunnel] We claim version: SSH-2.0-WinSCP_release_5.19
. 2021-07-17 10:54:18.530 [Tunnel] Remote version: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
. 2021-07-17 10:54:18.530 [Tunnel] Using SSH protocol version 2
. 2021-07-17 10:54:18.540 [Tunnel] Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2021-07-17 10:54:18.638 [Tunnel] Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
. 2021-07-17 10:54:18.639 [Tunnel] Host key fingerprint is:
. 2021-07-17 10:54:18.639 [Tunnel] ssh-ed25519 255 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx [snipped encryption string]
< 2021-07-17 10:54:18.639 Script: Authenticating...
. 2021-07-17 10:54:18.639 Error opening tunnel.
. 2021-07-17 10:54:18.639 [Tunnel] Closing connection.
< 2021-07-17 10:54:18.640 Script: Expected host key was not configured, use -hostkey switch.
< 2021-07-17 10:54:18.640 Host key fingerprint is ssh-ed25519 255 [snipped encryption string].
< 2021-07-17 10:54:18.640 Authentication failed.
I did not find "Expected host key was not configured" in the list of common error messages.
Last edited by shortmort37 on 2021-07-18 16:27; edited 1 time in total

shortmort37

Ah... I turned on logging for the interactive (GUI) authentication. Note the additional entry at 11:06:50.334, reporting Have a known host key of type ssh-ed25519.

. 2021-07-18 11:06:49.941 Opening tunnel.
. 2021-07-18 11:06:49.967 Autoselected tunnel local port number 50061
. 2021-07-18 11:06:50.119 [Tunnel] Looking up host [snip] for SSH connection
. 2021-07-18 11:06:50.196 [Tunnel] Connecting to [snip] port [snip]
. 2021-07-18 11:06:50.268 [Tunnel] We claim version: SSH-2.0-WinSCP_release_5.19.1
. 2021-07-18 11:06:50.333 [Tunnel] Remote version: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
. 2021-07-18 11:06:50.333 [Tunnel] Using SSH protocol version 2
. 2021-07-18 11:06:50.334 [Tunnel] Have a known host key of type ssh-ed25519
. 2021-07-18 11:06:50.370 [Tunnel] Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2021-07-18 11:06:50.507 [Tunnel] Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
. 2021-07-18 11:06:50.507 [Tunnel] Host key fingerprint is:
. 2021-07-18 11:06:50.507 [Tunnel] ssh-ed25519 255 [snip] [snip]
. 2021-07-18 11:06:50.522 [Tunnel] Host key matches cached key
. 2021-07-18 11:06:50.523 [Tunnel] Initialised AES-256 SDCTR (AES-NI accelerated) [aes256-ctr] outbound encryption
. 2021-07-18 11:06:50.523 [Tunnel] Initialised HMAC-SHA-256 outbound MAC algorithm
. 2021-07-18 11:06:50.523 [Tunnel] Initialised AES-256 SDCTR (AES-NI accelerated) [aes256-ctr] inbound encryption
. 2021-07-18 11:06:50.523 [Tunnel] Initialised HMAC-SHA-256 inbound MAC algorithm
. 2021-07-18 11:06:50.530 [Tunnel] Reading key file "I:\SSH_Keys\private.ppk"
! 2021-07-18 11:06:50.562 [Tunnel] Using username "[snip]".
. 2021-07-18 11:06:50.601 [Tunnel] Server offered these authentication methods: publickey
. 2021-07-18 11:06:50.601 [Tunnel] Offered public key
. 2021-07-18 11:06:50.609 [Tunnel] Offer of public key accepted
! 2021-07-18 11:06:50.609 [Tunnel] Authenticating with public key "rsa-key-20210519"
. 2021-07-18 11:06:51.714 [Tunnel] Sent public key signature
. 2021-07-18 11:06:51.730 [Tunnel] Access granted

My script does include the hostkey switch, which was generated as described in the initial post:

... -hostkey="ssh-ed25519 255 [snipped encryption string]" ...

But it seems to be ignored. Why?

shortmort37

(providing log file and script for the benefit of site moderators...)
  • ModCopy.bat (181 Bytes, Private file)
  • ModCopy.txt (793 Bytes, Private file)
  • ModCopy.log (9.16 KB, Private file)

martin (Site Admin, Prague, Czechia)

Re: Failure to authenticate via script, when I can authenticate with GUI

Indeed, the GUI does not add hostkey for the tunnel session to the script.
You have to do it on your own.
See https://winscp.net/forum/viewtopic.php?t=28466
-rawsettings TunnelHostKey="ssh-ed25519 255 xx:xx:xx:xx:xx:xx"

shortmort37

Re: Failure to authenticate via script, when I can authenticate with GUI

I admit to being confused about the distinction between the two; the GUI adds the -hostkey switch, but not the TunnelHostKey parameter. The SHA-256 accompanies -hostkey, and the MD5 accompanies TunnelHostKey. Hmmm... A bit confusing to me. Well, I don't claim to understand it, but that seems to have done the trick. It authenticates now. Thanks!


martin

Re: Failure to authenticate via script, when I can authenticate with GUI

The host key is special. It's not part of the session settings. So when generating code, WinSCP cannot just take your settings; it also has to look into the host key cache to read the host key for the code. It does that for the main session, but does not (yet) for the tunnel session. It's a bit of an edge case.
Anyway, I'm going to improve this, as you are not the first one to have the problem:
https://winscp.net/tracker/2006

As for the MD5 and SHA-256: You have probably cached the host key of the tunnel session using an old version of WinSCP, which supported MD5 only, while the host key of the main session was cached by a new version of WinSCP already.

shortmort37

Re: Failure to authenticate via script, when I can authenticate with GUI

Actually, I'm running 5.19.1 (build 11552). I only used MD5 for the TunnelKey because you suggested it in the form of your first reply:
-rawsettings TunnelHostKey="ssh-ed25519 255 xx:xx:xx:xx:xx:xx"
I just now substituted the SHA-256 (used in the session key) for the MD5 in the TunnelKey, and it again authenticated - so I'm still confused by this answer. If they can be the same, why can't the TunnelKey be generated at the time the -hostkey is? It's only academic, since my problem appears to have been solved.

martin

Re: Failure to authenticate via script, when I can authenticate with GUI

I didn't really suggest using MD5. I just copied the MD5-like fingerprint placeholder from some of your earlier scripts or logs. You can (and should) of course use the SHA-256 fingerprint for both.

It's not that WinSCP cannot generate the host key for the tunnel session. It just does not (yet).

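As an added example (not WinSCP's code and not the poster's script), the Python below ties together the two points of this thread: martin's fix of pinning the tunnel hop separately with `-rawsettings TunnelHostKey=...`, and the MD5 versus SHA-256 confusion that followed. It derives both fingerprint encodings WinSCP accepts (old-style MD5 colon-hex and current `SHA256:` base64) from the same public-key blob, so you can see they name one key, and it checks that a scripted `open` line carries a host-key pin for both SSH hops of a tunnelled session. The key bytes, host names, port and fingerprint placeholders are constructed for the example and belong to no real host.

```python
"""Host-key fingerprints in the two formats WinSCP accepts, plus a check that a
WinSCP script pins BOTH hops of a tunnelled session.

Added example, not WinSCP's code. The public key is built from fixed bytes for
illustration only; it is not any real host's key."""
import base64
import hashlib
import re
import struct

# WinSCP prints the key size after the type in -hostkey values ("ssh-ed25519 255 ...").
KEY_BITS = {b"ssh-ed25519": 255}


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw32: bytes) -> bytes:
    """Wire-format ssh-ed25519 public key blob (what known_hosts/caches store)."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob: bytes, algo: str = "sha256") -> str:
    """OpenSSH-style fingerprint of a key blob.

    sha256 -> 'SHA256:' + unpadded base64 (what current WinSCP caches/logs)
    md5    -> 16 colon-separated hex bytes (what older versions cached)
    Both are hashes of the same blob, so both identify the same key.
    """
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":
        return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    raise ValueError(f"unsupported fingerprint algorithm: {algo}")


def winscp_hostkey(blob: bytes, algo: str = "sha256") -> str:
    """Value usable for -hostkey= or TunnelHostKey=, e.g. 'ssh-ed25519 255 SHA256:...'."""
    type_len = struct.unpack(">I", blob[:4])[0]
    keytype = blob[4:4 + type_len]
    if keytype not in KEY_BITS:
        raise ValueError(f"unsupported key type: {keytype!r}")
    return f"{keytype.decode()} {KEY_BITS[keytype]} {fingerprint(blob, algo)}"


def missing_pins(open_line: str) -> list:
    """Names of host-key pins an 'open' command lacks.

    A tunnelled session (Tunnel=1) is two SSH hops; each needs its own pin:
    -hostkey for the target, TunnelHostKey (a raw setting) for the tunnel host.
    Without TunnelHostKey WinSCP fails closed with
    'Expected host key was not configured', as in the log in this thread."""
    missing = []
    if not re.search(r"(^|\s)-hostkey=", open_line):
        missing.append("-hostkey")
    if re.search(r"\bTunnel=1\b", open_line) and not re.search(r"\bTunnelHostKey=", open_line):
        missing.append("TunnelHostKey")
    return missing


# Constructed sample key (fixed bytes, not a real host key).
SAMPLE_KEY = ed25519_blob(bytes(range(32)))

# Constructed open lines shaped like the thread's; fingerprints are placeholders.
BROKEN = (
    'open sftp://webuser@127.0.0.1:2222/ -hostkey="ssh-ed25519 255 SHA256:AAAA" '
    '-rawsettings Tunnel=1 TunnelHostName="myvps.example" TunnelPortNumber=2222'
)
FIXED = BROKEN + ' TunnelHostKey="ssh-ed25519 255 SHA256:BBBB"'

if __name__ == "__main__":
    for algo in ("sha256", "md5"):
        print(f"{algo:6} {winscp_hostkey(SAMPLE_KEY, algo)}")
    print("GUI-generated line is missing:", missing_pins(BROKEN))
    print("with TunnelHostKey, missing:  ", missing_pins(FIXED))
```

Run it to see the same constructed key rendered both ways; either string works as the pin, which is why swapping SHA-256 in for MD5 in the thread still authenticated. `missing_pins` is the check to run over a generated script before deploying it: an `open` with `Tunnel=1` and no `TunnelHostKey` will never connect unattended.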