Tags: windows, iis, ssh, fastcgi

Python script ignoring known_hosts file when connecting to remote server


Setup: A Windows Server, executing PHP scripts using FastCGI as a service user (I have verified this by doing exec("whoami", ...)). They launch Python scripts using exec (which are also run as the service user; I have verified this using os.getlogin()) and process the return value as part of their routine.

If I impersonate the service user (open a command line as the service user) and connect to the remote server via ssh, it works with no issues, and I get the response I want. The same goes for running the scripts: they terminate with code 0 and give the expected output, without prompting me to confirm the fingerprint, i.e. they process the known_hosts file.

If the scripts are run by PHP, I get the unknown fingerprint prompt, which leads to a FastCGI timeout. If I try to pipe yes to it (echo yes | python script.py), it terminates with an unexpected EOF error, so that doesn't solve the problem, apart from being a security risk if it worked.

My question would be: what might be a reason for the script ignoring the known_hosts file when run as the service user via FastCGI, but not when run manually via cmd? (And obviously, how to solve it.) I'd appreciate any input, thanks in advance!

Side note: I have a testing server on which I had a similar issue. I was prompted to confirm the fingerprint, but could resolve that by manually running the script once and confirming the fingerprint prompt, as it reads from the known_hosts file there. I have checked the configs and file permissions of both servers multiple times and they appear to be the same (at least I could not spot any differences).


Solution

  • Okay, interesting issue:

    The IIS Application Pool user was actually the service user, but %USERPROFILE% differed: on one server it was C:\Users\[username], on the other server it was C:\Windows\System32\config\systemprofile. (I am not entirely sure why.)

    So the fix I chose here was to simply copy .ssh\known_hosts to the systemprofile folder and grant the service user read-only rights on the file. After doing so it no longer prompted for fingerprint verification, as it now had the fingerprint in the known_hosts file, and connected.

    Thanks for the suggestions everyone!
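The following is an added example, not code from the question or the answer above. It shows what the launched Python script can do on its own to make the failure in the question diagnosable and to stop depending on which profile directory the app pool happens to get: it resolves the known_hosts path the way OpenSSH does from %USERPROFILE%, parses the file to check whether the target host is actually listed (plain, port-qualified, hashed and @revoked entries), and builds an ssh command line that passes an explicit UserKnownHostsFile with BatchMode and StrictHostKeyChecking set, so an unknown key is a fast non-zero exit instead of a prompt that runs into the FastCGI timeout. The host names, key material and the C:\ssh\known_hosts path are constructed placeholders, and the assumption is that the client being launched is OpenSSH's ssh.exe, which honours these -o options.

```python
"""Make the ssh host-key lookup explicit and diagnosable under IIS/FastCGI.

Added example (not from the original post). Assumes OpenSSH ssh.exe; all host
names, keys and paths below are constructed sample data.
"""
import base64
import fnmatch
import hashlib
import hmac
import os
import subprocess
from typing import List, Optional


def profile_known_hosts_path(environ=None) -> str:
    """Path ssh consults for '~/.ssh/known_hosts' in this process.

    On Windows '~' comes from %USERPROFILE%; an IIS app pool can run the same
    account with C:\\Windows\\System32\\config\\systemprofile instead of
    C:\\Users\\<name>, which is why a different known_hosts is read.
    """
    env = os.environ if environ is None else environ
    profile = env.get("USERPROFILE") or os.path.expanduser("~")
    return os.path.join(profile, ".ssh", "known_hosts")


def hashed_known_hosts_entry(host: str, salt: bytes) -> str:
    """Build the '|1|salt|hash' form ssh writes when HashKnownHosts is on."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def _pattern_matches(pattern: str, host: str) -> bool:
    """Match one host pattern: hashed, wildcard (*, ?) or literal."""
    if pattern.startswith("|1|"):
        try:
            _, _, salt_b64, digest_b64 = pattern.split("|")
        except ValueError:
            return False
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    if "*" in pattern or "?" in pattern:
        return fnmatch.fnmatchcase(host, pattern)
    return pattern == host


def known_hosts_has_host(known_hosts_text: str, host: str, port: int = 22) -> bool:
    """True if a usable (non-revoked) entry names host; mirrors ssh's lookup key."""
    name = host if port == 22 else "[%s]:%d" % (host, port)
    for raw in known_hosts_text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):           # @cert-authority / @revoked marker
            if fields[0] == "@revoked":
                continue
            fields = fields[1:]
        if len(fields) < 3:                      # need hostnames, keytype, key
            continue
        if any(_pattern_matches(p, name) for p in fields[0].split(",")):
            return True
    return False


def build_ssh_command(host: str, remote_command: str, known_hosts: str,
                      user: Optional[str] = None, port: int = 22) -> List[str]:
    """ssh argv that cannot block on a fingerprint prompt.

    BatchMode=yes disables interactive prompts, StrictHostKeyChecking=yes turns
    an unknown or changed key into a hard failure, and UserKnownHostsFile pins
    the file so the lookup no longer depends on the app pool's %USERPROFILE%.
    """
    target = "%s@%s" % (user, host) if user else host
    return ["ssh", "-p", str(port),
            "-o", "BatchMode=yes",
            "-o", "StrictHostKeyChecking=yes",
            "-o", "UserKnownHostsFile=%s" % known_hosts,
            target, remote_command]


def run_remote(host, remote_command, known_hosts, user=None, port=22, timeout=30):
    """Run the remote command; fail fast instead of hanging the FastCGI worker."""
    if not os.path.isfile(known_hosts):
        raise FileNotFoundError("known_hosts not readable at %s" % known_hosts)
    with open(known_hosts, encoding="utf-8", errors="replace") as fh:
        if not known_hosts_has_host(fh.read(), host, port):
            raise RuntimeError("%s:%d is not in %s" % (host, port, known_hosts))
    proc = subprocess.run(build_ssh_command(host, remote_command, known_hosts, user, port),
                          stdin=subprocess.DEVNULL, capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr


# Constructed sample known_hosts; the keys are placeholders, not real host keys.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real host-key file",
    "build.example.net,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0 build",
    "[alt.example.net]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1",
    "*.lab.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY2",
    "@revoked revoked.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER",
    hashed_known_hosts_entry("hashed.example.net", b"0123456789abcdefghij")
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY3",
])

if __name__ == "__main__":
    print("ssh will read:", profile_known_hosts_path())
    print("build.example.net listed:", known_hosts_has_host(SAMPLE_KNOWN_HOSTS, "build.example.net"))
    print(" ".join(build_ssh_command("build.example.net", "whoami", r"C:\ssh\known_hosts", user="svc")))
```

Logging the result of profile_known_hosts_path() from inside the FastCGI-launched script is the quickest way to see the systemprofile path the answer describes; pinning UserKnownHostsFile to a file the service account can only read keeps the fix in place even if the profile directory changes again.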