I am trying to connect up to a WinSCP server using the WinSCP .NET assembly. The problem I am having is that it bombs checking the host key fingerprint. I have created an RSA key. My code is as follows:
var server = new WinSCP.SessionOptions();
server.UserName = "ftp_user";
server.Password = "******";
server.HostName = "192.x.x.x";
server.Protocol = WinSCP.Protocol.Sftp;
server.SshHostKeyFingerprint =
"9f:39:52:d5:08:0c:1d:a8:02:c9:7e:44:49:7f:44:fb";
var session = new WinSCP.Session();
session.Open(server);
At the SshHostKeyFingerprint property assignment I get the following error:
SSH host key fingerprint "9f:39:52:d5:08:0c:1d:a8:02:c9:7e:44:49:7f:44:fb" does not match pattern /(ssh-rsa |ssh-dss )?\d+ ([0-9a-f]{2}:){15}[0-9a-f]{2}(;(ssh-rsa |ssh-dss )?\d+ ([0-9a-f]{2}:){15}[0-9a-f]{2})*/
If I am reading this right it is checking for 15 2 character sets, and I am assigning a 16 set value. I got this value from the server.
UPDATE:
What I was missing was the fingerprint type (ssh-dss or ssh-rsa) and its size (1024, 2048 etc.). Therefore, the answer is as follows:
server.SshHostKeyFingerprint =
"ssh-rsa 1024 9f:39:52:d5:08:0c:1d:a8:02:c9:7e:44:49:7f:44:fb";
If I am reading the regular expression correctly it does not give you any idea that you need the fingerprint size after the fingerprint type.
I hope this helps someone else. Thanks everyone for your insight and input.
If you already have verified the host key for your GUI session, go to a Server and Protocol Information Dialog and see a Server Host key Fingerprint box. You can have WinSCP generate the script or code for you, including the -hostkey switch or SessionOptions.SshHostKeyFingerprint property.
The quickest way to obtain it would be to login to your SSH/SFTP server from a locally installed client application, i.e. installed on the same machine as your server. That way, you can be absolutely sure you're safe from man-in-the-middle attacks. Copy that fingerprint and save it where you can easily access it.
The host key is a public key of your SSH server. It has nothing to do with the key pair you generate for authentication to the server. What goes to the -hostkey switch is a fingerprint of the server's public key – Just follow the switch documentation. You use it to verify the server identity to avoid MITM attacks.
Generating Keys
To generate a key pair, use the PuTTYgen application. You can start PuTTYgen directly from Authentication page of Advanced Site Settings dialog. If you start PuTTYgen this way, WinSCP will automatically pick up the generated key.
You are missing the ssh-rsa prefix (it's optional only seemingly) and a key size.
You can get the fingerprint in the correct format on Server and Protocol Information Dialog:
Though the easiest way is to use the WinSCP GUI function to generate a code template with the correct value.
For details see Where do I get SSH host key fingerprint to authorize the server?
Note that it's actually looking for 16 pairs (15 pairs followed by a colon and one trailing pair).
Upcoming WinSCP 5.16 will allow using only the checksum as you did. Though it is not recommended to omit the key type prefix anyway. Without the prefix, WinSCP may agree with the server on another (better) host key type than the one for which you have the checksum. And the verification will then obviously fail.
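An added example, not part of the original posts or of WinSCP's own code: it checks a candidate string against the pattern quoted in the error message and builds the "ssh-rsa <size> <fingerprint>" form from the server's RSA public key line. It assumes that line was copied from a trusted source (for example the server's own host key .pub file); the class and method names are hypothetical, and anchoring the pattern to the whole string is an assumption.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
// Added illustration; class and method names are hypothetical, not part of the WinSCP assembly.
static class HostKeyFingerprint
{
    // Pattern quoted in the error message, anchored here (assumption) so the whole string must match.
    const string One = @"(ssh-rsa |ssh-dss )?\d+ ([0-9a-f]{2}:){15}[0-9a-f]{2}";
    static readonly Regex Pattern = new Regex("^" + One + "(;" + One + ")*$");
    public static bool IsValid(string s) => Pattern.IsMatch(s);
    // SSH wire format field: 4-byte big-endian length, then that many bytes.
    static byte[] ReadField(byte[] blob, ref int pos)
    {
        if (blob.Length - pos < 4) throw new FormatException("truncated key blob");
        uint len = (uint)(blob[pos] << 24 | blob[pos + 1] << 16 | blob[pos + 2] << 8 | blob[pos + 3]);
        if (len > blob.Length - pos - 4) throw new FormatException("truncated key blob");
        byte[] field = blob.Skip(pos + 4).Take((int)len).ToArray();
        pos += 4 + (int)len;
        return field;
    }
    static byte[] Field(byte[] d) => new byte[] { 0, 0, (byte)(d.Length >> 8), (byte)d.Length }.Concat(d).ToArray();
    // "ssh-rsa AAAA... comment" -> "ssh-rsa <modulus bits> <MD5 of the key blob as colon-separated hex>"
    public static string FromPublicKeyLine(string line)
    {
        string[] parts = line.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length < 2 || parts[0] != "ssh-rsa") throw new FormatException("expected an ssh-rsa key line");
        byte[] blob = Convert.FromBase64String(parts[1]);
        int pos = 0;
        if (Encoding.ASCII.GetString(ReadField(blob, ref pos)) != "ssh-rsa") throw new FormatException("key type mismatch");
        ReadField(blob, ref pos);                                              // public exponent e (not needed)
        byte[] n = ReadField(blob, ref pos).SkipWhile(b => b == 0).ToArray();  // modulus without leading zero bytes
        if (n.Length == 0) throw new FormatException("empty modulus");
        int bits = (n.Length - 1) * 8 + Convert.ToString(n[0], 2).Length;     // key size in bits
        using (MD5 md5 = MD5.Create())
            return "ssh-rsa " + bits + " " + string.Join(":", md5.ComputeHash(blob).Select(b => b.ToString("x2")));
    }
    static void Main()
    {
        // Constructed sample key, not a real server's: e = 65537, n = 2^1023 + 1 (with the mpint sign byte).
        byte[] n = new byte[129]; n[1] = 0x80; n[128] = 1;
        byte[] blob = Field(Encoding.ASCII.GetBytes("ssh-rsa")).Concat(Field(new byte[] { 1, 0, 1 })).Concat(Field(n)).ToArray();
        string fp = FromPublicKeyLine("ssh-rsa " + Convert.ToBase64String(blob) + " constructed");
        Console.WriteLine(fp + " -> " + IsValid(fp));
        Console.WriteLine(IsValid("9f:39:52:d5:08:0c:1d:a8:02:c9:7e:44:49:7f:44:fb"));              // value from the question
        Console.WriteLine(IsValid("ssh-rsa 1024 9f:39:52:d5:08:0c:1d:a8:02:c9:7e:44:49:7f:44:fb")); // value from the UPDATE
    }
}
```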