Script to download files from SSH Server

0

Is it possible to create a script that follows the same commands FileZilla executes when connecting to an SSH server?

When I login manually using FileZilla I get the following message for the following connection types:

The server's host key is unknown. You have no guarantee that the server is the
computer you think it is.


    Host:  securedomain_1.com:22
    Fingerprint: ssh-dss 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

    Host:  securedomain_2.com:22
    Fingerprint: ssh-rsa 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

    Host:  securedomain_3.com:22
    Fingerprint: ssh-rsa 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx


Trust this host and carry on connecting?
[ ] Always trust this host, add this key to the cache.
[OK] [CANCEL]

I click OK and DO NOT add key to cache...

When I login manually, these are the commands FileZilla executes:

    Status: Connecting to my.secure.site.com...
    Response:   fzSftp started
    Command:    open "user@my.secure.site.com" 22
        [asks for key...]
        [I manually click OK]
    Command:    Trust new Hostkey: Once
    Command:    Pass: ********
    Status: Connected to my.secure.site.com
    Status: Retrieving directory listing...
    Command:    cd "/SFTP/DIR"
    Response:   New directory is: "/SFTP/DIR"
    Command:    ls
    Status: Listing directory /SFTP/DIR
    Status: Calculating timezone offset of server...
    Command:    mtime "IN"
    Response:   1412312345
    Status: Timezone offsets: Server: -18000 seconds. Local: -18000 seconds. Difference: 0 seconds.
    Status: Directory listing successful

What exactly is happening when I click OK to "Trust this host and carry on connecting"?

Am I accepting a key from the SSH server?

This would be for a Windows machine. I was thinking of using WinSCP but I would like to understand what is happening when I connect to these servers. I have a few scripts that are meant for FTPS that do not work for these servers.

jes516

Posted 2014-11-07T20:02:38.443

Reputation: 145

http://winscp.net/eng/docs/scripting – Zoredache – 2014-11-07T20:12:38.730

Do I have to account for a key in my script? – jes516 – 2014-11-07T20:16:02.763

Answers

1

When connecting to an SSH server, you need to verify that you trust the server's host key. This is to prevent a man-in-the-middle attack.

In WinSCP scripting, you verify the host key using the -hostkey switch of the open command.

    open sftp://user:password@my.secure.site.com/ -hostkey="ssh-dss 2048 xx..."

References: Where do I get SSH host key fingerprint to authorize the server?

There's a guide on how to convert a Windows FTP script to a WinSCP SFTP script.


Note regarding the commands in the FileZilla log: These commands are proprietary commands of psftp (which FileZilla uses internally to implement the SFTP protocol). They have nothing to do with the SFTP or SSH protocols as such. Obviously they all map internally to some SFTP requests, and you can emulate them all using WinSCP scripting. But the WinSCP commands would be different. Also note that SFTP, contrary to FTP, is a binary protocol, so there are no text commands like in FTP (cd, pwd, etc.).

Martin Prikryl

Posted 2014-11-07T20:02:38.443

Reputation: 13 764

Is the -hostkey="" the entire "fingerprint" information that is displayed in the FileZilla prompt? Also, do you know if I can test "ssh connections" by using OpenSSH, generating a key in Linux and then using WinSCP+script in Windows? I use Linux in VirtualBox for Python scripting so I'm familiar with Linux/FTP, but I would like to do self testing before I start trying to hit the actual production server (not my server). – jes516 – 2014-11-07T20:52:13.203

Yes, it's the entire string. See [Where do I get SSH host key fingerprint for use with scripting?](http://winscp.net/eng/docs/faq_script_hostkey). I assume that by "generating a key" you mean "obtaining host key fingerprint" (in the format needed for WinSCP). – Martin Prikryl – 2014-11-07T20:54:15.823

I'm sorry, yes: generate a key in OpenSSH for me to obtain in a Windows environment using WinSCP. Would this idea have the same effect as the connection in my original post? I can do my testing without generating traffic to the production server. – jes516 – 2014-11-07T20:56:21.693

OpenSSH displays the host key in a similar format to FileZilla/WinSCP, except that it does not use the ssh-dss/ssh-rsa key_size prefix. – Martin Prikryl – 2014-11-07T21:00:20.347
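
For the self-test against an OpenSSH box discussed in the comments above, the full -hostkey string (key type, key size, fingerprint) can be derived from the server's public host key, taken from a .pub file or an ssh-keyscan line obtained over a channel you already trust. This is an added example, not part of the original answer; it assumes the xx:xx pairs are the MD5 digest of the key blob, and the host name testbox.example and the sample key are constructed.

```python
import base64
import hashlib
import struct

def _read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end

def hostkey_fingerprint(pubkey_line):
    """Return 'ssh-rsa 2048 xx:xx:...' for a .pub or ssh-keyscan line."""
    fields = pubkey_line.split()
    # .pub files start with the key type; ssh-keyscan output puts the host first.
    idx = next((i for i, f in enumerate(fields) if f in ("ssh-rsa", "ssh-dss")), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no ssh-rsa/ssh-dss key on this line")
    key_type = fields[idx]
    blob = base64.b64decode(fields[idx + 1], validate=True)
    name, offset = _read_string(blob, 0)
    if name != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    # ssh-rsa blob holds e, n (size = bits of n); ssh-dss holds p, q, g, y (size = bits of p).
    size_int, offset = _read_string(blob, offset)
    if key_type == "ssh-rsa":
        size_int, offset = _read_string(blob, offset)
    bits = int.from_bytes(size_int, "big").bit_length()
    # The fingerprint is the MD5 digest of the whole decoded blob, as colon-separated hex.
    digest = hashlib.md5(blob).hexdigest()
    pairs = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return f"{key_type} {bits} {pairs}"

def _mpint(value):
    """Encode a positive integer as an SSH mpint (used only to build the sample)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

# Constructed sample, not a real host key: e = 65537, n = 2**2047 + 1.
SAMPLE_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint((1 << 2047) | 1)
SAMPLE_LINE = "testbox.example ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    # Prints a WinSCP open command pinned to the sample key (hypothetical host).
    print('open sftp://user@testbox.example/ -hostkey="%s"' % hostkey_fingerprint(SAMPLE_LINE))
```

Pinning the value this way means the script refuses to connect if the server presents a different key, which is the check the FileZilla prompt asks you to do by eye.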