Converting WinSCP script to C# code using WinSCP .NET assembly - winscp

I've been downloading files from an external server using WinSCP for over a year by firing out external scripts from my C# code on a daily task run automatically.
I recently upgraded to version 5.5.6 (from V4.3.5.1463) so that I could make use of the .NET library for this and for a new SFTP task I have for a different server. The SFTP task on the new server works really well using the .NET library. I'm very pleased with it, but the old script code now fails.
I've tried adding .NET code just to log in and get a list of files and that fails too. However, if I run the winscp UI directly, I can see the files on the server and download them. I used the same details in my code as I did in the UI, including the key. The code is obviously connecting to the server and the key is confirmed, but then fails to authenticate! Can anyone help?
Notes: I have copied the winscp.exe into the same folder as the .NET library. My account doesn't need a password.
I have also created a log file, which follows...
Note, for security, in this log, I've changed my username, the connection IP address and the key.
. 2015-01-19 14:24:00.757 --------------------------------------------------------------------------
. 2015-01-19 14:24:00.757 WinSCP Version 5.5.6 (Build 4746) (OS 6.1.7601 Service Pack 1 - Windows Server 2008 R2 Standard)
. 2015-01-19 14:24:00.757 Configuration: nul
. 2015-01-19 14:24:00.757 Local account: SERVER\admin
. 2015-01-19 14:24:00.757 Working directory: C:\Users\admin\Desktop\Debug\Debug
. 2015-01-19 14:24:00.757 Process ID: 4444
. 2015-01-19 14:24:00.757 Command-line: "C:\Users\admin\Desktop\Debug\Debug\winscp.exe" /xmllog="C:\Users\admin\AppData\Local\Temp\2\wscp0B6C.01408C35.tmp" /xmlgroups /nointeractiveinput /dotnet=556 /ini=nul /log="C:\mylet\website\Temp\WinScpLog.txt" /console /consoleinstance=_2924_54848996_804
. 2015-01-19 14:24:00.757 Time zone: Current: GMT+0, Standard: GMT+0 (GMT Standard Time), DST: GMT+1 (GMT Daylight Time), DST Start: 29/03/2015, DST End: 25/10/2015
. 2015-01-19 14:24:00.757 Login time: 19 January 2015 14:24:00
. 2015-01-19 14:24:00.757 --------------------------------------------------------------------------
. 2015-01-19 14:24:00.757 Script: Retrospectively logging previous script records:
> 2015-01-19 14:24:00.757 Script: option batch on
< 2015-01-19 14:24:00.757 Script: batch on
> 2015-01-19 14:24:00.757 Script: option confirm off
< 2015-01-19 14:24:00.757 Script: confirm off
> 2015-01-19 14:24:00.757 Script: open -hostkey="ssh-dss 1024 aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa" -timeout=15 "sftp://User@1.1.1.1:22"
. 2015-01-19 14:24:00.757 --------------------------------------------------------------------------
. 2015-01-19 14:24:00.757 Session name: user@1.1.1.1 (Ad-Hoc site)
. 2015-01-19 14:24:00.757 Host name: 1.1.1.1 (Port: 22)
. 2015-01-19 14:24:00.757 User name: user (Password: No, Key file: No)
. 2015-01-19 14:24:00.757 Tunnel: No
. 2015-01-19 14:24:00.757 Transfer Protocol: SFTP
. 2015-01-19 14:24:00.757 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2015-01-19 14:24:00.757 Proxy: none
. 2015-01-19 14:24:00.757 Send buffer: 262144
. 2015-01-19 14:24:00.757 SSH protocol version: 2; Compression: No
. 2015-01-19 14:24:00.757 Bypass authentication: No
. 2015-01-19 14:24:00.757 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: No
. 2015-01-19 14:24:00.757 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2015-01-19 14:24:00.757 SSH Bugs: A,A,A,A,A,A,A,A,A,A
. 2015-01-19 14:24:00.757 Simple channel: Yes
. 2015-01-19 14:24:00.757 Return code variable: Autodetect; Lookup user groups: A
. 2015-01-19 14:24:00.757 Shell: default
. 2015-01-19 14:24:00.757 EOL: 0, UTF: 2
. 2015-01-19 14:24:00.757 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2015-01-19 14:24:00.757 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2015-01-19 14:24:00.757 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2015-01-19 14:24:00.757 Cache directory changes: Yes, Permanent: Yes
. 2015-01-19 14:24:00.757 DST mode: 1; Timezone offset: 0h 0m
. 2015-01-19 14:24:00.757 --------------------------------------------------------------------------
. 2015-01-19 14:24:00.757 Looking up host "1.1.1.1"
. 2015-01-19 14:24:00.757 Connecting to 1.1.1.1 port 22
. 2015-01-19 14:24:00.804 Server version: SSH-2.0-0.0
. 2015-01-19 14:24:00.804 Using SSH protocol version 2
. 2015-01-19 14:24:00.804 We claim version: SSH-2.0-WinSCP_release_5.5.6
. 2015-01-19 14:24:00.819 Doing Diffie-Hellman group exchange
. 2015-01-19 14:24:01.053 Doing Diffie-Hellman key exchange with hash SHA-1
. 2015-01-19 14:24:01.365 Verifying host key dss 0x91486c77af8989ad 094f4a206efd983a ceeaae78321795b5 db1bf3a553007097 e1c8a86c09b41f62
d93ca9af3dc8b5bd c10b6effc00da737 460fd7cea6c9491c 805ed7e13fbd423f 6ec239a74e66c8ff 16a199166f7076d8 f4e2874eeaf66f6c 6ba4d53436e4fed4
68f44d7062052513 51f4eefc6e64c9f9 42e1fd1dc4c693f1 ,0x952e1dd3f13c9c9c e5d3fe2c7c96c137 173db4c9,0x88fc0112369215b4 0f4c670c3801f5e7
08cbe3a8110c33f4 d6e6bf4880e8baa0 b1f0064f3808ebbc 286727e38bd4737f 32a67cb19b2851cc 58a87fd7166fdd0d 2524be55588b40a2 f78bba20c6db1049
5b36125b0a1a9c94 31ce3c64a23cd028 94624932d350bb4c 056649e7ba10a807 f82037d5a4993340 3f511e923d1e031,0x2499ade72a6348f8 0919ccb5e56c68fd
297191be353b28b7 4a7b5d55d461486d 8b86d0696617a74a a4055e1cf15baa2e 54afbb40223a6f7e 4500d7649bf51410 39a84eb81023d550 4bbd7cea6d4eb8f7
8244bd3e8fa48387 90390b3cf3dd60a7 c45a6ddd967a8165 cf01da8309042e84 62eb7d511dd00348 ce127fdbc371d3c5 with fingerprint ssh-dss 1024
92:ee:83:c2:30:33:de:f4:51:f2:c9:3f:ae:cd:91:9c
. 2015-01-19 14:24:01.365 Host key matches configured key
. 2015-01-19 14:24:01.365 Host key fingerprint is:
. 2015-01-19 14:24:01.365 ssh-dss 1024 aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
. 2015-01-19 14:24:01.365 Initialised AES-256 SDCTR client->server encryption
. 2015-01-19 14:24:01.365 Initialised HMAC-SHA1 client->server MAC algorithm
. 2015-01-19 14:24:01.365 Initialised AES-256 SDCTR server->client encryption
. 2015-01-19 14:24:01.365 Initialised HMAC-SHA1 server->client MAC algorithm
! 2015-01-19 14:24:01.553 Using username "user".
. 2015-01-19 14:24:01.584 Prompt (7, SSH password, , &Password: )
. 2015-01-19 14:24:01.584 Disconnected: Unable to authenticate
Here's my C# code:
using WinSCP;

SessionOptions sessionOptions = new SessionOptions
{
    Protocol = Protocol.Sftp,
    HostName = "1.1.1.1",
    PortNumber = 22,
    UserName = "user",
    SshHostKeyFingerprint = "ssh-dss 1024 aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa"
};

using (Session session = new Session())
{
    session.Open(sessionOptions); // the failure happens on this line
}

Many thanks to Martin for reminding me that I had originally set up the calls to this server using a private key that I'd stored in a file and must have set the WinSCP UI to look at it (I'd forgotten).
I found the file on disk and added the link to it in the SessionOptions:
SessionOptions sessionOptions = new SessionOptions
{
    ...
    SshPrivateKeyPath = @"C:\Files\myPrivateKey.ppk"
};
My dotnet code now works, so I'm going to drop my script and use the neater dotnet code, as I intended to do with this update.

It's difficult to tell what the difference to 4.3.5 is, as you didn't share a log from that version, nor your original script.
Anyway, if I understand your post correctly, you are using public key authentication in the WinSCP GUI. But there's no key specified in your .NET code, which is likely the reason why the authentication fails (there's no private key nor password specified, hence no way to authenticate).
Make sure you set a path to your private key file using SessionOptions.SshPrivateKeyPath.
Regarding the "key is confirmed": that's the server's public key. Make sure you understand the difference between the server's key pair, used to verify the server's identity, and your key pair, used for authentication.
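As an added example (not the original poster's code nor WinSCP's own), here is the same login done from PowerShell with the WinSCP .NET assembly, showing both halves of the answer: the pinned server host key fingerprint (server identity) and the client private key file (user authentication). The assembly path, host, user, key path, fingerprint and download paths are placeholders.

```powershell
# Added example: key-based SFTP login with the WinSCP .NET assembly from PowerShell.
# Assumed placeholders: assembly path, host, user, private key path, fingerprint, paths.
Add-Type -Path "C:\Program Files (x86)\WinSCP\WinSCPnet.dll"   # assumed install location

$sessionOptions = New-Object WinSCP.SessionOptions -Property @{
    Protocol   = [WinSCP.Protocol]::Sftp
    HostName   = "1.1.1.1"        # placeholder, as in the question
    PortNumber = 22
    UserName   = "user"
    # Client side: the key pair that authenticates the *user*. Without this (and
    # without Password) WinSCP reaches the server's password prompt with nothing
    # to send, which is what the "Unable to authenticate" line in the log shows.
    SshPrivateKeyPath = "C:\Files\myPrivateKey.ppk"        # placeholder path
    # Server side: the key pair that identifies the *server*. Pinning it makes
    # Open() fail on a mismatch rather than trusting whatever answers on port 22.
    SshHostKeyFingerprint = "ssh-dss 1024 aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa"   # placeholder
}

$session = New-Object WinSCP.Session
# Keep a session log; it records which authentication methods were offered and tried.
$session.SessionLogPath = "C:\Temp\WinScpLog.txt"   # placeholder path

try {
    $session.Open($sessionOptions)

    # List a remote directory and print the plain files (RemoteFileInfo objects).
    $directory = $session.ListDirectory("/home/user")   # placeholder directory
    foreach ($fileInfo in $directory.Files) {
        if (-not $fileInfo.IsDirectory) {
            "{0,-40} {1,12} {2}" -f $fileInfo.Name, $fileInfo.Length, $fileInfo.LastWriteTime
        }
    }

    # Download matching files and throw if any single transfer failed.
    $session.GetFiles("/home/user/data/*.csv", "C:\Downloads\").Check()   # placeholder paths
}
catch {
    # A rejected key or a host key mismatch surfaces here as a SessionRemoteException.
    Write-Error ("WinSCP error: {0}" -f $_.Exception.Message)
}
finally {
    $session.Dispose()
}
```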

Related

Cannot connect from one AMI ec2 instance to another

I can connect from my Windows PC using PuTTY to my AMI EC2 Linux instances but I cannot ssh from one instance to another. I get the following error message (I have just copied the last part of it):
debug1: Found key in /home/ec2-user/.ssh/known_hosts:3
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ec2-user/.ssh/id_rsa
debug1: Trying private key: /home/ec2-user/.ssh/id_dsa
debug1: Trying private key: /home/ec2-user/.ssh/id_ecdsa
debug1: Trying private key: /home/ec2-user/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
The security group for all servers has SSH open to source 0.0.0.0.
I have tried creating new ssh keys (ssh-keygen -t rsa) and copying and pasting the content of the .pub file into the /.ssh/authorized_keys file on the other server. But it still does not work.
I have tried copying the contents of both files to /.ssh on the other server, keeping the same file names, and running chmod 600 again on both files. But it still does not work.
I cannot believe it, I have been stuck on this issue for 2 days.
On closer inspection, the ID_RSA file I created on the server I wanted to connect to, into which I had copied and pasted the public key from the other server, did not have all of the key pasted. The copy and paste missed off the first few characters of the key.
Once I put those in, the ssh connection worked!
It might be that you're creating a key with a non-standard name.
This is how I do it in this case:
server #1:
$ ls -la ~/
...
drwx------ 2 ec2-user ec2-user 4096 Mar 16 00:27 .ssh
...
$ ls -l ~/.ssh
total 12
-rw------- 1 ec2-user ec2-user 731 Mar 3 16:05 authorized_keys
-rw-r--r-- 1 ec2-user ec2-user 2220 Mar 17 11:39 known_hosts
-rw------- 1 ec2-user ec2-user 3326 Mar 4 00:48 roman.pem
server #2:
$ ls -la ~/
...
drwx------ 2 ec2-user ec2-user 4096 Mar 17 12:10 .ssh
...
$ ls -l ~/.ssh
total 4
-rw------- 1 ec2-user ec2-user 731 Mar 17 12:10 authorized_keys
authorized_keys has only one record and it is identical to the one from server #1.
This is the command I use to connect from server #1 to server #2:
$ ssh -v <server#2-ip> -i ~/.ssh/roman.pem
As you can see, I use -i to specify the full path to the key.
Update:
Also, a custom key could be added to ssh-agent on server #1 (ssh-add ~/.ssh/roman.pem) in order to skip the -i switch.

Running bash script on Linux server using WinSCP .NET assembly from PowerShell script

I am currently implementing a PowerShell script to utilize the WinSCP .NET assembly in order to access a set of Linux servers, execute a bash script on each server, and copy files. I have successfully implemented the connection and copy functionality for my script (verified by pulling files from each machine); however, I am unable to execute the bash script correctly.
I have looked into both ExecuteCommand and call commands, but receive a similar error message for all of the variations that I have attempted.
Error:
WinSCP.SessionRemoteException: Connection has been unexpectedly closed. Server sent command exit status 255.
Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended).
Would someone be able to provide an explanation as to why the script connects and copies correctly, but is unable to execute the bash script remotely?
try   # opening try of the posted excerpt; the catch for it is at the bottom
{
    # $idAssetArray, $credential, $remotePath, $fileName and $localPath are set earlier in the script
    Foreach ($asset in $idAssetArray)
    {
        # Setup session options
        $sessionOptions = New-Object WinSCP.SessionOptions -Property @{
            Protocol = [WinSCP.Protocol]::Sftp
            HostName = $asset[1]
            UserName = $credential.UserName
            Password = $credential.GetNetworkCredential().Password
            SshHostKeyFingerprint = $asset[2]
        }
        #
        $HostDescription = $asset[0]
        $session = New-Object WinSCP.Session
        try
        {
            # Connect
            $session.Open($sessionOptions)
            # Format timestamp
            $stamp = $(Get-Date -f "MMddyyyy")
            # Create timestamp directory if DNE
            $newDirectory = $stamp
            md -Force $newDirectory
            # ATTEMPT SCRIPT EXECUTION HERE
            # Execute CVA Collection Script on asset
            #$runCommand = "./EncariCVA_RedHatLinux_CollectData.sh"
            #$session.ExecuteCommand($runCommand)
            #$session.call ../tmp/cva/EncariCVA_RedHatLinux_CollectData.sh
            $session.ExecuteCommand("call ./EncariCVA_RedHatLinux_CollectData.sh")
            # Download the file and throw on any error
            $session.GetFiles(
                ($remotePath + $fileName),
                ($localPath + $stamp + "\" + $HostDescription + "." + $stamp + "." + $fileName)).Check()
        }
        finally
        {
            # Disconnect, clean up
            $session.Dispose()
        }
    }
    exit 0
}
catch [Exception]
{
    Write-Host ("Error: {0}" -f $_.Exception.Message)
    exit 1
}
Log Output:
. 2016-08-09 11:43:24.885 --------------------------------------------------------------------------
. 2016-08-09 11:43:24.885 WinSCP Version 5.9 (Build 6786) (OS 6.1.7601 Service Pack 1 - Windows 7 Enterprise)
. 2016-08-09 11:43:24.885 Configuration: nul
. 2016-08-09 11:43:24.885 Log level: Normal
. 2016-08-09 11:43:24.885 Local account:
. 2016-08-09 11:43:24.885 Working directory: C:\Scripts\CVACollection
. 2016-08-09 11:43:24.885 Process ID: 7860
. 2016-08-09 11:43:24.885 Command-line: "" /xmllog="" /xmlgroups /nointeractiveinput /dotnet=590 /ini=nul /log="c:\Scripts\CVACollection\Log.txt" /console /consoleinstance=
. 2016-08-09 11:43:24.886 Time zone: Current: GMT-5, Standard: GMT-6 (Central Standard Time), DST: GMT-5 (Central Daylight Time), DST Start: 3/13/2016, DST End: 11/6/2016
. 2016-08-09 11:43:24.886 Login time: Tuesday, August 09, 2016 11:43:24 AM
. 2016-08-09 11:43:24.886 --------------------------------------------------------------------------
. 2016-08-09 11:43:24.886 Script: Retrospectively logging previous script records:
> 2016-08-09 11:43:24.886 Script: option batch on
< 2016-08-09 11:43:24.886 Script: batch on
< 2016-08-09 11:43:24.886 Script: reconnecttime 120
> 2016-08-09 11:43:24.886 Script: option confirm off
< 2016-08-09 11:43:24.886 Script: confirm off
> 2016-08-09 11:43:24.886 Script: option reconnecttime 120
< 2016-08-09 11:43:24.886 Script: reconnecttime 120
> 2016-08-09 11:43:24.886 Script: open sftp://X:***@ -hostkey="" -timeout=15
. 2016-08-09 11:43:24.886 --------------------------------------------------------------------------
. 2016-08-09 11:43:24.886 Session name: (Ad-Hoc site)
. 2016-08-09 11:43:24.886 Host name: (Port: 22)
. 2016-08-09 11:43:24.886 User name: X (Password: Yes, Key file: No)
. 2016-08-09 11:43:24.886 Tunnel: No
. 2016-08-09 11:43:24.886 Transfer Protocol: SFTP
. 2016-08-09 11:43:24.886 Ping type: Off, Ping interval: 30 sec; Timeout: 15 sec
. 2016-08-09 11:43:24.886 Disable Nagle: No
. 2016-08-09 11:43:24.886 Proxy: None
. 2016-08-09 11:43:24.886 Send buffer: 262144
. 2016-08-09 11:43:24.886 SSH protocol version: 2; Compression: No
. 2016-08-09 11:43:24.886 Bypass authentication: No
. 2016-08-09 11:43:24.886 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: No
. 2016-08-09 11:43:24.886 Ciphers: aes,chacha20,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2016-08-09 11:43:24.886 KEX: ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1
. 2016-08-09 11:43:24.886 SSH Bugs: Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto
. 2016-08-09 11:43:24.886 Simple channel: Yes
. 2016-08-09 11:43:24.886 Return code variable: Autodetect; Lookup user groups: Auto
. 2016-08-09 11:43:24.886 Shell: default
. 2016-08-09 11:43:24.886 EOL: LF, UTF: Auto
. 2016-08-09 11:43:24.886 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes; Follow directory symlinks: No
. 2016-08-09 11:43:24.886 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2016-08-09 11:43:24.886 SFTP Bugs: Auto,Auto
. 2016-08-09 11:43:24.886 SFTP Server: default
. 2016-08-09 11:43:24.886 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2016-08-09 11:43:24.886 Cache directory changes: Yes, Permanent: Yes
. 2016-08-09 11:43:24.886 Recycle bin: Delete to: No, Overwritten to: No, Bin path:
. 2016-08-09 11:43:24.886 DST mode: Unix
. 2016-08-09 11:43:24.886 --------------------------------------------------------------------------
. 2016-08-09 11:43:24.886 Looking up host "X" for SSH connection
. 2016-08-09 11:43:24.886 Connecting to X port 22
. 2016-08-09 11:43:24.924 We claim version: SSH-2.0-WinSCP_release_5.9
. 2016-08-09 11:43:24.944 Server version: SSH-2.0-OpenSSH_5.3
. 2016-08-09 11:43:24.944 We believe remote version has SSH-2 channel request bug
. 2016-08-09 11:43:24.944 Using SSH protocol version 2
. 2016-08-09 11:43:24.945 Have a known host key of type rsa2
. 2016-08-09 11:43:24.965 Doing Diffie-Hellman group exchange
. 2016-08-09 11:43:24.984 Doing Diffie-Hellman key exchange with hash SHA-256
. 2016-08-09 11:43:25.540 Server also has ssh-dss host key, but we don't know it
. 2016-08-09 11:43:25.540 Host key fingerprint is:
. 2016-08-09 11:43:25.540 ssh-rsa 2048 X
. 2016-08-09 11:43:25.540 Verifying host key rsa2 X
. 2016-08-09 11:43:25.541 Host key matches configured key
. 2016-08-09 11:43:25.542 Initialised AES-256 SDCTR client->server encryption
. 2016-08-09 11:43:25.542 Initialised HMAC-SHA-256 client->server MAC algorithm
. 2016-08-09 11:43:25.542 Initialised AES-256 SDCTR server->client encryption
. 2016-08-09 11:43:25.542 Initialised HMAC-SHA-256 server->client MAC algorithm
! 2016-08-09 11:43:25.616 Using username "X".
. 2016-08-09 11:43:25.635 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2016-08-09 11:43:25.635 Using stored password.
. 2016-08-09 11:43:25.636 Sent password
. 2016-08-09 11:43:25.654 Access granted
. 2016-08-09 11:43:25.654 Opening session as main channel
. 2016-08-09 11:43:25.675 Opened main channel
. 2016-08-09 11:43:25.751 Started a shell/command
. 2016-08-09 11:43:25.752 --------------------------------------------------------------------------
. 2016-08-09 11:43:25.752 Using SFTP protocol.
. 2016-08-09 11:43:25.752 Doing startup conversation with host.
> 2016-08-09 11:43:25.752 Type: SSH_FXP_INIT, Size: 5, Number: -1
< 2016-08-09 11:43:25.772 Type: SSH_FXP_VERSION, Size: 95, Number: -1
. 2016-08-09 11:43:25.772 SFTP version 3 negotiated.
. 2016-08-09 11:43:25.772 Unknown server extension posix-rename@openssh.com="1"
. 2016-08-09 11:43:25.772 Supports statvfs@openssh.com extension version "2"
. 2016-08-09 11:43:25.772 Unknown server extension fstatvfs@openssh.com="2"
. 2016-08-09 11:43:25.772 We believe the server has signed timestamps bug
. 2016-08-09 11:43:25.772 We will use UTF-8 strings until server sends an invalid UTF-8 string as with SFTP version 3 and older UTF-8 strings are not mandatory
. 2016-08-09 11:43:25.772 Limiting packet size to OpenSSH sftp-server limit of 262148 bytes
. 2016-08-09 11:43:25.772 Getting current directory name.
. 2016-08-09 11:43:25.773 Getting real path for '.'
> 2016-08-09 11:43:25.773 Type: SSH_FXP_REALPATH, Size: 10, Number: 16
< 2016-08-09 11:43:25.792 Type: SSH_FXP_NAME, Size: 43, Number: 16
. 2016-08-09 11:43:25.792 Real path is '/home/X'
. 2016-08-09 11:43:25.792 Startup conversation with host finished.
< 2016-08-09 11:43:25.792 Script: Active session: [1] X@X
> 2016-08-09 11:43:26.465 Script: pwd
< 2016-08-09 11:43:26.465 Script: /home/X
> 2016-08-09 11:43:26.545 Script: call bash /tmp/cva/EncariCVA_RedHatLinux_CollectData.sh
< 2016-08-09 11:43:26.546 Script: Searching for host...
. 2016-08-09 11:43:26.547 [Shell] Looking up host "X" for SSH connection
. 2016-08-09 11:43:26.547 [Shell] Connecting to X port 22
. 2016-08-09 11:43:26.572 [Shell] We claim version: SSH-2.0-WinSCP_release_5.9
< 2016-08-09 11:43:26.573 Script: Connecting to host...
. 2016-08-09 11:43:26.595 [Shell] Server version: SSH-2.0-OpenSSH_5.3
. 2016-08-09 11:43:26.595 [Shell] We believe remote version has SSH-2 channel request bug
. 2016-08-09 11:43:26.595 [Shell] Using SSH protocol version 2
. 2016-08-09 11:43:26.595 [Shell] Have a known host key of type rsa2
. 2016-08-09 11:43:26.618 [Shell] Doing Diffie-Hellman group exchange
. 2016-08-09 11:43:26.637 [Shell] Doing Diffie-Hellman key exchange with hash SHA-256
. 2016-08-09 11:43:27.222 [Shell] Server also has ssh-dss host key, but we don't know it
. 2016-08-09 11:43:27.222 [Shell] Host key fingerprint is:
. 2016-08-09 11:43:27.222 [Shell] ssh-rsa 2048 X
. 2016-08-09 11:43:27.222 [Shell] Verifying host key rsa2 X with fingerprint ssh-rsa 2048 X
< 2016-08-09 11:43:27.222 Script: Authenticating...
. 2016-08-09 11:43:27.222 [Shell] Host key matches configured key
. 2016-08-09 11:43:27.222 [Shell] Initialised AES-256 SDCTR client->server encryption
. 2016-08-09 11:43:27.222 [Shell] Initialised HMAC-SHA-256 client->server MAC algorithm
. 2016-08-09 11:43:27.222 [Shell] Initialised AES-256 SDCTR server->client encryption
. 2016-08-09 11:43:27.223 [Shell] Initialised HMAC-SHA-256 server->client MAC algorithm
! 2016-08-09 11:43:27.317 [Shell] Using username "X".
< 2016-08-09 11:43:27.317 Script: Using username "X".
. 2016-08-09 11:43:27.345 [Shell] Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2016-08-09 11:43:27.346 [Shell] Using stored password.
< 2016-08-09 11:43:27.346 Script: Authenticating with pre-entered password.
. 2016-08-09 11:43:27.347 [Shell] Sent password
. 2016-08-09 11:43:27.366 [Shell] Access granted
. 2016-08-09 11:43:27.366 [Shell] Opening session as main channel
. 2016-08-09 11:43:27.388 [Shell] Opened main channel
. 2016-08-09 11:43:27.481 [Shell] Started a shell/command
< 2016-08-09 11:43:27.481 Script: Authenticated.
. 2016-08-09 11:43:27.481 [Shell] --------------------------------------------------------------------------
. 2016-08-09 11:43:27.481 [Shell] Using SCP protocol.
. 2016-08-09 11:43:27.481 [Shell] Doing startup conversation with host.
< 2016-08-09 11:43:27.481 Script: Starting the session...
. 2016-08-09 11:43:27.482 [Shell] Skipping host startup message (if any).
> 2016-08-09 11:43:27.482 [Shell] echo "WinSCP: this is end-of-file:0"
! 2016-08-09 11:43:27.661 [Shell] Can't call method "readline" on an undefined value at /usr/local/share/perl5/Term/Shell.pm line 107.
. 2016-08-09 11:43:27.664 [Shell] Server sent command exit status 255
. 2016-08-09 11:43:27.666 Closing connection.
. 2016-08-09 11:43:27.666 Sending special code: 12
. 2016-08-09 11:43:27.667 Sent EOF message
. 2016-08-09 11:43:27.667 [Shell] Disconnected: All channels closed
< 2016-08-09 11:43:27.669 Script: Connection has been unexpectedly closed. Server sent command exit status 255.
< 2016-08-09 11:43:27.669 Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended).
. 2016-08-09 11:43:27.670 Script: Failed
> 2016-08-09 11:43:28.213 Script: exit
. 2016-08-09 11:43:28.213 Script: Exit code: 1
. 2016-08-09 11:43:29.249 --------------------------------------------------------------------------
You should call the script with bash:
$session.ExecuteCommand("bash /path/to/EncariCVA_RedHatLinux_CollectData.sh")
This will ensure that:
You'll be, effectively, using bash to call your bash script (e.g., if the shebang is missing).
Even if there are permission issues (executable bit unset), the script will still be executed.
The argument to the Session.ExecuteCommand method is the command to execute on the server.
While call is a local WinSCP scripting command to execute a command on the server.
ExecuteCommand(command) calls the call command internally. So you are effectively calling call call command.
Just remove the call from the ExecuteCommand.
$session.ExecuteCommand("./EncariCVA_RedHatLinux_CollectData.sh")
Though if you need to "type" a password when starting the script, you would have to feed the password from redirected input, like:
$session.ExecuteCommand("echo password| bash ./EncariCVA_RedHatLinux_CollectData.sh")
But seeing the "Can't call method "readline" on an undefined value", it actually looks like the script that reads the password has some problems, possibly due to the non-interactive nature of the WinSCP shell session. But that's just a wild guess. We cannot help you there without knowing more details about the script.
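An added example (not the poster's script and not WinSCP's own code) of what the answers above amount to in practice: the call wrapper is gone, the script is started through bash, and the command's exit status is checked before any file is downloaded. The assembly path, host name, fingerprint, $credential and file paths are assumptions.

```powershell
# Added example: run a remote script through Session.ExecuteCommand and check its
# exit status. Assumed placeholders: assembly path, host, fingerprint, credential, paths.
Add-Type -Path "C:\Program Files (x86)\WinSCP\WinSCPnet.dll"   # assumed install location

function Invoke-RemoteScript {
    param(
        [Parameter(Mandatory)] $Session,                    # an open WinSCP.Session
        [Parameter(Mandatory)] [string] $ScriptPath         # absolute path on the Linux host
    )
    # ExecuteCommand already wraps the string in WinSCP's own "call", so the
    # argument is just the remote command. Starting the script via bash works
    # even if it has no shebang or no executable bit.
    $result = $Session.ExecuteCommand("bash $ScriptPath")

    # Check() throws if WinSCP recorded a failure (e.g. the shell channel died).
    $result.Check()

    # A non-zero exit status is the script's own failure; surface it instead of
    # silently downloading whatever the script left behind.
    if ($result.ExitCode -ne 0) {
        throw ("Remote script exited with status {0}: {1}" -f $result.ExitCode, $result.ErrorOutput)
    }
    return $result.Output
}

$credential = Get-Credential        # placeholder; the poster obtains this elsewhere
$sessionOptions = New-Object WinSCP.SessionOptions -Property @{
    Protocol = [WinSCP.Protocol]::Sftp
    HostName = "linux-host.example"                        # placeholder
    UserName = $credential.UserName
    Password = $credential.GetNetworkCredential().Password
    SshHostKeyFingerprint = "ssh-rsa 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx"   # placeholder; pin the real one
}

$session = New-Object WinSCP.Session
try {
    $session.Open($sessionOptions)

    # ExecuteCommand opens a second, shell-based channel (the "[Shell]" lines in
    # the log above). The account's login shell must therefore be bash-compatible;
    # the Perl "Term::Shell" error in the log is that channel failing, not SFTP.
    $output = Invoke-RemoteScript -Session $session -ScriptPath "/tmp/cva/EncariCVA_RedHatLinux_CollectData.sh"
    Write-Host $output

    # Only now fetch the result file, throwing on any transfer error.
    $session.GetFiles("/tmp/cva/result.txt", "C:\Scripts\CVACollection\").Check()   # placeholder paths
}
finally {
    $session.Dispose()
}
```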

SFTP - overriden permissions (filemask, owner/group)

I am running an OpenSSH sftp-server (Linux, Raspbian) and FileZilla is used as the client. The problem I experienced was that the user could delete any file on the server regardless of the filemask or the owner/group:
User that logs in:
cat /etc/passwd | grep sftp
sftp-guest:x:1001:1004:::/sbin/nologin
Group:
cat /etc/group | grep sftp-only
sftp-only:x:1004:
This is my /etc/ssh/sshd_config file (Port masked):
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port ***33
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#X11Forwarding yes
#X11DisplayOffset 10
#PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
Banner /sftp/welcome_message
# Allow client to pass locale environment variables
#AcceptEnv LANG LC_*
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes
Subsystem sftp internal-sftp
Match group *,!sftp-only,!pi
ForceCommand internal-sftp
ChrootDirectory /sftp/empty
Match group sftp-only
ChrootDirectory /sftp/%u
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
As you can see in the sshd_config the user sftp-guest is chrooted into /sftp/sftp-guest.
Here you can see the permissions of the files/folders:
ll /sftp | grep sftp-guest
drwxr-xr-x 3 root root 4096 Dec 20 02:26 sftp-guest
ll /sftp/sftp-guest/
drwxrwxr-x 9 sftp-guest pi 4096 Apr 18 22:18 maturaprojekt
ll /sftp/sftp-guest/data/
---------- 1 sftp-guest sftp-only 205 Apr 18 22:06 readme
---------- 1 root root 205 Apr 18 22:18 readme2
The problem is that both files (readme, readme2) can be deleted with FileZilla or via sftp (command line). Further, renaming them or changing their permissions is also possible.
EDIT -->
When trying to view or download these files the transfer fails!
Filezilla-Log:
Command: get "readme" "/tmp/fz3temp-1/readme"
Error: /data/readme: open for read: permission denied
Error: File transfer failed
Command: get "readme" "/home/michael/data/readme"
Error: /data/readme: open for read: permission denied
Error: File transfer failed
<-- EDIT
My question now is: how can this behavior be prevented?
The right to delete a file is on the parent folder: if the folder is writable, you can delete a file inside it. Try chmod -w /sftp/sftp-guest/data/ to prevent sftp-guest from deleting the readme files (you can also make them readable to fix your last edit).

Through shell, adding an user with a slash path ("/") as directory : ssh/sftp impossible, even after re-creation of it with a named directory

First, what I'm trying to do is to jail (chroot) the user in a specific directory for sftp access. I found a great tutorial that did the job, you can find it here: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/. You should read it first (it's very short) to understand the rest.
With the example in the link, I have no problem creating the sftpusers group and the guestuser user and locking it to the /sftp/guestuser/incoming directory. Here is how it's done:
groupadd sftpusers
useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
passwd guestuser
chown guestuser:sftpusers /sftp/guestuser/incoming
service ssh restart
What I've tried to do after that is to lock another user (let's call it "test") from the same group in /sftp/test. So I've created the user like this:
useradd -g sftpusers -d / -s /sbin/nologin test
You see, instead of /incoming as the directory, I've just put "/", then I've changed the rights on /sftp/test and restarted ssh. But the connection fails and gives me this error: Write failed: Broken pipe
I thought it was due to the wrong path "/", so I decided to delete the user and re-create it with an /incoming directory:
userdel test
useradd -g sftpusers -d /incoming -s /sbin/nologin test
passwd test
chown test:sftpusers /sftp/test/incoming
service ssh restart
But even after that, the test user seems to be compromised forever, because I get the same error when I try to connect through sftp: Write failed: Broken pipe Couldn't read packet: Connection reset by peer
EDIT:
Here is the log file for sshd:
Jan 24 12:46:20 ns sshd[13786]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Jan 24 12:46:23 ns sshd[13786]: Accepted password for test from xxx.xxx.xxx.xxx port 37838 ssh2
Jan 24 12:46:23 ns sshd[13786]: pam_unix(sshd:session): session opened for user test by (uid=0)
Jan 24 12:46:24 ns sshd[13949]: fatal: bad ownership or modes for chroot directory "/sftp/test"
Jan 24 12:46:24 ns sshd[13786]: pam_unix(sshd:session): session closed for user test
Jan 24 12:48:17 ns sshd[14103]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Jan 24 12:48:19 ns sshd[14103]: Invalid user brad from xxx.xxx.xxx.xxx
Jan 24 12:48:19 ns sshd[14103]: input_userauth_request: invalid user brad [preauth]
Jan 24 12:48:19 ns sshd[14103]: pam_unix(sshd:auth): check pass; user unknown
Jan 24 12:48:19 ns sshd[14103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
Jan 24 12:48:22 ns sshd[14103]: Failed password for invalid user brad from xxx.xxx.xxx.xxx port 42756 ssh2
Jan 24 12:48:22 ns sshd[14103]: Received disconnect from xxx.xxx.xxx.xxx: 11: Bye Bye [preauth]
Check the debug log for sshd. You'll likely find it complaining about the home directory for user test not being secure.
sshd is very strict about access to the user's credentials in $HOME/.ssh and will disconnect when it cannot access the directory, or when it detects permissions that would allow any other account to access it.
sshd[13949]: fatal: bad ownership or modes for chroot directory "/sftp/test"
Make sure that the owner of the directory is the only account that can modify any file in $HOME and below. Pay attention specifically to the group settings.

Change local linux password when joined to Active Directory

I have a linux box:
Linux vuappserver 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686 GNU/Linux
I use Samba + winbind to join an Active Directory.
But right now I am trying to add a local user:
useradd test
but when I try to change the password I receive this error:
root@server:/home/vu# passwd test
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged
I checked the permissions of these files:
-rw-r--r-- 1 0 0 1350 Apr 5 23:17 /etc/passwd
-rw-r----- 1 0 42 941 Apr 5 23:17 /etc/shadow
Any ideas?
Thanks
By default pam_krb5.so sets "minimum_uid" to 1000 in /etc/pam.d/common-*
e.g.:
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
My user had uid=1001 and, according to the default setup, Kerberos took control (bad thing). On the other hand, the mapping for my AD users was in a higher range (/etc/samba/smb.conf):
idmap config * : range = 10000-40000
So, I adjusted "minimum_uid" in /etc/pam.d/common-* to 10000, and now I'm happy :-)
If you're in a Windows domain, your authentication configuration (most probably /etc/pam.d/common-auth and /etc/pam.d/passwd) specifies that to change a password, it must be synchronized with the domain (via Kerberos/LDAP).
You can instruct the passwd command to change a local account by specifying which account repository/authentication realm you would like to change:
passwd -r files account_name
Check the man page for passwd on the -r option.