(Complete Novice) SshHostKeyFingerprint error


ritjesman (Posts: 3, Location: BE)

I'm using WinSCP from within a C# WinForms app being developed in Visual Studio 2022 in Win10.
The app is for TLS/SSL cert auto renewal; FTP sessions will occur every 60–90 days and the sessions will only be open for 5–10 minutes (depending on host response times).
I can connect with the following (verified with a directory read):
SessionOptions so = new SessionOptions();
so.HostName = "server220.web-hosting.com";
so.UserName = "id";
so.Password = "pw";
so.PortNumber = 21;
so.Protocol = Protocol.Ftp;
using (Session sess = new Session())
{
    // do work
}
Even though vulnerability to malicious attack is limited in this situation, I would prefer a secure session. Lacking a host fingerprint, I obtained it via sess.ScanFingerprint(so, "SHA-256") which returned:
16:c0:dd:71:d3:9a:18:be:3f:7a:ed:68:69:c5:71:d6:ba:03:dc:15:82:58:0b:dd:5d:27:3a:58:c1:03:b8:e5
I then ran:
SessionOptions so = new SessionOptions();
so.HostName = "server220.web-hosting.com";
so.UserName = "id";
so.Password = "pw";
so.PortNumber = 21;
so.Protocol = Protocol.Sftp;
so.FtpSecure = FtpSecure.Explicit;
so.SshHostKeyFingerprint = "ssh-rsa 2048 16:c0:dd:71:d3:9a:18:be:3f:7a:ed:68:69:c5:71:d6:ba:03:dc:15:82:58:0b:dd:5d:27:3a:58:c1:03:b8:e5";
using (Session sess = new Session())
{
    // do work
}
which throws this error:
FTP conncct error:: System.ArgumentException: SSH host key fingerprint "ssh-rsa 2048 16:c0:dd:71:d3:9a:18:be:3f:7a:ed:68:69:c5:71:d6:ba:03:dc:15:82:58:0b:dd:5d:27:3a:58:c1:03:b8:e5" 
does not match pattern 
/((ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))( |-))?(\d+ )?(([0-9a-fA-F]{2}(:|-)){15}[0-9a-fA-F]{2}|[0-9a-zA-Z+/\-_]{43}=?)(;((ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))( |-))?(\d+ )?(([0-9a-fA-F]{2}(:|-)){15}[0-9a-fA-F]{2}|[0-9a-zA-Z+/\-_]{43}=?))*/
   at WinSCP.SessionOptions.SetSshHostKeyFingerprint(String s)
   at WinSCP.SessionOptions.set_SshHostKeyFingerprint(String value)
   at App_UI.Context..ctor(String[] tsArgs) in E:\TLS_SSL Cert Renewal\App_UI\Context.cs:line 58
I've obviously misunderstood something ... any help will be appreciated.
Art H.

martin, Site Admin (Posts: 41,518, Location: Prague, Czechia)

Re: (Complete Novice) SshHostKeyFingerprint error

You are mixing FTP TLS certificate fingerprints with SSH/SFTP host key fingerprints. As I do not really understand what you are trying to achieve, I cannot really advise further. Why are you trying to connect with SFTP, if you seem to need to use FTP?

ritjesman (Posts: 3, Location: BE)

Thank you for the response.

I'm creating a WinForms app to automate Let's Encrypt TLS/SSL Cert issuance/renewal. A step is to upload Challenge response files to appropriate folders on my hosted domains, which verifies my ownership of the domains. I can do this using FTP, but based on what I've read on this site, using the unsecured FTP protocol is not advised. Further, the hosting provider (namecheap) prefers SFTP, advises against the use of unsecured FTP and disallows FTP on all of their hosting packages except the "basement" package to which I'm currently subscribing. And finally, I've presumed that "more secure" = "better".

As a result I'm trying to understand how to use SFTP but when I change the SessionOptions.Protocol from Ftp to Sftp it throws the
FTP connect error:: System.ArgumentException: SessionOptions.Protocol is Protocol.Sftp or Protocol.Scp, but SessionOptions.SshHostKeyFingerprint is not set.
error which led to SshHostKeyFingerprint research (obviously unsuccessfully). It was my understanding that
string fp = session.ScanFingerprint(SessionOptionsInstance, "SHA-256")
would return the needed fingerprint.

Do I really need SFTP to avoid malicious attacks? If so, how do I find the necessary fingerprint?

martin, Site Admin (Posts: 41,518, Location: Prague, Czechia)

For SFTP protocol, the Session.ScanFingerprint cannot return "16:c0:...b8:e5". It should return a string starting with the key type (like "ssh-rsa").

If you got "16:c0:...b8:e5", then it looks like you did call Session.ScanFingerprint with SessionOptions for FTP (actually for secure FTPS) and got TLS certificate fingerprint. You have then manually added unrelated SSH hostkey type prefix "ssh-rsa" and you try to use it for SFTP session. That indeed cannot work.

You have to call Session.ScanFingerprint for the same protocol as for the Session.Open.

Also note that you are using secure FTP, not unencrypted FTP. While most would still consider SFTP better, secure FTP is still ok to use.
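As an added illustration of the point above (example code written for this thread, not the poster's code or WinSCP's own samples; host name, credentials and the remote path are placeholders), the fingerprint is scanned with exactly the SessionOptions later passed to Session.Open, verified once against what the provider publishes, and then pinned in configuration instead of being rescanned on every run:

```csharp
using System;
using WinSCP;

// Added example, not from the thread or the WinSCP project.
static class PinnedTransfer
{
    // Placeholder host and credentials; substitute your own values.
    static SessionOptions BaseOptions(Protocol protocol, int port) => new SessionOptions
    {
        Protocol = protocol,
        HostName = "host.example.invalid",
        PortNumber = port,
        UserName = "id",
        Password = "pw",
    };

    // One-time scan (trust on first use): run it once, compare the value with the
    // fingerprint your hosting provider publishes, then store it in configuration.
    // Rescanning on every run would accept whatever key is presented that day.
    public static string ScanSftpHostKey()
    {
        using var session = new Session();
        // SFTP options: the result starts with the key type, e.g. "ssh-rsa 2048 SHA256:...".
        return session.ScanFingerprint(BaseOptions(Protocol.Sftp, 22), "SHA-256");
    }

    public static string ScanFtpsCertificate()
    {
        var so = BaseOptions(Protocol.Ftp, 21);
        so.FtpSecure = FtpSecure.Explicit;
        using var session = new Session();
        // FTPS options: the result is the TLS certificate hash as colon-separated hex,
        // which belongs in TlsHostCertificateFingerprint, never in SshHostKeyFingerprint.
        return session.ScanFingerprint(so, "SHA-256");
    }

    // Upload an ACME challenge file over SFTP using the pinned SSH host key fingerprint.
    // "hostRoot" is a placeholder for the document root of the hosted domain.
    public static void UploadChallenge(string pinnedSshFingerprint, string localFile)
    {
        var so = BaseOptions(Protocol.Sftp, 22);
        so.SshHostKeyFingerprint = pinnedSshFingerprint; // the setter validates the SSH format
        using var session = new Session();
        session.Open(so); // fails if the server's key does not match the pinned value
        session.PutFiles(localFile, "/hostRoot/.well-known/acme-challenge/").Check();
    }
}
```

For an FTPS session, the same pattern applies with FtpSecure.Explicit and the value from ScanFtpsCertificate assigned to SessionOptions.TlsHostCertificateFingerprint before Session.Open.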

ritjesman (Posts: 3, Location: BE)

Apologies for the very delayed response; I had monitored for about a week before concluding you’re probably a “one man show”. Anyway, I did find the needed fingerprint using the WinSCP client and have successfully tested SFTP.
A small bit of feedback on the client: I’m unable to figure out how to get all of the “.folder” folders to display. This is a show stopper for me since Let’s Encrypt requires creation of folders specifically named “hostRoot/.well-known/acme-challenge/” on the host. End result is I’m still relying on FileZilla.
I’m curious about FTP being acceptable. My host (Namecheap) states in their documentation that SFTP is preferred and standard FTP is actually turned off for their business accounts?
Thanx for your time and the useful apps (the client and WinSCP for .NET).
