-1

Issue: Whenever a Windows batch file (containing a command to perform PSFTP) is triggered via Control-M (services started as LocalServiceAccount), the keys are not getting cached and it prompts to store the key every time.

Explanation: We are performing file transfer using psftp.exe (PuTTY). When I execute the batch file using my account, I am able to fingerprint and see the keys getting updated in the Registry (under `HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\SshHostKeys`).

Effort #1: Created a task in Task Scheduler to run the same command (via a batch file) with the user as the LocalServiceAccount and perform the fingerprinting by adding `ECHO "Y" |` before the psftp command, so that it doesn't prompt for confirmation. It works, but is only good for test purposes, as I don't think it's good practice when we move to production.

Effort #2: Deleted all the keys and manually added the keys in the registry. It still doesn't work for the LocalServiceAccount; it only works for my account. Fingerprinting is not happening for the LocalServiceAccount.

PSFTP command:

```batch
whoami
"C:\Program Files (x86)\PuTTY\psftp" userAccount@HostIPAddress -i E:\keys\transfer.ppk
```

(added `whoami` just to confirm the user is correct.)

It doesn't matter, though, whether the batch file is triggered via the Control-M services (running as LocalServiceAccount) or we run it via the Task Scheduler. In both cases the keys are not getting cached.

Similar Question: Thanks to this post, I got the interim solution to add `echo "Y"`: Putty won't cache the keys to access a server when run script in hudson

The LocalServiceAccount is part of the administrators group on the server, so I'm not sure if there are any permissions on the account that are causing the problem.

Any suggestions on what else I should look for is appreciated.

User M
    Do not use `echo Y`, that's insecure! Use `-hostkey` switch, as you can see in other answer to that question. – Martin Prikryl Mar 15 '18 at 19:18
  • That's a completely different problem, which has nothing to do with host keys. You may want to read my article [Understanding SSH Key Pairs](https://winscp.net/eng/docs/ssh_keys) – Martin Prikryl Mar 16 '18 at 14:56
  • I did try `-hostkey`, but it keeps prompting me for a password (and I don't have it). I only have the ppk. Maybe something's wrong with the syntax. `plink -ssh userAccount@ServerIP -i key.ppk` and also `plink -ssh userAccount@ServerIP key.ppk`. I know I am doing something wrong here... Thanks @Martin Prikryl, I'll check that link you shared. – User M Mar 16 '18 at 15:06
  • Got it wrong at the basic step ... the keys that are stored in the registry under `HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\SshHostKeys` were the ones I added for my ID. The ServiceAccount was under a different folder, `HKEY_USERS\S-1-5-...\SOFTWARE\SimonTatham\PuTTY\SshHostKeys`. So Effort #2 was incorrect. Added the string key and it worked. Didn't have to restart the server, as the modification was done via the 'Connect Network Registry' option - _wasn't aware of it, so thought of sharing it_ – User M Mar 16 '18 at 17:09
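A scripted version of the fix described in the comments above, added here as an example; it is not part of the original question or answers. It assumes the Control-M service runs as a local account named `LocalServiceAccount`, that the SFTP server's host key was already cached (and checked against the fingerprint the server's administrator published) by connecting interactively under the admin's own account, and that the psftp and key paths from the question are in use. All of those names are placeholders taken from the post; the `E:\jobs\transfer.txt` command file is a further assumption.

```powershell
# Added example, not from the original post. Run elevated: writing under HKEY_USERS\<SID>
# needs administrative rights.
$ServiceAccount = 'LocalServiceAccount'   # assumption: account the Control-M service runs as
$TargetHost     = 'HostIPAddress'         # assumption: the SFTP server from the question
$SubKey         = 'SOFTWARE\SimonTatham\PuTTY\SshHostKeys'

# 1. Resolve the account name to its SID. HKEY_USERS is keyed by SID, not by name,
#    which is why editing HKEY_CURRENT_USER under the admin's logon did not help.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 2. The account's hive is only mounted under HKEY_USERS while its profile is loaded
#    (for a service, while it is running). Fail clearly instead of creating a stray key.
$hivePath = "Registry::HKEY_USERS\$sid"
if (-not (Test-Path $hivePath)) {
    throw "Hive for $ServiceAccount ($sid) is not loaded; start the service or 'reg load' its NTUSER.DAT first."
}

# 3. Read the cached entries for the target host from the interactive (verified) hive.
#    PuTTY names each value '<keytype>@<port>:<host>', e.g. 'ssh-ed25519@22:HostIPAddress'.
$src     = Get-Item "HKCU:\$SubKey"
$entries = $src.GetValueNames() | Where-Object { $_ -like "*@22:$TargetHost" }
if (-not $entries) {
    throw "No cached host key for $TargetHost under HKCU; connect interactively first and verify the fingerprint."
}

# 4. Copy only those values into the service account's hive, creating the key if needed.
#    Copying verified entries is the point: the service never gets to accept an unknown key.
$dstPath = "$hivePath\$SubKey"
if (-not (Test-Path $dstPath)) { New-Item -Path $dstPath -Force | Out-Null }
foreach ($name in $entries) {
    Set-ItemProperty -Path $dstPath -Name $name -Value $src.GetValue($name) -Type String
    Write-Host "Copied $name into HKEY_USERS\$sid"
}

# 5. Show what the service account will now see, then run the transfer the way the
#    production job should: -batch makes psftp abort on any prompt, so a missing or
#    changed host key fails the job instead of hanging or being blindly accepted
#    (which is what 'echo Y |' did). -b reads the sftp commands from a file.
Get-ItemProperty -Path $dstPath | Select-Object $entries
& "C:\Program Files (x86)\PuTTY\psftp.exe" -batch -i 'E:\keys\transfer.ppk' "userAccount@$TargetHost" -b 'E:\jobs\transfer.txt'
```

Two things to check before relying on this. First, the last command runs psftp as the account executing the script, not as the service; the real test is to let Control-M run the job and confirm it no longer prompts. Second, if the service is started without a loaded user profile, its `HKEY_CURRENT_USER` resolves to `HKEY_USERS\.DEFAULT` rather than `HKEY_USERS\<SID>`, so the entry has to go wherever the service process actually reads it. The alternative that avoids the registry entirely is the `-hostkey` switch mentioned in the comments: pass the server's published fingerprint on the command line together with `-batch`, and psftp will only connect if the presented key matches.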

1 Answer

0

The LocalService account is not recognized by the security sub-system. It has very limited privileges and presents itself as an anonymous user to the network sub-systems. I would not recommend allowing any off-box access of any kind to the LocalService account. See the MSDN docs.

jwdonahue
  • Thanks @jwdonahue, this makes sense why the fingerprinting is not happening for this user, but happens for other users. – User M Mar 19 '18 at 19:09