We Keep Coding

Certificate Issues while connecting to Amazon S3

My C# code is trying to pull some files from an Amazon S3 bucket. This code works fine on my development as well as on UAT server. However, when I run this on my production server, I get a certificate error.
One difference between the UAT and Production servers is that on UAT there is no restriction on outbound internet access. On Production servers free outbound internet access is not allowed. we open only selective URLs as per requirements.
We have already opened access to s3.amazonaws.com. We have also ensured that this access works fine using WinSCP tool. However, when my code tries to do the same, I get the following error:
WinSCP.SessionRemoteException: Server Certificate Verification Failed: Issuer is not trusted.
The source code is attached below:
s3HostName = Convert.ToString(System.Configuration.ConfigurationManager.AppSettings["s3HostName"]);
s3UserName = Convert.ToString(System.Configuration.ConfigurationManager.AppSettings["s3UserName"]);
s3Password = Convert.ToString(System.Configuration.ConfigurationManager.AppSettings["s3Password"]);
LocalFilePath = Convert.ToString(System.Configuration.ConfigurationManager.AppSettings["LocalFilePath"]);
s3Folder = Convert.ToString(System.Configuration.ConfigurationManager.AppSettings["s3Folder"]);
LocalFileFolder = Convert.ToString(System.Configuration.ConfigurationManager.AppSettings["LocalFileFolder"]);
LocalFolder = LocalFilePath + yesterday + "\\";
SessionOptions sessionOptions = new SessionOptions
{
Protocol = Protocol.S3,
HostName = s3HostName,
UserName = s3UserName,
Password = s3Password,
};
TransferOptions transferOptions = new TransferOptions();
transferOptions.TransferMode = WinSCP.TransferMode.Automatic;
transferOptions.FilePermissions = null;
transferOptions.PreserveTimestamp = false;
using (Session session = new Session())
{
log.Debug("Open session for s3");
session.Open(sessionOptions);
if (!Directory.Exists(LocalFolder))
{
Directory.CreateDirectory(LocalFolder);
}
//to download files
session.GetFiles(s3Folder + "*" + yesterday + ".csv", LocalFolder);
session.Close();
log.Debug("Closed session for s3");
return "Success";
}

Resolved the issue using the oldest trick in the book. Reinstalled WinSCP. Its all working fine now.

Upload file to implicit FTPS server in C# with TLS session reuse

I'm trying to upload file to FileZilla server through ftps by protocol TLS. On the server port 20 and 21 is closed. The only way how I managed to connect to server is by using FluentFTP but I couldn't upload file because of some FileZilla server bug.
https://github.com/robinrodricks/FluentFTP/issues/335
https://forum.filezilla-project.org/viewtopic.php?t=51601
public static void UploadTest(
string pathUploadFile, string addressIP, int port, string location,
string userName, string password)
{
FtpClient ftp;
Console.WriteLine("Configuring FTP to Connect to {0}", addressIP);
ftp = new FtpClient(addressIP, port, new NetworkCredential(userName, password));
ftp.ConnectTimeout = 600000;
ftp.ReadTimeout = 60000;
ftp.EncryptionMode = FtpEncryptionMode.Implicit;
ftp.SslProtocols = SslProtocols.Default | SslProtocols.Tls11 | SslProtocols.Tls12;
ftp.ValidateCertificate += new FtpSslValidation(OnValidateCertificate);
ftp.Connect();
// upload a file
ftp.UploadFile(pathUploadFile, location);
Console.WriteLine("Connected to {0}", addressIP);
ftp.Disconnect();
void OnValidateCertificate(FtpClient control, FtpSslValidationEventArgs e)
{
// add logic to test if certificate is valid here
e.Accept = true;
}
}
Is there any way around without a violating security level? If not is there any other free library which support uploading files with TLS/SSL? I also tried this but it didn't work.
https://learn.microsoft.com/en-us/dotnet/api/system.net.ftpwebrequest.enablessl
Thanks.

You can use WinSCP .NET assembly.
It supports implicit TLS (port 990). And uses OpenSSL TLS implementation (not .NET Framework), so it should not have the problem that FluentFTP has. It definitely works for me against FileZilla FTP server, even with session resumption requirement turned on.
SessionOptions sessionOptions = new SessionOptions
{
Protocol = Protocol.Ftp,
HostName = "ftp.example.com",
UserName = "username",
Password = "password",
FtpSecure = FtpSecure.Implicit,
TlsHostCertificateFingerprint = "xx:xx:xx:...",
};
using (Session session = new Session())
{
session.Open(sessionOptions);
session.PutFiles(localPath, remotePath).Check();
}
(I'm the author of WinSCP)
For more references about the problem, see also Can connect to FTP using FileZilla or WinSCP, but not with FtpWebRequest or FluentFTP.

How to use SFTP connection with key file using C# and .NET

I have a C# .NET project, where am trying to open an SFTP connection to a server and put a file to the server.
I have SFTP hostname, username and key file (.pem file).
I do not have a password here.
Please help me with something to use SFTP in C# and .Net.

