
I can see that this is a question which has been asked from time to time, but was hoping someone may be able to offer some specific advice.

I run a bespoke PHP application. I have recently moved to a new server, and it is now hosted on an Ubuntu 22.04.4 LTS server which has ISPConfig 3 installed on it. It downloads files hourly from a number of remote FTP servers - which works seamlessly. However, one source has been updated and can only be downloaded from an SFTP server. This change was made several years ago and a colleague, with much more experience than I, wrote a CURL script (which I don't fully understand) and this was able to download the files from the SFTP server.

Since this was created, I have migrated to new servers on a couple of occasions and when I ran the CURL script on the new server to download from the remote FTP server it came up with a question (I can't remember the exact wording as it was a while ago), but it was something like 'SSH fingerprint doesn't match, accept and add exception'... once I accepted this, the script worked fine from then on.

I have just migrated to another new server, details above, and this time I didn't get the question about accepting and creating an exception and when the CURL script runs, it creates the local file... but fails to download, so I end up with the remote file created on the local server but it is 0 bytes in size.

I have spent months reading and trying different methods of downloading from remote SFTP servers but have not been able to get this to work.

I have spoken to the administrator of the remote SFTP server, to see whether they can upload their files to my server, but this is not an option and they can only offer an SFTP collection. They did send me a link to download their certificate and public key - which I suspect will fix the CURL script... but I am not sure what to do, or where to import these.

So... my question is - can anyone advise what to do with these files, in my setup outlined above?

Alternatively, is there a better way to collect files from an SFTP server using another solution, Filezilla or similar... if so, can anyone assist with setting it up? I mention Filezilla as I have used it in a Windows environment previously.

Any help greatly appreciated as I have been struggling with this for months and it is stopping my new production server going live!

Thanks

UPDATE 1:

I have taken a better look today at work and when I get the response;

The authenticity of host 'xxxx.xxxx.com (xx.xx.xxx.xx)' can't be established.
RSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?

I have accepted [yes] and get the following response;

Warning: Permanently added 'xxxx.xxxx.com' (RSA) to the list of known hosts.

However, when I try to run the CURL script, it does exactly the same... so, from the command line I have connected to the remote SFTP server using;

ssh username@xxxx.xxxx.com

This asks me for a password... however when I use my password, which works on the current production application, I get a permission denied error!

I am certain that the username and password are correct, but am in the process of double checking... but just wondered whether you have any thoughts in case I am missing something obvious?

UPDATE 2:

I just tried connecting from the existing server, where the CURL script works and I get this response to;

ssh username@xxxx.xxxx.com

Warning: the RSA host key for 'xxxx.xxxx.com' differs from the key for the IP address 'xx.xx.xxx.xx'
Offending key for IP in /root/.ssh/known_hosts:1
Matching host key in /root/.ssh/known_hosts:3
Are you sure you want to continue connecting (yes/no)?

So this makes me think that the RSA key fingerprint permanently added to the list of known hosts is different from the one added to the list of known hosts on the new server... is it possible to copy this from the old server to the new one... or am I oversimplifying this?

Thanks

Slimat
  • 1
  • When you use ssh/sftp for the first time from your computer to the remote computer, the remote computer creates a fingerprint of your computer. As you moved to a new computer (server), that fingerprint won't match. Once you enter "yes", the remote computer will create a new fingerprint. Now if you try to use the old server, the fingerprint of the old server will not match the newly created fingerprint of the new server in the remote computer. If you enter yes again, the fingerprint will be changed to the old server and it will not match the new server. – user68186 Mar 13 '24 at 14:59

1 Answer


SFTP is based on the SSH protocol. You can try making a connection to the host with ssh <username>@<host>. If this connection also fails, it should give you a more detailed error. If it complains about a changed public key, you can remove the incorrect key in ~/.ssh/known_hosts.

As an answer to update 1: you might ultimately get a permission denied error when trying to connect via SSH since the server might only allow SFTP after logging in and not allow you to execute any commands via SSH.

As an answer to update 2: it looks like the correct key is in known_hosts (Matching host key in /root/.ssh/known_hosts:3) but it also contains an offending host key (Offending key for IP in /root/.ssh/known_hosts:1). You could try to remove line 1 from your known_hosts and see if that resolves the warning.

Wilco
  • 11
  • Thanks @Wilco, when I run this from the command line I get;

    The authenticity of host 'xxxxx.xxxxx.com (xx.xx.xxx.xx)' can't be established.
    RSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
    This key is not known by any other names
    Are you sure you want to continue connecting (yes/no/[fingerprint])?

    Which looks very promising... I will play with this today at work and see if I can get it working again.

    I will post feedback later, in case it helps anyone with the same problem in the future :-)

    – Slimat Mar 13 '24 at 08:45
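
An added example, not part of the answer above or of any poster's code: a Python sketch that reads a known_hosts file, finds every entry (plain or hashed) for a hostname and its IP, and reports the lines whose key differs from a public key received from the server's administrator. The host names, IP address and key blobs are constructed placeholders, and wildcard host patterns are not handled.

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    """Fingerprint as ssh prints it: SHA256 of the key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_field(name, salt):
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(field, name):
    """True if a known_hosts host field names `name` (no wildcard support)."""
    if field.startswith("|1|"):
        salt_b64 = field.split("|")[2]
        return hashed_field(name, base64.b64decode(salt_b64)) == field
    return name in field.split(",")

def entries_for(text, name):
    """(line number, key type, fingerprint) for each entry that names `name`."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 3 and not line.startswith(("#", "@")) and host_matches(parts[0], name):
            found.append((lineno, parts[1], fingerprint(parts[2])))
    return found

def stale_lines(text, names, trusted_pubkey):
    """Lines holding a key of the trusted key's type whose fingerprint differs from it."""
    key_type, key_b64 = trusted_pubkey.split()[:2]
    trusted = fingerprint(key_b64)
    return sorted({n for name in names for n, t, fp in entries_for(text, name)
                   if t == key_type and fp != trusted})

# Constructed sample: placeholder blobs, not real keys. The layout mirrors the warning
# in the question (stale key for the IP on line 1, current host key on line 3).
OLD = base64.b64encode(b"constructed old host key").decode()
NEW = base64.b64encode(b"constructed current host key").decode()
SAMPLE = "\n".join([
    "203.0.113.10 ssh-rsa " + OLD,
    "other.example.net ssh-rsa " + OLD,
    hashed_field("sftp.example.com", b"constructed-salt") + " ssh-rsa " + NEW,
])

if __name__ == "__main__":
    trusted = "ssh-rsa " + NEW  # stands in for the key file the SFTP administrator sent
    for name in ("sftp.example.com", "203.0.113.10"):
        print(name, entries_for(SAMPLE, name))
    print("stale lines:", stale_lines(SAMPLE, ["sftp.example.com", "203.0.113.10"], trusted))
```

A reported line can be removed with `ssh-keygen -R <name>`, which also works on hashed entries.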