
Previously I was gaining access and transferring files (SSIS execute process task) with a .txt file configured as:

option batch on
option confirm off
open sftp://Username:password@hostsite.com:22  -hostkey="ssh-rsa 2222 00:00:00:00:00:0c:00:ee:e0:00:0d:0e:b0:0a:00:00"
option transfer binary
Put -nopermissions -resumesupport=Off   -nopreservetime E:\path.txt /Inbound/path/

Now I'm told to use a new SFTP structure – site name: hostname.com and IP address 100.00.000.000.

I'm provided a list of ciphers and key exchanges for example: ECDHE-RSA-AES000-GCM-SHA000 (Key Exchange=ECDH; Auth=RSA) (I've changed some characters for security reasons)

How do I change the .txt file to use this new way?

Martin Prikryl
Kim Avery
  • Are you sure the new site is supposed to use SFTP and not FTPS? Huge difference. – u1686_grawity Apr 14 '20 at 17:34
  • This was in the notes: In the interest of using only the most secure ciphers available, the new SFTP server will exclusively support the following cipher suites: – Kim Avery Apr 14 '20 at 17:38
  • Sounds like whoever wrote the notes got a few things mixed up... the problem is that 'cipher suites' are a TLS thing (FTPS uses the same TLS that powers HTTPS) and they just outright don't apply to SFTP (which is SSH-based). And in any case, there are _no_ security reasons to censor their names. – u1686_grawity Apr 14 '20 at 17:43
  • Thank you for this. And yes after Googling I see that ciphers don't need to masked for security purposes. I've reached out to folks in my org to get this resolved. – Kim Avery Apr 14 '20 at 18:22

2 Answers


As already commented by @Kim, ECDHE-RSA-AES***-GCM-SHA*** is a TLS/SSL cipher suite. TLS/SSL is used by FTP(S), while SFTP uses SSH.

Your script file looks like a WinSCP script.

WinSCP supports both SFTP and FTP(S).

Just change your open command to use ftpes:// instead of sftp://. Additionally, the port number will differ, but let's assume that your FTP(S) server uses the standard port. Also -hostkey is not relevant for FTPS.

open ftpes://username:password@example.com/

The rest of the script might stay the same, though it's possible that the remote path (/Inbound/path/) needs an update too.

Note that, unlike SFTP, FTP is supported natively by SSIS. So you might use the native SSIS FTP task as well. But that's a larger change than the simple WinSCP script update.

Martin Prikryl
  • Thank you Martin. Tried open ftpes:// and I get the message "ftpes does not exist". Once the remote server's IP address was whitelisted and I updated WinSCP, I was able to log onto the remote server via WinSCP's UI. But still not able to automate with a script – Kim Avery Apr 28 '20 at 15:20
  • When I leave it as Open sftp I get the message: Disconnected: Server protocol violation: unexpected SSH2_MSG_UNIMPLEMENTED packet – Kim Avery Apr 28 '20 at 15:21
  • What version of WinSCP are you using? – Martin Prikryl Apr 28 '20 at 15:21
  • OK, I changed it to ftps and it seemed to connect, then got a different message: Negotiating TLS Connection Connection failed Disconnected – Kim Avery Apr 28 '20 at 15:24
  • getting version now – Kim Avery Apr 28 '20 at 15:25
  • Version 5.5.5 I believe. Updated to latest version this morning – Kim Avery Apr 28 '20 at 15:27
  • Now says can't establish TLS connection – Kim Avery Apr 28 '20 at 15:29
  • Exact error message please + Ideally a full session log file. + Session log file from UI for comparison would help too. – Martin Prikryl Apr 28 '20 at 15:44
  • So I'm looking where I can upload a .txt file of the error log. When I put in box...too many characters – Kim Avery Apr 28 '20 at 15:57
  • *****WARNING********** . 2020-04-23 15:21:48.851 Keyboard-interactive authentication failed ! 2020-04-23 15:21:48.851 Access denied . 2020-04-23 15:21:48.859 Server offered these authentication methods: password,keyboard-interactive . 2020-04-23 15:21:48.859 Attempting keyboard-interactive authentication . 2020-04-23 15:21:48.883 Prompt (keyboard interactive, "SSH server authentication", , "Enter password: ") . 2020-04-23 15:21:55.735 Attempt to close connection due to fatal exception: . 2020-04-23 15:21:55.735 Closing connection. * 2020-04-23 15:21:55.771 (ESshFatal) – Kim Avery Apr 28 '20 at 16:08
  • So even though the password is in the script, I got this message. Also, using the UI I enter the password, but it asks me again, then it connects – Kim Avery Apr 28 '20 at 16:10
  • You can upload the log to https://pastebin.com/ and post a link here - The log snippet you have posted is for SFTP, not FTP(ES). – Martin Prikryl Apr 28 '20 at 16:20
  • FTPS Script and Error Log has been Pasted – Kim Avery Apr 28 '20 at 16:55
  • Pasted where? Where is the link? – Martin Prikryl Apr 28 '20 at 20:17
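The check that would have settled the thread above before anyone edited the script: find out whether the new host actually speaks SSH (SFTP) or FTP with TLS (FTPS), treat the "cipher suite" list as the TLS artifact it is, and only then build the matching WinSCP open line with the right pin (-hostkey for SSH, -certificate for TLS). This is an added example in Python, not code from the question, the answer or WinSCP; the banners, host names, credentials and fingerprints in it are constructed, the two functions that open sockets need access to the real server, and whether your WinSCP version wants the -certificate fingerprint as SHA-256 or SHA-1 is an assumption here (the colon-separated SHA-256 form is used; Session > Generate URL/Code in the GUI shows the exact form your version expects).

```python
"""Is the new host SFTP (SSH) or FTPS (TLS)?  Added example, not from the thread;
all banners, names and fingerprints used at the bottom are constructed."""
import hashlib
import re
import socket
import ssl
from ftplib import FTP_TLS
from urllib.parse import quote


def classify_banner(first_bytes: bytes) -> str:
    """Classify a server by the first bytes it sends after the TCP connect.

    An SSH server (which is what an "SFTP server" is) greets with an
    identification string such as "SSH-2.0-OpenSSH_8.2".  An FTP server, plain
    or explicit FTPS, greets with a numeric reply such as "220 ...".  A server
    that sends nothing is waiting for the client to start TLS first, which is
    how implicit FTPS (conventionally port 990) behaves.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if re.match(rb"^[1-5]\d\d[ -]", first_bytes):
        return "ftp"
    if first_bytes == b"":
        return "silent"
    return "unknown"


def read_banner(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Connect and return whatever the server sends first (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(256)
        except socket.timeout:
            return b""


# OpenSSL-style TLS suite names look like [KEX-][AUTH-]CIPHER[-MAC].
# SSH algorithm names ("ecdh-sha2-nistp256", "aes256-ctr") never match this.
_TLS_SUITE = re.compile(
    r"^(?:(?P<kex>ECDHE|DHE|ECDH|DH)-)?"
    r"(?:(?P<auth>RSA|ECDSA|DSS)-)?"
    r"(?P<cipher>[A-Z0-9]+(?:-[A-Z0-9]+)*?)"
    r"(?:-(?P<mac>SHA\d*|MD5))?$"
)


def parse_tls_suite(name: str):
    """Split a TLS suite name into its parts; None if it is not a TLS suite name."""
    m = _TLS_SUITE.match(name)
    if not m:
        return None
    return {
        "kex": m.group("kex") or "RSA",   # OpenSSL omits RSA key transport
        "auth": m.group("auth") or "RSA",
        "cipher": m.group("cipher"),
        "mac": m.group("mac") or "AEAD",  # GCM/ChaCha20 names carry no MAC
    }


def colon_hex(digest: bytes) -> str:
    """Render a digest the way WinSCP prints fingerprints, e.g. "ba:78:16:..."."""
    return ":".join(f"{b:02x}" for b in digest)


def ftps_certificate_fingerprint(host: str, port: int = 21, implicit: bool = False,
                                 algo: str = "sha256") -> str:
    """Fetch the server's TLS certificate and return its fingerprint (needs network).

    Verification is switched off on purpose: this first contact only reads the
    certificate so that later script runs can pin it with -certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if implicit:  # TLS from the first byte: ftps:// in WinSCP terms
        with socket.create_connection((host, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    else:         # "220" greeting, then AUTH TLS: ftpes:// in WinSCP terms
        ftp = FTP_TLS(context=ctx)
        ftp.connect(host, port, timeout=5)
        ftp.auth()
        der = ftp.sock.getpeercert(binary_form=True)
        ftp.close()
    return colon_hex(hashlib.new(algo, der).digest())


def winscp_open_command(kind: str, user: str, password: str, host: str, port: int,
                        fingerprint: str, hostkey_alg: str = "ssh-rsa 2048") -> str:
    """Build the WinSCP 'open' line that matches what the probe found."""
    cred = f"{quote(user, safe='')}:{quote(password, safe='')}"  # URL-encode specials
    if kind == "ssh":
        return f'open sftp://{cred}@{host}:{port}/ -hostkey="{hostkey_alg} {fingerprint}"'
    if kind == "ftp":
        return f'open ftpes://{cred}@{host}:{port}/ -certificate="{fingerprint}"'
    if kind == "silent":
        return f'open ftps://{cred}@{host}:{port}/ -certificate="{fingerprint}"'
    raise ValueError(f"no WinSCP open command for server kind {kind!r}")


if __name__ == "__main__":
    # Constructed banners standing in for read_banner(host, port).
    for banner in (b"SSH-2.0-OpenSSH_8.2p1\r\n", b"220 ProFTPD Server ready.\r\n", b""):
        print(banner, "->", classify_banner(banner))
    print(parse_tls_suite("ECDHE-RSA-AES256-GCM-SHA384"))  # a TLS suite: FTPS territory
    print(parse_tls_suite("ecdh-sha2-nistp256"))           # an SSH kex name: None
    fake_fp = colon_hex(hashlib.sha256(b"constructed certificate").digest())
    print(winscp_open_command("ftp", "Username", "p@ss", "hostname.com", 21, fake_fp))
```

Run the probe once against the new host's port with `read_banner` and `classify_banner`: an "SSH-" greeting means the existing sftp:// line only needs the new host key, a "220" greeting means the answer's ftpes:// line plus a `-certificate` pin from `ftps_certificate_fingerprint`, and silence on a port such as 990 means implicit TLS (ftps://). The password stays URL-encoded in the open line as in the original script; keeping it out of a file that SSIS logs is a separate hardening step.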

So the updated version of WinSCP was 5.17.5. The server's IP address I was transferring the files from was added to the receiving server's whitelist. Then I could connect to the receiving server via WinSCP's UI by entering the host name and username/password (port 22 in my case). In Advanced settings - Directories I added the path; in SSH/Key Exchange I ensured ECDH key exchange was at the top of the list and RSA-based was second. Login was successful. Then I went to the Session tab - Generate URL/Code, checked "Include the SSH host key" (if not greyed out), then went to the Script tab, which gives you the initial open command it is using during that session. It gives you the SHA-256 fingerprint of the host key instead of the MD5 we've been used to using. I copied it to the clipboard and used it as the open line in my script. Example:

Option batch On
Option confirm Off

open sftp://Username:password@hostsite.com/ -hostkey="ssh-rsa 2048 k8L86hrEaiZI+v/fxxxxx/Igxxxxxxx/iF1iKzI=" -rawsettings KEX="ecdh,rsa,dh-gex-sha1,dh-group14-sha1,WARN,dh-group1-sha1"

# Your command 1
# Your command 2
Close
exit

Now my script executes and transfers the file.

Martin Prikryl
Kim Avery
  • I'm glad that you have resolved your problem. But note that you asked about `ECDHE-RSA-AES000-GCM-SHA000`, which looks like a TLS cipher suite, while your solution uses SFTP, which has nothing to do with TLS. You have something wrong in your requirements. – Martin Prikryl May 01 '20 at 06:26