Automating SSH, SFTP, and SCP with Windows Scheduled Tasks

  • 7021931
  • 18-Jul-2008
  • 01-Apr-2018

Environment

EXTRA! X-treme version 9.2 or higher
Reflection for HP with NS/VT version 14.x
Reflection for UNIX and OpenVMS version 14.x
Reflection for UNIX and OpenVMS 2011
Reflection for UNIX and OpenVMS 2014
Reflection 2014
Reflection for Secure IT Windows Client version 7.1 or higher

Situation

This technical note describes how to automate SSH, SFTP, and SCP connections using the Windows Scheduled Tasks utility and executable command line syntax supported by Reflection and Extra! terminal emulation products.

Resolution

Automating SSH, SFTP, and SCP connections using the Windows Scheduled Tasks utility and the command line requires the following steps:

Note: If the Windows account that is used to run the task is a member of the Administrative group, skip both Step 3 and Step 4. There is no need to add privileges to the Administrative account. However, if your company security policy prohibits running a task with an account that is part of the Administrator's group, follow Step 3 and Step 4 to amend the account permissions.

Step 1: Configure Public Key Authentication with a Blank Passphrase

  1. Launch the Reflection FTP client.
  2. Under “Connect to FTP Site,” click New.
  3. Enter the name of the host you will be connecting to. Click Next
  4. Under “Login Information," click the Security button.
  5. Click the “Secure Shell” tab.
  6. If “Use Reflection Secure Shell” check box is not already checked, select it.
  7. Click Configure.
  8. On the User Keys tab, click Generate.
  9. Select the key type and length required to satisfy your corporate security policy. Select the No passphrase check box, and then click Create. Click Save. The new private key appears in the User Keys list.
  10. Verify that the new key is selected (a check mark is displayed in the Use column).
  11. Click Upload, and follow the prompts to upload the public key to the remote host. You will most likely be prompted for a password during this process.
  12. Once the upload process has completed, click OK.
  13. Click OK to close the “Security Properties” dialog box.
  14. In the Login Information dialog box, click Next.
  15. In the User name field, enter the user name that should be used for the automated transfers. Click Next.
  16. Click Finish. By default, we will try to connect to the remote SFTP server using the new key we have generated from above.

If connection is successful, key authentication is now configured for all SSH, SFTP, and SCP connections from the Windows account you are logged in with, to the specified host, using the specified host account. This includes both Windows-based clients and command line clients.

If a banner requiring user interaction is normally displayed when you connect to the host, on the General tab, change the Logging Level to Quiet. This step is not necessary if you do not have a login banner, or if you are using the command line client, as no user interaction is required in those scenarios.

Note: If public key upload was successful but public key authentication fails, it is possible that the remote SFTP server stores the user’s keys in a none default location. Please contact the remote administrator and have the key relocated to the correct folder.

Step 2: Create a Batch File with Connection Commands

Create a Windows batch (.bat) file that contains the connection commands appropriate for your task. For a complete list of SFTP, SCP, and SSH, syntax and commands, open a Windows command prompt and enter <command> -? , where command is SFTP, SCP, or SSH.

Batch file examples:

"C:\Program Files\Attachmate\RSecure\sftp.exe" -B "C:\path\batch_file.txt" user@host

"C:\Program Files\Attachmate\RSecure\scp.exe" user@host:file "C:\path\file"

cmd /c ""C:\Program Files\Attachmate\RSecure\ssh.exe" user@host ls > "C:\path\file.txt""

Before proceeding, run each batch file manually to ensure it works correctly.

If the batch file is not working, you can collect error and debug logging information for troubleshooting using syntax such as:

"C:\Program Files\Attachmate\RSecure\sftp.exe" -vvv -B "C:\path\batch_file.txt" user@host 1> "C:\path\debug.txt" 2> "C:\path\errors.txt"

Note the following:

  • If you prefer not to create a batch file for the required tasks, you can configure the task to run the appropriate product executable instead (sftp.exe, scp.exe, or ssh.exe). In this case, after creating the task in "Step 5: Configure Windows Schedules Tasks to Run the Batch Files," edit the task to include the appropriate command syntax, as shown in the examples in Step 2. (This customization is done in the Run field of the Task tab.)
  • If you need to run the batch file or executable with a Windows account other than the one configured for public key authentication, you can use the –k switch to point to the .ssh directory of the configured account, which contains the required keys and configuration file (named config).

Step 3: Assign "Log on as a Batch Job" Permissions

For tasks to be run by the Task Scheduler, Windows requires that the account running the task be logged on to Windows or have "Log on as a batch job" permissions. These permissions are automatically assigned:

  • To members of the Administrator’s group.
  • In Windows XP, if you are a member of the Users group and you create a scheduled task.

Note: When a task is created, these permissions are not automatically added for members of the User's group in Windows 7 or Windows Server 2008.

If the account you plan to use does not have "Log on as a batch job" permissions, follow the steps below to add these permissions to the account.

Warning: For security reasons, we recommend that you only grant these additional privileges to the required user or users.

