Is there a way to automatic accept host keys while making a SSH connection with WinSCP. I am using winscp.com version 4.2. I understand that -hostkey=* is only available since version 5.2.
My current script just waits for the prompt and does not go forward once the host keys are changes. Is there any way to automate?
The only appropriate solution for you is to upgrade. WinSCP 4.2 is years old and as such it suffers many security flaws.
And obviously, as a side effect, you get the -hostkey=* "feature".
The only way to automatically accept host key in versions prior to 5.2 is to use the -hostkey=<fingerprint>. And that's still the only CORRECT and SECURE solution.
For details, see Where do I get SSH host key fingerprint to authorize the server?
Related
I just created my first VPS host on OVHcloud. When I ssh for the first time I see:
The authenticity of host 'X.X.X.X (X.X.X.X)' can't be established.
ECDSA key fingerprint is SHA256:<the-fingerprint>.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Is there a way to verify this fingerprint? I know that people most of the time ignore the possibility of a MITM here and skip the check. But most of the time the first connection happens within an internal network, which isn't the case here.
Alternatively I'd be happy to upload an ssh public key to the server using the web manager. But I haven't found a way to do that.
The answer is yes.
I just discovered you can connect to the KVM directly from the OVH manager, thus connecting through tty1.
Go to your OVH manager, and in your VPS page, there should be a part that says "Name". There is then an option in the dropdown menu, "KVM" which let's you locally connect to your VPS through a QEMU instance.
You can get your fingerprints after logging in in this manner.
The answer is no for both questions:
When OVH spawn your VPS, they don't check/gather the auto generated ECDSA key (the ones in /etc/ssh/ssh_hosts_ecdsa*). So for the first connection, there is no way to verify this fingerprint.
For the SSH key upload through the OVH Manager, this is sadly not possible neither. You have to upload it by yourself with ssh-copy-id root#vpsXXX.
Note that it's possible on OVH's Public Cloud Instances, but not for VPS
I am getting error while trying to do ssh gcloud instance.
I have removed old ssh key and regenerated new ssh key and tried to connect but still the problem remains as it is.
Please share your suggestions.
Check whether the port 22 is open in the firewall for that specific instance. You can follow this document to manage your firewall rules. You can try connecting via serial console instead. The issue you are facing could arise due to many different reasons. It is worth trying different troubleshooting steps for SSH connectivity.
If you created new SSH key properly then check if you added the key to your instance or project-wide metadata. This article is a good read.
I'm working on a project that requires me to run my code on a remote Unix server, that is not available to connect to directly (you first have to log in to the "gate" node and then to this server).
What's really bad is that they disabled key authentication, so each time I need to ssh into it, I have to type in my password twice. It's really annoying and I wonder what's the best way to transfer my local modifications of source files to this server, compile and run them without having to provide those passwords so many times.
I have no sudo access to any of those servers (neither to this "gate", nor to this target server). Any ideas on how to make the whole process more efficient?
EDIT: Martin Prikryl provided a great answer below, but it's suitable for Windows and I'm on a Mac :) I guess it might be a good thing to have it documented here also for *NIX systems.
You are looking for SSH tunneling.
WinSCP SFTP client supports one-hop SSH tunneling natively.
See the Tunnel page on WinSCP Advanced Site Settings dialog.
I assume that after you transfer the file, you need to open SSH terminal to compile the file.
You may be able to make use of WinSCP Console window for that step.
Alternatively, if you need/want to use a real SSH terminal client, make use of an existing SSH tunnel, created by WinSCP, and connect with PuTTY (or any other SSH client) over it.
In the Local tunnel port of WinSCP Tunnel page, select a fixed port number (instead of the default Autoselect). In PuTTY enter "localhost" to Host Name and the selected port in Port.
(I'm the author of WinSCP)
I am trying to connect to Unix server from WinSCP commandline for the first time.
It closes with the the following error:
The server's host key was not found in the cache. You have no guarantee that the
server is the computer you think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 1024 42:9e:c7:f4:7f:8b:50:10:6a:06:04:b1:d4:f2:04:6d
If you trust this host, press Yes. To connect without adding host key to the cac
he, press No. To abandon the connection press Cancel.
In the WinSCP commandline, it does not ask for any input (Yes or No). It closes with Authentication failed. If I connect through the WinSCP tool, I'll get the same error. However, I'll be able to press YES.
I also know that If I add -hostkey switch in the command line, I'll be able to connect. But, I don't want pass hostkey in my batch script as I will be connecting to various servers. So, my requirement is to pass "YES" input from the commandline in case of this error. Can someone help?
A host key fingerprint verification is a crucial step in securing your SSH connection. Even if you are using a set of sessions with your script, it does not excuse you. The fingerprint should be part of a set of information you have for each of the sessions (in addition to a hostname, an username and a password).
Skipping the fingerprint verification means that you lose any security and there's no point using an SSH/SFTP anymore.
Anyway, if you do not care about a security, you can use the -hostkey=* switch to unconditionally accept any host key.
Further references:
Where do I get SSH host key fingerprint to authorize the server?
Verifying the host key
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
Is there any way to execute a ssh connection with out use interactive password autentification and non public keys, I need too run a command in the remote server all this with out manual intervention, I know that i can use a script but I donĀ“t have any example. The application will be running in different machines so it's a bit hard creating a key public for every machine.
Everything is possible with the right configurations, but there are some security points to consider.
You certainly don't want everyone on the net to be able to execute any command on your server. So simply allowing everything is not a good idea.
Everyone who has your application on a computer in her control can do everything what your application can do ... and maybe more, if the application has limits only build in itself, not the server side.
You can distribute a private key with your application (and pass to SSH on connection), but of course then anyone having the application can extract this key. (If the application can access it, so can do any attacker who has control over it.)
You could also distribute a password with your application and somehow pass it to ssh, but still, in principle anyone who has the application can get the password.
If there is always the same command to be executed (maybe with different inputs), you can force this specific command at the server-side - for example, for a specific public key in the authorized_keys file. Or you could create a SSH subsystem and only allow this by server configuration.
On the server side, you can put additional limits by IP address or host name, but this is not really secure (IP adresses can be faked, for example). If the computers on which the application is to be run have already existing SSH installations, they should have host keys, and maybe you can do host authentication. But this is still only really useful if these hosts are under your control, more or less.
For security issues, a password (if you don't use a certificate) will always asked to you interactively, unless you configure server in an advanced way.
You can use a certificate, by inserting password one time.
Take a look at this
On debian, a tool exists for this and it's called sshpass (a noninteractive ssh password provider)
It comes with lots of warnings and caveats though! Be sure you assess the risks properly before continuing down this path...