Topic "automation of SFTP script when key has passphrase"

Author Message
jamescollett
Joined: 2010-04-28
Posts: 11
Location: UK
My objective is to call some SFTP scripts from SSIS packages, but so far I am experimenting with just running a script from a DOS command window. My example does a simple "put" from my Windows XP Pro workstation (with WinSCP installed) to another Windows XP workstation with OpenSSH installed.

I am using RSA private/public key encryption.

When I set up the keys, I entered a passphrase, because I understand that this is good practice.

However, when I run the script, the SFTP program prompts for the passphrase to complete the authorisation. I see no way to include the passphrase in a flag in the "open" command. This makes the process non-automated because it requires user interaction.

Additionally, sometimes I find that I must execute the script *twice* in order for the little text file to be copied from my PC to the remote PC. This seems wrong.

I should be grateful for assistance.
jamescollett
Joined: 2010-04-28
Posts: 11
Location: UK
I found the following page in the FAQ collection, entitled, "How can I connect without entering private key passphrase each time?"

https://winscp.net/eng/docs/faq_passphrase

If I understand this FAQ entry correctly, it would appear that what I was trying to do will not work with WinSCP; so the answer is to work without a passphrase or to use a different SSH FTP client.

Is this correct?
martin
Site Admin
Joined: 2002-12-10
Posts: 25034
Location: Prague, Czechia
jamescollett wrote:
If I understand this FAQ entry correctly, it would appear that what I was trying to do will not work with WinSCP; so the answer is to work without a passphrase or to use a different SSH FTP client.

Correct.
_________________
Martin Prikryl
jamescollett
Joined: 2010-04-28
Posts: 11
Location: UK
Okay thanks for that confirmation.
:D
lsager
Joined: 2010-05-11
Posts: 5
Location: Austin, TX
I am also curious about the automatic sending of files. I had a similar experience where I scheduled a task using WinSCP but the process was definitely not automatic because I had to enter my password every time the task ran. Is there a way to send the password? Would using a batch command allow me to send the password? I am not too worried about security in my instance. I read what was posted by the others and I am led to believe it cannot be done with WinSCP. I am trying the public/private key approach but cannot seem to get it to work yet.

Please let me know your thoughts and ideas.

Thank you in advance for your help.
lsager
Joined: 2010-05-11
Posts: 5
Location: Austin, TX
In the article:
How can I connect without entering private key passphrase each time?

I saw the following:

"The best solution is to use authentication agent, so that you enter the passphrase only once.
If you need to avoid entering the passphrase to automate a task (such as with scripting) and using authentication agent is not suitable for you, you can store the key unprotected (without a passphrase). Note that this imposes security risk, if someone gains access to the key."

How do I store the key unprotected?

Thanks for your help.
jamescollett
Joined: 2010-04-28
Posts: 11
Location: UK
prikryl, thank you for clarifying the situation for me. I have got this working quite well now.

lsager asked: "How do I store the key unprotected?"

When you create a private key, you can add extra security into the mix by defining a passphrase (this is not the password of a user). This passphrase must be supplied by the user when you make a connexion to the SSH server (unless you use the authentication agent thing - which I have no experience of).

This means that if you want to build an unattended solution using WinSCP you cannot also have a passphrase built into your private key; if you do, you will have to physically enter it interactively. So I simply accepted the reduced level of security and left the passphrase out of the process of generating the key pair.

I hope this helps.
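
The trade-off discussed above (a key stored without a passphrase can be used by anyone who can read the file) can be audited. The following is an added example, not part of any post in this thread and not WinSCP code: it reads the PuTTY .ppk, OpenSSH and PEM headers to report which private keys are stored unprotected. The file names and key headers are constructed samples with no real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\0"
def key_is_encrypted(text):
    """True/False if the private key is passphrase-protected, None if unknown format."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    first = lines[0] if lines else ""
    if first.startswith("PuTTY-User-Key-File-"):
        # PuTTY .ppk, the format WinSCP uses: cipher is named in "Encryption:".
        for ln in lines[1:]:
            if ln.startswith("Encryption:"):
                return ln.split(":", 1)[1].strip() != "none"
        return None
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New OpenSSH format: magic bytes, then a length-prefixed cipher name.
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except ValueError:
            return None
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True   # PKCS#8, encrypted
    if first == "-----BEGIN PRIVATE KEY-----":
        return False  # PKCS#8, plaintext
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encrypted keys carry "Proc-Type: 4,ENCRYPTED".
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:3])
    return None

def _openssh_header(cipher):
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode() + "\n"
# Constructed samples: headers only, hypothetical file names, no real key material.
SAMPLES = {
    "batch.ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: sample\n",
    "admin.ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\nComment: sample\n",
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n",
    "id_ed25519": _openssh_header(b"none"),
}

def unprotected_keys(samples):
    """Names of keys usable without a passphrase by anyone who can read the file."""
    return sorted(name for name, text in samples.items() if key_is_encrypted(text) is False)
```

Keys reported by `unprotected_keys` are the ones whose file permissions and storage location carry the whole burden of protection.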
lsager
Joined: 2010-05-11
Posts: 5
Location: Austin, TX
Thank you so much for responding so quickly.
I think I did what you suggested in your reply. I left the passphrase out when generating the key.

I think my additional difficulty may be in where to put the public key on the server. My sftp server is windows. I do not have a .ssh directory nor can I create one.

What exactly do I have to do to put the public key out on the sftp server? I thought I just copied and pasted the key into the authenticate_keys file but I am unclear on the process.

Do I have to be running Pageant for this to work?

Please give me as many details as you can. I really appreciate your help.

Thanks.
jamescollett
Joined: 2010-04-28
Posts: 11
Location: UK
My dev & test platform is also a Windows environment. I was unable to get a version of SSH for Windows to instal on Windows Server 2003, which was my preferred method, and I have since found out that there are issues with Windows Server 2003, so I ended up using two Windows XP boxes for my development. One acts as the SSH server and one is the client running SFTP/WinSCP.

You have to instal OpenSSH or some other implementation of SSH for Windows on the machine that is to act as the SSH server.

I also could not create a folder called .ssh but I was able to create a folder called SSH within the home folder of the user I used, i.e. C:\Documents and Settings\UserOne\SSH. Inside the SSH folder I put the public key file, called authorized_keys if I remember correctly. This file contains one or more public keys. You should keep your private key file(s) on your client machines.

You have to do a bunch of setup steps with SSH to include users that can be accessed by your client piece. You end up creating a groups file and a password file. The users that you add must correspond to users on the machine or users on the domain. Setting up SSH is a subject in itself and I did the bare minimum, just to get a test scenario running, since in production the SSH part is not my responsibility.

I do not run pageant in my solution so I cannot comment on its use.
lsager
Joined: 2010-05-11
Posts: 5
Location: Austin, TX
An odd thing occurred today.
I got the automatic transfer to work without using private and public keys.
What was causing my particular problem was the following line of my script.

Open LauraTest@74.201.223.163
---LauraTest is the session I created in WinSCP.
When I took out the @74.201.555.689 from the open statement, it no longer asked me for a password. I have the password saved in my session, LauraTest. I think it may have to do with the host key expecting just LauraTest and not finding a match on LauraTest@74.201.555.689.

Now, when I run my scheduled task, it runs perfectly without any requests for password.

Case closed. Thanks for your help.
nickg

Guest


lsager, when you say you have your password saved in your session LauraTest, do you mean an .ini file? I am trying what you suggested but it is not working for me. When I put the actual password in my .ini file, it appears to connect but says "access denied. authentication failed."
danis
Joined: 2012-02-20
Posts: 8
Hello prikryl,

is it planned to support entering the passphrase for a private key via command line in a future version of WinSCP?

Thank you.
martin
Site Admin
Joined: 2002-12-10
Posts: 25034
Location: Prague, Czechia
danis wrote:
is it planned to support entering the passphrase for a private key via command line in a future version of WinSCP?

As stated in the FAQ below, I do not see a benefit of that. Do you see any?
https://winscp.net/eng/docs/faq_passphrase
_________________
Martin Prikryl
danis
Joined: 2012-02-20
Posts: 8
Hi prikryl,
me personally - no!
But my company said, maybe they want to use passphrases for the Private Keys in future.
And then my script is not useful anymore :(
martin
Site Admin
Joined: 2002-12-10
Posts: 25034
Location: Prague, Czechia
danis wrote:
But my company said, maybe they want to use passphrases for the Private Keys in future.
And then my script is not useful anymore :(

OK, I see :) Will consider it.
_________________
Martin Prikryl
Cabritone

Guest


Yeah,
I need to use passphrases for the Private Keys, and it would be great if WinSCP supported that!!
Meanwhile I have to use a different client :( and change all my scripts!
martin
Site Admin
Joined: 2002-12-10
Posts: 25034
Location: Prague, Czechia
danis wrote:
is it planned to support entering the passphrase for a private key via command line in a future version of WinSCP?

This request has been added to tracker:
https://winscp.net/tracker/show_bug.cgi?id=816
_________________
Martin Prikryl
Ganeshgopu

Guest


Hi Prikryl,

From the post I understand that you're working on a script to include the passphrase (a fully automated script).

Could you please update us on when we will be able to get the latest fully automated script?

Thanks in advance.
Jam3

Guest


prikryl wrote:
danis wrote:
is it planned to support entering the passphrase for a private key via command line in a future version of WinSCP?

As stated in the FAQ below, I do not see a benefit of that. Do you see any?
https://winscp.net/eng/docs/faq_passphrase


I just wanted to point out that the benefit is that you can store the passphrase inside a SSIS variable and msdb configuration table which can be encrypted. This means pageant doesn't have to be up and running the entire time on a server invoking a SSIS package using pscp/winscp and a private key with passphrase. Another option would be to add a switch to pageant for the passphrase; this would be an extra step in a SSIS package, but would also allow for pageant to not always be running (giving anyone with server access key access) and for the passphrase to be stored/protected in a SSIS package.
ItsMeDattu

Guest


There is a way to connect to sftp which has a key and passphrase. We can create a session in WinSCP and we can use the session name to connect to that sftp. Please find the syntax below.

open <session name created in winscp>

It won't ask for the passphrase if you save the passphrase for the same.
martin
Site Admin
Joined: 2002-12-10
Posts: 25034
Location: Prague, Czechia
ItsMeDattu wrote:
There is a way to connect to sftp which has a key and passphrase. We can create a session in WinSCP and we can use the session name to connect to that sftp. Please find the syntax below.

open <session name created in winscp>

It won't ask for the passphrase if you save the passphrase for the same.

You cannot save passphrase into stored session (site). Only password.
_________________
Martin Prikryl
moises

Guest


Hello,

I found a solution and I hope it will be helpful.

In the Process Task that executes WinSCP.com you can send the passphrase with the property "StandardInputVariable".
Fadi

Guest


moises wrote:
Hello,

I found a solution and I hope it will be helpful.

In the Process Task that executes WinSCP.com you can send the passphrase with the property "StandardInputVariable".

Can you please explain this option more? I need to automate with a passphrase for my key and I am running out of options. I really hope this option is added.
Fadi
Speedster

Guest


Hi - I just updated WinSCP from something like 5.1 to 5.5 and can no longer locate where to tell the program to use a passphrase instead of a password. Where can I tell WinSCP to please check a passphrase before logging in? I don't see a field before clicking login, nor in the advanced options. Is this option to use a passphrase for a key really gone?
Thanks!
techmd

Guest


Speedster wrote:
Hi - I just updated WinSCP from something like 5.1 to 5.5 and can no longer locate where to tell the program to use a passphrase instead of a password. Where can I tell WinSCP to please check a passphrase before logging in? I don't see a field before clicking login, nor in the advanced options. Is this option to use a passphrase for a key really gone?
Thanks!

It's a bit convoluted in this version mainly because it seems that WinSCP would prefer people to use Pageant to hold the information. To bypass the password as well as the Pageant defaults, on the login screen click Advanced, then Authentication (under SSH), unclick the Pageant option and also pull up the private key file. Could anyone explain what are the pos/neg of having Pageant remember the private key file instead?
martin
Site Admin
Joined: 2002-12-10
Posts: 25034
Location: Prague, Czechia
Speedster wrote:
Hi - I just updated WinSCP from something like 5.1 to 5.5 and can no longer locate where to tell the program to use a passphrase instead of a password. Where can I tell WinSCP to please check a passphrase before logging in? I don't see a field before clicking login, nor in the advanced options. Is this option to use a passphrase for a key really gone?
Thanks!

You are looking for Private key file box:
https://winscp.net/eng/docs/ui_login_authentication
_________________
Martin Prikryl
martin
Site Admin
Joined: 2002-12-10
Posts: 25034
Location: Prague, Czechia
techmd wrote:
It's a bit convoluted in this version mainly because it seems that WinSCP would prefer people to use Pageant to hold the information.

Why do you think so?

Quote:
To bypass the password as well as the Pageant defaults, on the login screen click Advanced, then Authentication (under SSH), unclick the Pageant option and also pull up the private key file. Could anyone explain what are the pos/neg of having Pageant remember the private key file instead?

See https://winscp.net/eng/docs/ui_pageant#security_considerations
_________________
Martin Prikryl