  1. Login to the Windows system with an account that is part of the Administrator’s group.
  2. Click Start > Run; in the Open field, enter secpol.msc, and then click OK.
  3. Double-click Local Policies > User Rights Assignment.
  4. Double-click Log on as a batch job.
  1. Click Add User or Group, and add the user or group.
  2. Click OK to save the change and exit the properties window.

Step 4: Assign Account Permissions to the Reflection SSH Com Server

If a scheduled task is configured to run sftp.exe, scp.exe, or ssh.exe, and both of the following are true, the task will fail due to insufficient privileges:

  • The user account used to generate the public keys and to schedule the task does not belong to the Administrator's group, and
  • The user is currently logged out of Windows.

When this occurs, the Last Results column (Last Run Results in Windows 7 and Windows Server 2008) in Scheduled Tasks displays 0x57. This code indicates that additional privileges are required to run the Reflection SSH COM server (rssh.exe) when the user is not logged in to Windows.

The privileges required to run the executable are Local Launch and Local Activation. These permissions are automatically assigned to members of the Administrator's group. If the public key was generated by, and the scheduled task belongs to, a user who is part of the Administrative group, you can skip this section. Otherwise, follow the steps below to add these specific permissions to the user account used to generate the key and run the scheduled task.

Warning: For security reasons, we recommend that you only grant these additional privileges to the required user or users.

  1. Login to the Windows system with an account that is part of the Administrator’s group.
  2. Click Start > Run, in the Open field, enter dcomcnfg.exe, and then click OK.
  3. Double-click Component Services > Computers > My Computer and click DCOM Config.
  4. Scroll down to the object named {AA76F3C3-B544-4E32-B5CC-38F0B09CB5F}, right-click the object and click Properties. You are now in the properties of the SSH COM object.
View Full Size
Figure 1 - Access the Properties of the SSH COM Object
Figure 1 - Access the Properties of the SSH COM Object
  1. On the Security tab, in the Launch and Activation Permissions group, select Customize, and then click Edit.
  2. Click Add. Locate and add the required user(s) or group(s), and then click OK.
  3. In the "Group or user names field," select the user or group
  4. In the Allow column, select the Local Activation check box, and verify that Local Launch is already selected. (Local Launch should be selected by default.)
Figure 2 - Configure new user (Lilly) for Local Launch and Local Activation Permissions
Figure 2 - Configure new user (Lilly) for Local Launch and Local Activation Permissions

  1. If you are configuring multiple users or groups, repeat steps 6 through 8 for all users and groups.
  2. Click OK > OK and close the Component Services dialog box.

Step 5: Configure Windows Scheduled Tasks to Run the Batch Files

Follow these steps to automate the file transfer using Scheduled Tasks.

In Windows 7 or Windows Server 2008:

  1. From the Administrative Tools menu, select Task Scheduler.
  2. Click Action > Create Basic Task.
  3. When prompted, enter a name for the task, then click Next.
  4. Under Task Trigger, select "When do you want the task to start." Click Next and fill in the details.
  5. Under Action, select "Start a program," click Next, and then browse to and select the batch file you created in Step 2: Create a Batch File with Connection Commands. Click Open, and then click Next.
  6. Under Finish, select "Open the Properties dialog for this task when I click Finish."
  7. On the General tab of the Properties dialog box, under Security options verify that the user name shown under "When running the task, use the following user account" is the Windows account used to setup the public key authentication. If not, modify this setting.
  8. Select "Run whether user is logged on or not," and then click OK.

Note: If the Windows account that is used to run the task is a member of the Administrative group, under the General tab, select the option “Run with highest privileges.”

In Windows XP:

  1. From the Control Panel, select Scheduled Tasks.
  2. In the Scheduled Task Wizard, browse to and select the batch file you created in "Step 2: Create a Batch File with Connection Commands," and then click Open.
  3. When prompted, enter a name for the task, then set the frequency, start time and start date.
  4. Configure the task to run under the Windows account used to setup the public key authentication.
  5. Select "Open advanced properties for this task when I click Finish," and then click Finish.
  6. Make sure that "Run only if logged on" is not selected (the default) and click OK.

At this point you should see your new task listed in the Task Scheduler (or Scheduled Tasks) window.

Test the New Task

While still logged in to Windows, right-click the new task and select Run. If the task successfully runs, the Last Result field in the Scheduled Tasks window should show 0x0. (On Windows 7 and Windows Server 2008, this “Last Run Result” field also includes the statement "The operation completed successfully.") If you encounter problems, please refer to the following:

  • In Windows 7 and Windows Server 2008, in the Task Scheduler window, select the task, click the History tab, and see if there are any logged errors.
  • In Windows XP, in the Scheduled Tasks window, click Advanced > View Log, and see if there are any logged errors.

Additional Troubleshooting help.

Set the Final Schedule

Once you have verified that the task can be successfully run, make any additional configuration tweaks to the task schedule, and you are done. The automated SSH, SFTP, or SCP task should now run automatically.

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2329.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.