
pscp Connection abandoned


Jeff

Dec 23, 2008, 1:08:41 AM

I'm trying to use pscp on Windows to transfer files and I'm getting
the following output (verbose) when trying to connect:

$ ./pscp -batch -v 10.10.10.60 ro...@10.10.10.1:/home/app
Looking up host "10.10.10.1"
Connecting to 10.10.10.1 port 222
Server version: SSH-2.0-OpenSSH_4.7
We claim version: SSH-2.0-PuTTY_Release_0.60
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 2d:8f:d5:d2:e8:14:72:86:e6:41:7d:1f:ff:2e:d6:c3
Connection abandoned.
Disconnected: User aborted at host key verification

I've tried to figure it out on Google and the closest thing I can
figure is something to do with key caching and Pageant, though I don't
know anything about Pageant other than you can cache keys with it.
I don't know how to use it (via the command line) to clear its cache
though, even if that's the issue.

I'm using pscp.exe stand alone, that is I installed it as a package of
other programs I'm using on a second computer and that's where it won't
work, however it's working on my primary (development) machine just fine.

As a sidenote, under cygwin, scp works, but pscp fails per above output.

Does anyone have any ideas how I can fix this?
Thanks

Jacob Nevins

Dec 23, 2008, 9:40:58 AM

Jeff <je...@rahul.net> writes:
>The server's host key is not cached in the registry. You
>have no guarantee that the server is the computer you
>think it is.
>The server's rsa2 key fingerprint is:
>ssh-rsa 2048 2d:8f:d5:d2:e8:14:72:86:e6:41:7d:1f:ff:2e:d6:c3

This must be the first time you have made an SSH connection to this host
from this client machine; PSCP requires a verified host key in order to
continue the connection.

The purpose and details of this procedure are explained in the PuTTY
manual:
<http://the.earth.li/~sgtatham/putty/0.60/htmldoc/Chapter2.html#gs-hostkey>

Normally, PSCP would now ask you whether or not to accept this host key,
but:

>$ ./pscp -batch -v 10.10.10.60 ro...@10.10.10.1:/home/app

[...]


>Connection abandoned.
>Disconnected: User aborted at host key verification

You have specified the "-batch" option, which instructs PSCP not to ask
the user any questions. The only safe option PSCP has in this
circumstance is to abort the connection.

If you remove "-batch" from the command line, PSCP will ask you what to
do with the host key, as described in the link above.

>I've tried to figure it out on Google and the closest thing I can figure
>is something to do with key caching and Pageant, though I don't know
>anything about Pageant other than you can cache keys with it.

This is nothing to do with Pageant, or the user authentication keys that
Pageant manages.

Jeff

Dec 23, 2008, 11:55:29 AM

> This must be the first time you have made an SSH connection to this host
> from this client machine; PSCP requires a verified host key in order to
> continue the connection.
>

Ok that was the issue. Thanks. I'm using pscp as part of an
installable program on Windows. Is there any way to automate that
first 'yes' response?
I'm obviously doubting there is but I thought I would ask.

Thanks again.

Jacob Nevins

Dec 23, 2008, 1:05:58 PM

Jeff <je...@rahul.net> writes:
>Is there any way to automate that first 'yes' response?
>I'm obviously doubting there is but I thought I would ask.

No -- deliberately so.

From the PuTTY FAQ:

A.2.9 Is there an option to turn off the annoying host key prompts?

No, there isn't. And there won't be. Even if you write it yourself
and send us the patch, we won't accept it.

Those annoying host key prompts are the _whole point_ of SSH.
Without them, all the cryptographic technology SSH uses to secure
your session is doing nothing more than making an attacker's job
slightly harder; instead of sitting between you and the server with
a packet sniffer, the attacker must actually subvert a router and
start modifying the packets going back and forth. But that's not all
that much harder than just sniffing; and without host key checking,
it will go completely undetected by client or server.

Host key checking is your guarantee that the encryption you put on
your data at the client end is the _same_ encryption taken off the
data at the server end; it's your guarantee that it hasn't been
removed and replaced somewhere on the way. Host key checking makes
the attacker's job _astronomically_ hard, compared to packet
sniffing, and even compared to subverting a router. Instead of
applying a little intelligence and keeping an eye on Bugtraq, the
attacker must now perform a brute-force attack against at least one
military-strength cipher. That insignificant host key prompt really
does make _that_ much difference.

If you're having a specific problem with host key checking - perhaps
you want an automated batch job to make use of PSCP or Plink, and
the interactive host key prompt is hanging the batch process - then
the right way to fix it is to add the correct host key to the
Registry in advance. That way, you retain the _important_ feature of
host key checking: the right key will be accepted and the wrong ones
will not. Adding an option to turn host key checking off completely
is the wrong solution and we will not do it.

If you have host keys available in the common known_hosts format, we
have a script called kh2reg.py[1] to convert them to a Windows .REG
file, which can be installed ahead of time by double-clicking or
using REGEDIT.

[1] <http://svn.tartarus.org/sgt/putty/contrib/kh2reg.py?view=markup>

<http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#faq-hostkeys>
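
The pre-seeding approach from the FAQ above, as an added example that is not part of the thread and is not the PuTTY project's kh2reg.py: it parses one unhashed known_hosts ssh-rsa line, computes the MD5 fingerprint in the form pscp prints so it can be checked against a value obtained from the server's administrator, and emits a .REG file for the SshHostKeys key under HKEY_CURRENT_USER. The function names and the sample key (a toy modulus) are constructed for illustration; the host and port are the ones from the session in the first post.

```python
import base64, hashlib

REG_KEY = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys"

def take(blob, off):
    """Read one SSH length-prefixed string; return (bytes, new offset)."""
    n = int.from_bytes(blob[off:off + 4], "big")
    if len(blob) < off + 4 or off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_rsa_line(line):
    """Parse an unhashed known_hosts line: 'hosts ssh-rsa base64 [comment]'."""
    hosts, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    name, off = take(blob, 0)
    if keytype != "ssh-rsa" or name != b"ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled in this example")
    e, off = take(blob, off)   # public exponent (mpint)
    n, off = take(blob, off)   # modulus (mpint)
    return hosts.split(","), int.from_bytes(e, "big"), int.from_bytes(n, "big"), blob

def split_host(entry):
    """'[host]:port' (non-default port) or plain 'host' -> (host, port)."""
    if entry.startswith("["):
        host, _, port = entry[1:].partition("]:")
        return host, int(port)
    return entry, 22

def md5_fingerprint(blob):
    """Colon-separated MD5 of the key blob, the form shown in the pscp output."""
    d = hashlib.md5(blob).hexdigest()
    return ":".join(d[i:i + 2] for i in range(0, 32, 2))

def reg_file(line):
    """Build .REG text with one 'rsa2@port:host' value per listed host."""
    hosts, e, n, _ = parse_rsa_line(line)
    rows = ['"rsa2@%d:%s"="0x%x,0x%x"' % (port, host, e, n)
            for host, port in map(split_host, hosts)]
    return "REGEDIT4\n\n[%s]\n%s\n" % (REG_KEY, "\n".join(rows))

# Constructed sample line: toy modulus, far too small to be a real host key.
def ssh_str(b): return len(b).to_bytes(4, "big") + b
def mpint(i): return ssh_str(i.to_bytes(i.bit_length() // 8 + 1, "big"))
SAMPLE_N = 0xC0FFEE1234567890ABCDEF
SAMPLE = "[10.10.10.1]:222 ssh-rsa " + base64.b64encode(
    ssh_str(b"ssh-rsa") + mpint(65537) + mpint(SAMPLE_N)).decode()

if __name__ == "__main__":
    print(md5_fingerprint(parse_rsa_line(SAMPLE)[3]))
    print(reg_file(SAMPLE))
```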
