6

I am trying to connect up to a WinSCP server using the WinSCP .NET assembly. The problem I am having is that it bombs checking the host key fingerprint. I have created a RSA key. My code is as follows:

var server = new WinSCP.SessionOptions();
server.UserName = "ftp_user";
server.Password = "******";
server.HostName = "192.x.x.x";
server.Protocol = WinSCP.Protocol.Sftp;
server.SshHostKeyFingerprint =
    "9f:39:52:d5:08:0c:1d:a8:02:c9:7e:44:49:7f:44:fb";

var session = new WinSCP.Session();            
session.Open(server);

At the SshHostKeyFingerprint property assignment I get the following error:

SSH host key fingerprint "9f:39:52:d5:08:0c:1d:a8:02:c9:7e:44:49:7f:44:fb" does not match pattern /(ssh-rsa |ssh-dss )?\d+ ([0-9a-f]{2}:){15}[0-9a-f]{2}(;(ssh-rsa |ssh-dss )?\d+ ([0-9a-f]{2}:){15}[0-9a-f]{2})*/

If I am reading this right it is checking for 15 2 character sets, and I am assigning a 16 set value. I got this value from the server.

UPDATE: What I was missing was the fingerprint type (ssh-dss or ssh-rsa) and its size (1024, 2048 etc.). Therefore, the answer is as follows:

server.SshHostKeyFingerprint =
    "ssh-rsa 1024 9f:39:52:d5:08:0c:1d:a8:02:c9:7e:44:49:7f:44:fb";

If I am reading the regular expression correctly it does not give you any idea that you need the fingerprint size after the fingerprint type.

I hope this helps someone else. Thanks everyone for your insight and input.

Martin Prikryl
  • 188,800
  • 56
  • 490
  • 992
Jim
  • 149
  • 2
  • 11

2 Answers2

7

You are missing the ssh-rsa prefix (it's optional only seemingly) and a key size.

You can get the fingerprint in the correct format on Server and Protocol Information Dialog:

Server and Protocol Information Dialog

Though the easiest way is to use WinSCP GUI function to generate a code template with the correct value.

For details see Where do I get SSH host key fingerprint to authorize the server?

Note, that it's actually looking for 16 pairs (15 pairs followed by a colon and one trailing pair).

Since WinSCP 5.16 actually allows using only the checksum as you did. Though it is not recommended to omit the key type prefix anyway. Without the prefix, WinSCP may agree with the server on another (better) host key type, than the one for which you have the checksum. And the verification will then obviously fail.

Martin Prikryl
  • 188,800
  • 56
  • 490
  • 992
2
/(ssh-rsa |ssh-dss )?\d+ ([0-9a-f]{2}:){15}[0-9a-f]{2}(;(ssh-rsa |ssh-dss )?\d+ ([0-9a-f]{2}:){15}[0-9a-f]{2})*/

This looks for 15 pairs of hex digits with a colon after each pair, then one more pair that doesn't have a colon. So it's not 15/16 that is your problem. It's the rest of it.

There are a bunch of optional components, but the mandatory component you're missing is the \d+ before the hex. It's a decimal number, apparently representing the key size, which will probably be something like 1024 or 2048 or 4096. Put it first, then a space, then your hex stuff.