.\WinSCP.exe command without password fails

Advertisement

francesco84mantovani@gmail.com
Joined:
Posts:
14
Location:
Lausanne

.\WinSCP.exe command without password fails

Hello, I think I found a bug.
Steps to reproduce:

1) If I open PowerShell and pass the values user:password@server like this
.\WinSCP.exe sftp://user:password@10.230.123.30/ /hostkey="ssh-ed25519 255 eesecret2BUNg="
everything is good and I can connect to the remote server

2) If I open PowerShell and pass the values user@server like this
.\WinSCP.exe sftp://user@10.230.123.30/ /hostkey="ssh-ed25519 255 eesecret2BUNg="
a window pops up asking for password. I enter the password manually and the window says "Access denied".

I'm on version 5.17.10

Cannot tell if it's related to the hostkey ssh-ed25519 255 or if affects all key type as I only have this environment.

Thank you

Access denied.png

Reply with quote

Advertisement

francesco84mantovani@gmail.com
Joined:
Posts:
14
Location:
Lausanne

More logs

I forgot to mention that I discovered this bug while using the PowerShell code that you put in this page https://winscp.net/eng/docs/library_from_script

fails with error:

Error: Exception calling "Open" with "1" argument(s): "Connection has been unexpectedly closed. Server sent command exit status 0.
Authentication log (see session log for details):
Using username "user".
Access denied.

Authentication failed."

Reply with quote

francesco84mantovani@gmail.com
Joined:
Posts:
14
Location:
Lausanne

I made a video

Hello,
I hope this might help you see the big picture. I took a video in which you can see as the same line of code works with password but fails without password.

Even if I copy/paste the same password from the previous line the login fails.

I believe there must be a problem in the concatenation because
user:password@server
works while
user@server
and adding the password later when prompted it doesn't.

The same problem also affect not only the
WinSCP.exe
but also the
WinSCPnet.dll
when used with the PowerShell script you mention in your guides.

Cannot tell if it's related to
/hostkey="ssh-ed25519 255
as I cannot test it with other environments.

Let me know if you need any information.

Testing.gif

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,276
Location:
Prague, Czechia

Re: .\WinSCP.exe command without password fails

Add /loglevel=* to WinSCP commandline to enable password logging and compare the logs, to check if the same password is really used in both cases. Is there any special character in the password?

Reply with quote

Advertisement

francesco84mantovani@gmail.com
Joined:
Posts:
14
Location:
Lausanne

"%" in password makes login fail

I found the bug!
Yes, we have a % in the password.
In the logs I noticed that the password in plain text switched the %24 to a $.

But there is definitely a bug.
  • Passing the password in line.log (20.95 KB, Private file)
  • Entering the passwod manually.log (5.25 KB, Private file)

Reply with quote

francesco84mantovani@gmail.com
Joined:
Posts:
14
Location:
Lausanne

All good

All good, you can close this topic as it works as expected.
However I find strange that you wan to keep the software behave in that way.
I still have a problem with PowerShell.
I will open another topic.

Thank you

Reply with quote

Advertisement

francesco84mantovani@gmail.com
Joined:
Posts:
14
Location:
Lausanne

Example

For example take MySQL, if you want to connect you can provide user, password and server this way:
mysql -u USERNAME -pPASSWORD -h HOSTNAMEORIP DATABASENAME
Or otherwise you can only provide user and server this way
mysql -u USERNAME -h HOSTNAMEORIP DATABASENAME -p
and the password will be prompted and you just have to enter it and it works.
Your software is the first software that I encounter that basically says:
"... if you enter user:password@server it's file BUT if you dare to enter only user@serve... well... now every "%" followed by two digits will be converted to UTF-8. Have fun finding out your new password."

I tell you, I've been working 10 years in IT and this is the first software I see, whatever the OS can be Linux/Windows/Mac that actually change the password in behalf of the way you send the command.

It's crazy, don't you think?

Can you name another software that acts like that?

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,276
Location:
Prague, Czechia

Re: Example

That's how URLs works. Any URLs, anywhere. In all web browsers. In many command-line FTP/SFTP clients, like OpenSSH, curl, wget, etc.
There are standards for that.
https://datatracker.ietf.org/doc/html/rfc3986#section-2.1
https://en.wikipedia.org/wiki/Percent-encoding

If you do not like it, do it the way you do with mysql. There are -username and -password switches in WinSCP:
https://winscp.net/eng/docs/scriptcommand_open#username
Even the article, I've linked above tells that:
To avoid having to URL-encode the credentials, particularly when sourcing them from a variable, you can use -username and -password switches of the open command or WinSCP commandline.

Reply with quote

Advertisement

You can post new topics in this forum