1

I have a Windows Server 2003 box and it is using psftp to connect to a remote linux machine and download files every hour.

I have two main challenges with this machine:

First

Scheduled tasks are currently set to run as a user on this box, which I believe requires storing the user's password in the task scheduler. However when the user's password changes the task fails to run. I'd like to have this task always run regardless.

  • I believe the solution to the first problem is to have the scheduled task run as SYSTEM. Is that correct? If so, how do I set this up? Just type SYSTEM in the "Run as" box? And do I need to set a password for SYSTEM because I believe I tried with no password and it said the job did not run because the password was incorrect. Perhaps I am doing this wrong.

Second

Putty requires that the remote key for a server is stored in the registry to verify the server's authenticity. However this seems to be stored on a per-user basis and so if I switch the script to run as a different user it seems the user must run the script interactively the first time so that the key is stored in the registry.

  • Instructions on the putty website mention that keys should be added to the following registry location:

    HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys

But judging from "HKEY_CURRENT_USER" I don't think that will be for the SYSTEM user. If I do set up this task to run as SYSTEM, how can I make sure that the appropriate key is stored in the registry for the host? I don't mind manually adding it (there is a perl script to convert a known_hosts file), but where should it go?

ps: myscript.bat just uses psftp.exe to pull files from a remote server. Nothing special. There is no flag to skip checking authorized hosts, and the folks at putty mention that this would be a bad idea anyhow.

cwd

5 Answers

4

I believe the solution to the first problem is to have the scheduled task run as SYSTEM. Is that correct?

Generally you should only run something as SYSTEM if it actually needs that absolute level of privileges. A much better choice might be to setup a service account just for this task. Then you may want to disable password expiration for the account, or setup a notification schedule to remind you to update the service account password & task details.

You can of course temporarily log in to this service account so you can accept the SSH key the first time.

Zoredache
  • I think the user account for tasks is a great solution, thanks! Out of curiosity though, is it possible to schedule it as SYSTEM, and do you need a password? – cwd Dec 06 '11 at 18:46
  • It is possible, SYSTEM does not have a password. I haven't used XP/2003 in a while, so I am not sure of the correct method to create a SYSTEM task. Try machinename\SYSTEM maybe? – Zoredache Dec 06 '11 at 18:48
3

Use pscp.exe -batch -load PROFILE on the command line. Set up a profile for your connection using a ssh-key-pair for that profile and then use that profile.

The user-account you use for this should be local, but it does not require any special privileges (just read for the key and write for the files).

Try pscp -h for all command switches.

Nils
  • This looks pretty good. I will have to give it a try. Any links on how to set up a profile? Have not done that yet. – cwd Dec 06 '11 at 22:45
  • I would use interactive Putty to set up the profile. The most important settings are target machine-name, type of ssh-protocol (2 only should work nowadays), compression on/off, login-name, private key file. – Nils Dec 08 '11 at 22:07
2

I realize there's already an accepted answer for this question, but I thought I'd throw in the answer to where the SYSTEM account's user registry hive is located. It's actually in HKEY_USERS\.DEFAULT which most people incorrectly assume is the default user hive for newly created accounts. More info on the history and background of the key is on Raymond Chen's MSDN blog here:

The .Default user is not the default user

Ryan Bolger
  • This seems to be the best answer. I set up a profile in PuTTY, ran the script manually, accepted the key, and then copied the values from `HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys` into the corresponding default user hive @Ryan Bolger mentions, and it is working very well. Tried setting up another user on the system, but with the way permissions are set they would need to be an administrator to run scheduled tasks, and I don't want to add a local administrator account, nor do I wish to rewrite user permissions with group policy or something like that. Running as SYSTEM seems ok. thx! – cwd Dec 21 '11 at 04:15
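The procedure cwd describes in the comment above (cache the key interactively, then copy it into SYSTEM's hive) as an added batch script; this is not code from the question or any answer. The host name, the PuTTY value name `rsa2@22:<host>`, the key file and the paths are assumed placeholders, and the script fails closed if the pinned key is missing.

```batch
@echo off
rem Added example: pin the PuTTY host key for the SYSTEM account by copying the
rem value cached under the interactive user (HKCU) into HKEY_USERS\.DEFAULT,
rem the hive SYSTEM sees as HKCU, then run psftp unattended.
rem Assumed placeholders: host name, value name format rsa2@22:<host>, paths.
setlocal

set "HOST=sftp.example.internal"
set "KEYNAME=rsa2@22:%HOST%"
set "SRC=HKCU\Software\SimonTatham\PuTTY\SshHostKeys"
set "DST=HKU\.DEFAULT\Software\SimonTatham\PuTTY\SshHostKeys"
set "PSFTP=C:\Program Files\PuTTY\psftp.exe"
set "SCRIPT=C:\jobs\pull.psftp"

rem 1. The key must already be cached for the admin who ran psftp once
rem    interactively and accepted the fingerprint after checking it.
reg query "%SRC%" /v "%KEYNAME%" >nul 2>&1
if errorlevel 1 (
  echo Host key for %HOST% not cached under HKCU; connect once interactively first.
  exit /b 1
)

rem 2. Copy only that one value (not every cached host) into SYSTEM's hive.
rem    reg query prints:  <name>  REG_SZ  <data>; tokens 2,* give type and data.
for /f "tokens=2,*" %%A in ('reg query "%SRC%" /v "%KEYNAME%" ^| findstr /i "REG_SZ"') do (
  reg add "%DST%" /v "%KEYNAME%" /t REG_SZ /d "%%B" /f >nul
)

rem 3. Verify the pinned key now exists for SYSTEM, then transfer.
rem    -batch makes psftp abort with a non-zero exit on an unknown or changed
rem    host key instead of prompting, which a scheduled task could never answer.
reg query "%DST%" /v "%KEYNAME%" >nul 2>&1 || exit /b 1
"%PSFTP%" -batch -i C:\jobs\svc-key.ppk -b "%SCRIPT%" svcuser@%HOST%
if errorlevel 1 (
  echo psftp failed with exit code %errorlevel% >> C:\jobs\pull.log
  exit /b 1
)
endlocal
```

Steps 1 and 2 only need to run once per host (as an administrator); the scheduled task itself needs only step 3, and a changed server key then shows up as a failed task rather than a silently accepted new key.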
0

I wouldn't use SYSTEM like this. I'd just create a new user called puttyservice, set it to never expire, and off you go. Obviously, you'd use this new user's profile.

I'd also consider installing a more robust solution like Cygwin and using the OpenSSH version of ssh instead of PuTTY. That's the standard version on every Linux system out there and might be more robust and easier to work with than PuTTY. Of course you lose the GUI, but that shouldn't matter in terms of scripting.

DrZaiusApeLord
0

I know this is an old post, but I'm putting this answer in here to help other users with the same problem.

The PuTTY suite of utilities (plink, pscp, psftp, etc.) has a -hostkey option. This allows you to include the host key of the target server without having to go through the trouble of copying registry keys to other accounts (like SYSTEM).

pscp.exe /? will show you the proper syntax.

-hostkey xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

You can obtain the hostkey by initiating a putty session with the target server once under a regular user account.

From the command line it will look something like this:

The server's rsa2 key fingerprint is:
ssh-rsa 2048 7b:e5:6f:a7:f4:f9:81:62:5c:e3:1f:bf:8b:57:6c:5a

usage:

pscp.exe -hostkey 7b:e5:6f:a7:f4:f9:81:62:5c:e3:1f:bf:8b:57:6c:5a -batch -i your-private-key.ppk C:\source.file user@10.10.10.10:/var/www/html/

This works when run as a Scheduled Task running as the SYSTEM account.

I hope this is helpful to someone.

LedHed