Configuration issue

Advertisement

JulienPoulain
Joined:
Posts:
6

Configuration issue

Hello,

I have an issue regarding SFTP access. I need to connect to an external SFTP to deliver files to a customer, and the process delivering files needs to migrate from one server to another on my side. Proper requests have been made into my organization to allow the traffic in the firewall for both servers, it has been checked recently and everything looks good. In my side, I don't see any difference in the WinSCP config between both servers.
From both servers, I can connect to the SFTP. But the write operation succeeds only from server A. When connected from server B, I receive an "access denied" message when I try a write operation, but I can connect.
This makes me think about a thing to whitelist on customer's side. A migration already happened in the past, and the project manager certifies that the only required thing at that time was to whitelist IPs on customer's side. Both A and B have the same external IP address (it has been checked), thus the problem is somewhere else.
Last year, I compared the logs produced by WinSCP to see what differs from A and B. You can see below the only relevant differences I spotted. From then to now, I believe some inertia made it to be forgotten by everybody.

Do you have an idea on what could differ between both server that could explain the current situation? Could it be that some Windows registry setting may force WinSCP to not consider using a protocol but another one instead?

Thanks,
Julien

Server A:
. 2023-10-10 19:07:25.030 Have a known host key of type rsa2
. 2023-10-10 19:07:25.045 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2023-10-10 19:07:25.358 Server also has ssh-ed25519/ecdsa-sha2-nistp521 host keys, but we don't know any of them
. 2023-10-10 19:07:25.358 Host key fingerprint is:
. 2023-10-10 19:07:25.358 ssh-rsa 4096 SHA256:blabla
Server B:
. 2023-10-06 20:35:51.926 Have a known host key of type ssh-ed25519
. 2023-10-06 20:35:51.929 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2023-10-06 20:35:52.008 Server also has ecdsa-sha2-nistp521/rsa-sha2-512/rsa-sha2-256/ssh-rsa host keys, but we don't know any of them
. 2023-10-06 20:35:52.008 Host key fingerprint is:
. 2023-10-06 20:35:52.008 ssh-ed25519 255 SHA256:gougou

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,518
Location:
Prague, Czechia

Re: Configuration issue

Different host keys are expected and unlikely to cause the difference in behaviour you are seeing.
On the other hand, neither should firewall have anything to do with it.
It's more likely about file/directory permissions on the servers.

Reply with quote

JulienPoulain

Thanks for the answer. I'm using the same credentials from both servers, and then the same account. So logically access should either work from both or none.
Is it possible that on customer's side they can see some "server ID" that differs between A and B (as they're physically distinct servers) and decide to allow only A but not B?

Reply with quote

martin
Site Admin
martin avatar

It's possible, but it would be rare setup.

Post logs files from both servers showing the same operation with different results.

Reply with quote

JulienPoulain
Joined:
Posts:
6

Hello,

Sorry for the delay of answer. I've had troubles reproducing the described behaviour and seen something I was totally confused about. After discussion with the project manager, I've received an answer that explains everything.
The customer is granting permissions depending on whether filename matches a specific pattern or not. My test was using a different filename to not interfere with the production, making the permission denied.
As for the migration that failed, it was made before I modified the process to not rely on any global config, the "resume support" was activated in the new process making the target file to not match, hence the failure.

So everything explained and now it works fine.

Thanks for your help, and have a nice day

Reply with quote

Advertisement

Advertisement

You can post new topics in this forum