Why does FileZilla work without knowing any keys, but WinSCP doesn't?

Question

I got the connection details of a SFTP server, connected to it with FileZilla, and then successfully downloaded a file from that SFTP.

The only details I had was host, port, user and pass.

Now I'm trying to connect to this same server trough WinSCP .NET assembly (C#)

using(Session session = new WinSCP.Session()) {
    session.Open(new SessionOptions() { 
        Protocol = Protocol.,
        HostName = "ftp.*********.be",
        UserName ="*****",
        Password ="*****"
    });

    TransferOptions transferOptions = new TransferOptions();
    transferOptions.TransferMode = WinSCP.TransferMode.Binary;
    TransferOperationResult transferResult;
    transferResult = session.GetFiles("/downld/fileonserver.dbf",@"c:\testfolder\localfilename.dbf", false, transferOptions);

Whatever I try here it keeps asking for a key for SSH, but I don't have that key, I generated a 128 bit RSA key somewhere online and put it in the session options like:

SshHostKeyFingerprint = "ssh-rsa 1024 82:09:12:b4:93:92:3a:61:10:90:61:12:b4:XX:XX:XX"

But this just tells me that key is invalid.

I kind of figured out that I maybe need the public/private SSH key from the server to get this to work but I sadly don't have access to this server.

Since FileZilla can connect to it without me entering any KEYS, why can't my C# program do the same?

I'm not an expert when it comes to security related stuff, so please point me in the right direction. I found this thread but I don't have access to .ssh folder on the FTP server and I don't really get where they are going with this.

Answer 1

1. You are confusing the SSH server public host key verification with the client public key authentication. These are two completely different things. This first involves the public key of the server, while the latter involves your account public key.

   Read about SSH Key Pairs to learn the difference.

2. FileZilla cannot connect without verifying the server's public host key either. On the first connection it always prompts you to accept the key. Once you do, it optionally caches the key and won't prompt you again, unless the key changes.

   

   You have probably forgotten that you got this prompt before or someone else connected to the server before from your machine.

   Any SSH (SFTP) client must do the same. You are losing any security had you not verified your server's host key.

3. You should get the host key fingerprint from your server administrator.

   If you had not, you can see it on WinSCP Server and Protocol information dialog.

   For details see WinSCP FAQ Where do I get SSH host key fingerprint to authorize the server?

Answer 2

I solved this by just copying the SSH key returned to my FileZilla client into my C# app. I don't know if this is the right thing to do, but at least it got my solution working now.

It was also an SSH-DSS key 2048 key instead of an SSH-RSA 1024, and that's why messing around with the keys kept failing I guess.