[PowerShell] Accepting new host fingerprints does not work


Rudixx
Guest


Hello

I have a scheduled task that runs the script as a system account, but the script fails due to authentication.
param (
    #$KnownHostsFile = "$PSScriptRoot\KnownHosts.xml",
    $logPath = "U:\x\Logs\$(Get-Date -format yyyy)\$(Get-Date -format MM)",
    $logName = "WinSCP-SFTP_Upload_$(Get-Date -format yyyyMMdd).log",
    $localPath = "U:\x\Downloaded_Files\",
    $remotePath = "/build/",
    $finalPath = "/work/",
    $archivePath = "U:\x\Uploaded_Files\$(Get-Date -format yyyy)\$(Get-Date -format MM)",
    $SMTPServer = "gateway.server.com",
    $EmailFrom = "$env:computername@server.com",
    $EmailTo = "user@server.com",
    $EmailSubject = "Sync Files Transfer Failure",
    $EmailAttachment = "$logPath\$logName",
    $EmailBody = "Upload to SFTP failed.`r`nLog file attached."
)
 
# Upload
try
{
    # Load WinSCP .NET assembly
    Add-Type -Path "C:\Program Files (x86)\WinSCP\WinSCPnet.dll"
 
    # Setup  session options
    $sessionOptions = New-Object WinSCP.SessionOptions -Property @{
        Protocol = [WinSCP.Protocol]::Sftp
        HostName = "server.com"
        UserName = "username"
        SshPrivateKeyPath = "$PSScriptRoot\key.ppk"
        SshHostKeyPolicy = "AcceptNew"
    }
 
    $session = New-Object WinSCP.Session
 
    try
    {
        # Log Session
        If(!(test-path $logPath))
        {
            New-Item -ItemType Directory -Force -Path $logPath
        }
        $session.SessionLogPath = "$logPath\$logName"
        # Connect
        $session.Open($sessionOptions)
 
        # Deliberately using an underscore instead of a dot,
        # as the dot has specific meaning in operation mask
        $suffix = "_filepart"
 
        $transferOptions = New-Object WinSCP.TransferOptions
        # Particularly with SFTP protocol, prevent additional .filepart suffix
        # from being added to uploaded files larger than 100 KB
        $transferOptions.ResumeSupport.State = [WinSCP.TransferResumeSupportState]::Off
 
        # Upload all .pdf files with temporary "_filepart" suffix
        $transferResult =
            $session.PutFiles(($localPath + "*.pdf"), ($remotePath + "*.*" + $suffix),
                $False, $transferOptions)
 
        # Throw on any error
        $transferResult.Check()
 
        # Rename uploaded files
        foreach ($transfer in $transferResult.Transfers)
        {
            # Remove suffix
            $finalName =
                $transfer.Destination.SubString(
                    0, $transfer.Destination.Length - $suffix.Length)
            # Replace path
            $finalName = $finalName.Replace($remotePath, $finalPath)
            Write-Output "Renaming uploaded file $($transfer.Destination) to $finalName"
            # Rename uploaded file to its final name
            $session.MoveFile($transfer.Destination, $finalName)
 
            # Success or error?
            if ($transfer.Error -eq $Null)
            {
                Write-Output "Upload of $($transfer.FileName) succeeded, moving to archive"
                # Upload succeeded, move source file to archive
                If(!(test-path $archivePath))
                {
                    New-Item -ItemType Directory -Force -Path $archivePath
                }
                Move-Item $transfer.FileName $archivePath
            }
            else
            {
                Write-Output "Upload of $($transfer.FileName) failed: $($transfer.Error.Message)"
            }
        }
    }
    finally
    {
        # Disconnect, clean up
        $session.Dispose()
    }
 
    exit 0
}
catch
{
    Write-Output "Error: $($_.Exception.Message)"
    Send-MailMessage -To $EmailTo -From $EmailFrom -Subject $EmailSubject -SmtpServer $SMTPServer -Body $EmailBody -Attachments $EmailAttachment
    exit 1
}

. 2022-01-12 14:39:50.256 --------------------------------------------------------------------------
. 2022-01-12 14:39:50.256 WinSCP Version 5.19.5 (Build 11933 2021-11-25) (OS 10.0.14393 - Windows Server 2016 Standard)
. 2022-01-12 14:39:50.256 Configuration: nul
. 2022-01-12 14:39:50.256 Log level: Normal
. 2022-01-12 14:39:50.256 Local account: domain\hostname$
. 2022-01-12 14:39:50.256 Working directory: C:\Program Files (x86)\WinSCP
. 2022-01-12 14:39:50.256 Process ID: 2616
. 2022-01-12 14:39:50.271 Ancestor processes: powershell, cmd, svchost, ...
. 2022-01-12 14:39:50.271 Command-line: "C:\Program Files (x86)\WinSCP\winscp.exe" /xmllog="C:\windows\TEMP\wscp2310.01324713.tmp" /xmlgroups /xmllogrequired /nointeractiveinput /stdout /stdin /dotnet=5.19.5  /ini=nul /log="U:\x\Logs\2022\01\WinSCP-SFTP_Upload_20220112.log"  /console /consoleinstance=_8976_30834295_644
. 2022-01-12 14:39:50.271 Time zone: Current: GMT+1, Standard: GMT+1 (Central Europe Standard Time), DST: GMT+2 (Central Europe Daylight Time), DST Start: 3/27/2022, DST End: 10/30/2022
. 2022-01-12 14:39:50.271 Login time: Wednesday, January 12, 2022 2:39:50 PM
. 2022-01-12 14:39:50.271 --------------------------------------------------------------------------
. 2022-01-12 14:39:50.271 Script: Retrospectively logging previous script records:
> 2022-01-12 14:39:50.271 Script: option batch on
< 2022-01-12 14:39:50.271 Script: batch           on        
< 2022-01-12 14:39:50.271 Script: reconnecttime   120       
> 2022-01-12 14:39:50.271 Script: option confirm off
< 2022-01-12 14:39:50.271 Script: confirm         off       
> 2022-01-12 14:39:50.271 Script: option reconnecttime 120
< 2022-01-12 14:39:50.271 Script: reconnecttime   120       
> 2022-01-12 14:39:50.271 Script: open "sftp://username@server.com" -hostkey="acceptnew" -privatekey="U:\x\key.ppk" -timeout=15
. 2022-01-12 14:39:50.271 --------------------------------------------------------------------------
. 2022-01-12 14:39:50.271 Session name: username@server.com (Ad-Hoc site)
. 2022-01-12 14:39:50.271 Host name: server.com (Port: 22)
. 2022-01-12 14:39:50.271 User name: username (Password: No, Key file: Yes, Passphrase: No)
. 2022-01-12 14:39:50.271 Tunnel: No
. 2022-01-12 14:39:50.271 Transfer Protocol: SFTP
. 2022-01-12 14:39:50.271 Ping type: Off, Ping interval: 30 sec; Timeout: 15 sec
. 2022-01-12 14:39:50.271 Disable Nagle: No
. 2022-01-12 14:39:50.271 Proxy: None
. 2022-01-12 14:39:50.271 Send buffer: 262144
. 2022-01-12 14:39:50.271 SSH protocol version: 2; Compression: No
. 2022-01-12 14:39:50.271 Bypass authentication: No
. 2022-01-12 14:39:50.271 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2022-01-12 14:39:50.271 GSSAPI: KEX: No; Forwarding: No; Libs: gssapi32,sspi,custom; Custom: 
. 2022-01-12 14:39:50.271 Ciphers: aes,chacha20,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2022-01-12 14:39:50.271 KEX: ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1
. 2022-01-12 14:39:50.271 SSH Bugs: Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto
. 2022-01-12 14:39:50.271 Simple channel: Yes
. 2022-01-12 14:39:50.271 Return code variable: Autodetect; Lookup user groups: Auto
. 2022-01-12 14:39:50.271 Shell: default
. 2022-01-12 14:39:50.271 EOL: LF, UTF: Auto
. 2022-01-12 14:39:50.271 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes; Follow directory symlinks: No
. 2022-01-12 14:39:50.271 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No; Exit code 1 is error: No
. 2022-01-12 14:39:50.271 SFTP Bugs: Auto,Auto
. 2022-01-12 14:39:50.271 SFTP Server: default
. 2022-01-12 14:39:50.271 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2022-01-12 14:39:50.271 Cache directory changes: Yes, Permanent: Yes
. 2022-01-12 14:39:50.271 Recycle bin: Delete to: No, Overwritten to: No, Bin path: 
. 2022-01-12 14:39:50.271 DST mode: Unix
. 2022-01-12 14:39:50.271 --------------------------------------------------------------------------
< 2022-01-12 14:39:50.271 Script: Searching for host...
. 2022-01-12 14:39:50.271 Looking up host "server.com" for SSH connection
. 2022-01-12 14:39:50.287 Connecting to 100.00.000.000 port 22
< 2022-01-12 14:39:50.287 Script: Connecting to host...
. 2022-01-12 14:39:50.287 We claim version: SSH-2.0-WinSCP_release_5.19.5
. 2022-01-12 14:39:50.303 Remote version: SSH-2.0-OpenSSH_7.4
. 2022-01-12 14:39:50.303 Using SSH protocol version 2
. 2022-01-12 14:39:50.303 Have a known host key of type ssh-ed25519
. 2022-01-12 14:39:50.303 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2022-01-12 14:39:50.365 Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
. 2022-01-12 14:39:50.365 Host key fingerprint is:
. 2022-01-12 14:39:50.365 ssh-ed25519 255 44:bd:d2:13:a0:50:bf:6a:de:a6:62:eb:fa:fd:d4:ad GrGgvYyFwxkNxxHzq/nmUGdNmC1E0qA5wyNWJ0vfP6U=
< 2022-01-12 14:39:50.365 Script: Authenticating...
. 2022-01-12 14:39:50.365 Host key does not match cached key
. 2022-01-12 14:39:50.365 Attempt to close connection due to fatal exception:
* 2022-01-12 14:39:50.365 Host key fingerprint is ssh-ed25519 255 GrGgvYyFwxkNyyHzq/nmUGdNmC1E0qA5wyNWJ0vfP6U=.
* 2022-01-12 14:39:50.365 (Exception) **Expected host key was not configured, use -hostkey switch.**
. 2022-01-12 14:39:50.365 Closing connection.
< 2022-01-12 14:39:50.365 Script: Expected host key was not configured, use -hostkey switch.
< 2022-01-12 14:39:50.365 Host key fingerprint is ssh-ed25519 255 GrGgvYyFwxkNyyHzq/nmUGdNmC1E0qA5wyNWJ0vfP6U=.
< 2022-01-12 14:39:50.365 Authentication failed.
The script seems to work fine when I run it manually.


martin
Site Admin

Re: [PowerShell] Accepting new host fingerprints does not work

The local account you use for the scheduled task has a different host key cached for your server already:
. 2022-01-12 14:39:50.365 Host key does not match cached key
So it does not see the host as "new". You will have to clear the host key cache (after double checking that the new host key is legitimate).


Rudixx
Guest

Originally it did not have any, so it added the hostkey from the first attempt to the registry.
. 2022-01-12 14:18:20.243 Looking up host "..." for SSH connection
. 2022-01-12 14:18:20.258 Connecting to 100.100.100.100 port 22
< 2022-01-12 14:18:20.258 Script: Connecting to host...
. 2022-01-12 14:18:20.258 We claim version: SSH-2.0-WinSCP_release_5.19.5
. 2022-01-12 14:18:20.258 Remote version: SSH-2.0-OpenSSH_7.4
. 2022-01-12 14:18:20.258 Using SSH protocol version 2
. 2022-01-12 14:18:20.274 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2022-01-12 14:18:20.336 Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
. 2022-01-12 14:18:20.336 Host key fingerprint is:
. 2022-01-12 14:18:20.336 ssh-ed25519 255 1f:9c:8f:a9:a9:2e:81:8c:e0:6b:e9:bc:aa:c3:cb:80 amsdILszbrpSKxfTFGJVw+ljlHJpuFmyBT8iEqOdloc=
< 2022-01-12 14:18:20.336 Script: Authenticating...
. 2022-01-12 14:18:20.336 Warning: Stored new host key to HKCU\Software\Martin Prikryl\WinSCP 2\ - This should occur only on the first connection
I was under the impression that SshHostKeyPolicy = "AcceptNew" will accept any new host keys. Is that not the case?


Rudixx

In addition to the above, would that mean that I need to clear the cache before every connection?
In my setup there are multiple servers, so I thought that the AcceptNew policy will just cache them all.


martin
Site Admin

AcceptNew does what OpenSSH StrictHostKeyChecking=accept-new does, i.e. it accepts the first host key of a new host. If the host later returns a different host key, WinSCP considers that a security threat and aborts.

What are you trying to achieve? Do your hosts keep changing keys? Do they have a legitimate reason to do that? It's wrong in general. If you need that and you are sure you know what you are doing, use SshHostKeyPolicy.GiveUpSecurityAndAcceptAny.


Rudixx

I have a virtual hostname with 4 physical servers behind. All 4 servers have different server host keys.

I was advised to use -oUserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no, but obviously those are not valid WinSCP parameters. So perhaps SshHostKeyPolicy.GiveUpSecurityAndAcceptAny is the last option to use, unless you can advise something else?

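An added example, not part of the original thread or of WinSCP's own samples: for a virtual hostname fronting several backends with different host keys, the keys can be pinned explicitly through SessionOptions.SshHostKeyFingerprint, which accepts several alternative fingerprints separated by semicolons, instead of disabling verification with GiveUpSecurityAndAcceptAny. The fingerprint values below are placeholders; the real ones have to be collected from each backend out of band and verified before being pasted in.

```powershell
# Added example: pin the host keys of all backends behind "server.com"
# so that a backend presenting any of the pinned keys is accepted and
# anything else is still rejected. Fingerprints are placeholders that
# must be replaced with out-of-band verified values in the
# "ssh-ed25519 255 <base64 SHA-256>" format WinSCP prints in its log.
Add-Type -Path "C:\Program Files (x86)\WinSCP\WinSCPnet.dll"

$pinnedHostKeys = @(
    "ssh-ed25519 255 <fingerprint-of-backend-1>",
    "ssh-ed25519 255 <fingerprint-of-backend-2>",
    "ssh-ed25519 255 <fingerprint-of-backend-3>",
    "ssh-ed25519 255 <fingerprint-of-backend-4>"
)

# Refuse to run with placeholders left in, so the job cannot silently
# fall back to an unverified configuration.
foreach ($key in $pinnedHostKeys)
{
    if ($key -match "<.*>")
    {
        throw "Pinned host key list still contains a placeholder: $key"
    }
}

$sessionOptions = New-Object WinSCP.SessionOptions -Property @{
    Protocol = [WinSCP.Protocol]::Sftp
    HostName = "server.com"
    UserName = "username"
    SshPrivateKeyPath = "$PSScriptRoot\key.ppk"
    # Several alternative fingerprints, separated by semicolons.
    # This replaces SshHostKeyPolicy, so the per-user cache that caused
    # the mismatch under the SYSTEM account is no longer consulted.
    SshHostKeyFingerprint = ($pinnedHostKeys -join ";")
}

$session = New-Object WinSCP.Session
try
{
    # Open fails with a host key error if the answering backend is not
    # in the pinned list, which is the behaviour you want for a new or
    # rotated key: investigate, verify, then add it to the list.
    $session.Open($sessionOptions)
    Write-Output "Connected; host key matched one of the pinned fingerprints"
}
finally
{
    $session.Dispose()
}
```

When a backend legitimately rotates its key, the job fails closed until the new fingerprint is verified and appended to $pinnedHostKeys, which is the audit trail that GiveUpSecurityAndAcceptAny would remove.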