Probably every SFTP/SSH library supports public key authentication.
For example:
SSH.NET (NuGet package):
var privateKey = new PrivateKeyFile(#"C:\some\path\key.pem");
var client = new SftpClient("example.com", "username", new[] { privateKey });
client.Connect();
If the private key is encrypted:
var privateKey = new PrivateKeyFile(#"C:\some\path\key.pem", "passphrase");
WinSCP .NET assembly (NuGet package):
SessionOptions sessionOptions = new SessionOptions
{
Protocol = Protocol.Sftp,
HostName = "example.com",
UserName = "username",
SshHostKeyFingerprint = "ssh-rsa 2048 ...=",
SshPrivateKeyPath = #"C:\some\path\key.ppk",
};
using (Session session = new Session())
{
session.Open(sessionOptions);
// Your code
}
WinSCP needs the key converted to PPK format (You can use WinSCP GUI for that, or PuTTYgen). Also note that WinSCP verifies the SSH host key (SshHostKeyFingerprint). SSH.NET fails to do that by default, what is a security flaw.
If the private key is encrypted, add PrivateKeyPassphrase or SecurePrivateKeyPassphrase.
WinSCP GUI can generate a code template for you.
(I'm the author of the library)

I ran into this same issue. The code provided by Martin certainly helped me but, it was missing a couple settings for my needs.
I needed to add a Port Number and a Pass Phrase to fully automate my solution. So code ends up like:
SessionOptions sessionOptions = new SessionOptions
{
Protocol = Protocol.Sftp,
PortNumber = port,
HostName = host,
UserName = username,
PrivateKeyPassphrase = passphrase,
SshHostKeyFingerprint = fingerprint,
SshPrivateKeyPath = privatekeyfile
};

How to SFTP authenticate using password or SSH fingerprint WinSCP C# .NET assembly

I'm trying to connect to a server with a SFTP connection, but I'm trying to authenticate with SSH fingerprint, if this is not correct, then should attempt with the SFTP password.
The issue that I'm having is that need both of them to access to the server, that should be different, if is not the SSH fingerprint, then try with the password, but is not working.
There is a way to validate first the fingerprint and if is not correct, validate the user password?
This is what I have:
public string FilesSFTP_FTP()
{
TransferOptions TransferOption = new TransferOptions();
TransferOperationResult TransferResult;
SessionOptions sessionoptions = new SessionOptions();
Session session = new Session();
if (DataFile.sTransportType == "S")
{
sessionoptions.Protocol = Protocol.Sftp;
sessionoptions.PortNumber = 22;
sessionoptions.SshHostKeyFingerprint = DataFile.sFingerPrint;
}
else if (DataFile.sTransportType == "F")
{
sessionoptions.Protocol = Protocol.Ftp;
sessionoptions.PortNumber = 21;
}
sessionoptions.HostName = DataFile.sIPAddress;
sessionoptions.UserName = DataFile.sUserID;
sessionoptions.Password = DataFile.sPassword;
TransferOption.TransferMode = TransferMode.Binary;
TransferOption.PreserveTimestamp = false;
TransferOption.ResumeSupport.State = TransferResumeSupportState.Off;
session.Open(sessionoptions);
}
There is another property that it need to be set?

You cannot "authenticate with SSH fingerprint".
The SessionOptions.SshHostKeyFingerprint is to verify the server's host key. Not to authenticate the user.
To authenticate the user, you need to use the SessionOptions.SshPrivateKeyPath.
See Understanding SSH key pairs to learn the difference.
As for your question. You can set both the SessionOptions.SshPrivateKeyPath and the SessionOptions.Password. WinSCP will first try the private key, and only if that fails, it will fall back to the password. (Or it will use both, is the server requires that)

Failed to impersonate domain user via C#

I am trying to impersonate remote admin user so that i can perform modifications on the files present on remote Linux machine. But i get error message as Access to the path is denied.
However this thing manually i am able to do via putty using command :
sudo -S -u wtsnqa rm /path-to-file/
Any help is worth appreciable.
My code :
SessionOptions sessionOptions = new SessionOptions
{
Protocol = Protocol.Sftp,
HostName = "sj1slm612",
UserName = "userid",
Password = "password",
SshHostKeyFingerprint = "ssh-rsa 2048 fa:e9:58:24:1b:41:a3:15:63:0d:c0:72:41:5d:51:7a"
};
using (Session session = new Session())
{
// Connect
session.Open(sessionOptions);
// Performing removing files from remote server via impersonation.......
AppDomain.CurrentDomain.SetPrincipalPolicy(System.Security.Principal.PrincipalPolicy.WindowsPrincipal);
using (WindowsIdentity Authorized_user = new WindowsIdentity("wtsnqa"))
{
using (WindowsImpersonationContext context = Authorized_user.Impersonate())
{
File.Delete(#"\\sj1slm612\apps\instances\express_13000\configuration\standalone-full.xml");
File.Delete(#"\\sj1slm612\apps\instances\query_13100\configuration\standalone-full.xml");
File.Delete(#"\\sj1slm612\apps\instances\wppapi_13200\configuration\standalone-full.xml");
File.Delete(#"\\sj1slm612\apps\instances\wppgui_13300\configuration\standalone-full.xml");
Console.WriteLine("All config files removed from sj1slm612");
Console.ReadLine();
context.Undo();
}