
Technical Notes

Automating SSH, SFTP, and SCP With Windows Scheduled Tasks
Technical Note 2329
Last Reviewed 18-Jul-2008
Applies To
Reflection for Secure IT Windows Client version 6.0 or higher
Reflection for UNIX and OpenVMS version 12.0 or higher
Reflection for HP version 12.0 or higher
Summary

This technical note describes how to automate SSH, SFTP, and SCP connections using the Windows Scheduled Tasks utility and the command line tools included with the Reflection for Secure IT, Reflection for UNIX and OpenVMS, and Reflection for HP Windows clients.

Automating SSH, SFTP, and SCP

Automating SSH, SFTP, and SCP connections using the Windows Scheduled Tasks utility and the command line requires the following steps:

Note: If the Windows account that is used to run the task is a member of the Administrative group, skip both Step 3 and Step 4. There is no need to add privileges to the Administrative account. However, if your company security policy prohibits running a task with an account that is part of the Administrator's group, follow Step 3 and Step 4 to amend the account permissions.

Step 1: Configure Public Key Authentication with a Blank Passphrase

  1. Log in to Windows using the account that will be used for automating the host connections. It is important to use the same account, because the required files are created for, and owned by, the account that is logged in during setup.
  2. Launch Reflection for Secure IT, Reflection for UNIX and OpenVMS, or Reflection for HP.
  3. Click on Connection > Connection Setup.
  4. In Reflection for UNIX and OpenVMS and Reflection for HP, select Network and SECURE SHELL. These options are automatically selected if you are running Reflection for Secure IT.
  5. In the Host name field, enter the name of the host you will be connecting to.
  6. In the User name field, enter the user name that should be used for the automated transfers.
  7. Click Security.
  8. On the User Keys tab, select the key type and length required to satisfy your corporate security policy, and then click Generate Key.
  9. Select the No passphrase check box, and then click Create. The new private key appears in the User Keys list.
  10. Verify that the new key is selected (a check mark is displayed in the Use column).
  11. Click Upload, and follow the prompts to upload the public key to the remote host. You will most likely be prompted for a password during this process.
  12. Once the upload process has completed, click OK.

Key authentication is now configured for all Reflection SSH, SFTP, and SCP connections from the Windows account you are logged in with, to the specified host, using the specified host account. This includes both Windows-based clients and command line clients.

  13. If a banner requiring user interaction is normally displayed when you connect to the host, on the General tab, change the Logging Level to Quiet. This step is not necessary if you do not have a login banner, or if you are using the command line client, as no user interaction is required in those scenarios.
  14. Click OK.
  15. Click Connect to test the connection.

Step 2: Create a Batch File with Connection Commands

Create a Windows batch file that contains the connection commands appropriate for your task. For a complete list of SFTP, SCP, and SSH syntax and commands, open a Windows command prompt and enter <command> -?, where command is SFTP, SCP, or SSH.

Batch file examples:

"C:\Program Files\Attachmate\RSecure\sftp.exe" -B "C:\path\batch_file.txt" user@host

"C:\Program Files\Attachmate\RSecure\scp.exe" user@host:file "C:\path\file"

cmd /c ""C:\Program Files\Attachmate\RSecure\ssh.exe" user@host ls > "C:\path\file.txt""

Before proceeding, run each batch file manually to ensure it works correctly.

If the batch file is not working, you can collect error and debug logging information for troubleshooting using syntax such as:

"C:\Program Files\Attachmate\RSecure\sftp.exe" -vvv -B "C:\path\batch_file.txt" user@host 1> "C:\path\debug.txt" 2> "C:\path\errors.txt"

Note the following:

  • If you prefer not to create a batch file for the required tasks, you can configure the task to run the appropriate product executable instead (sftp.exe, scp.exe, or ssh.exe). In this case, after creating the task in "Step 5: Configure Windows Scheduled Tasks to Run the Batch Files," edit the task to include the appropriate command syntax, as shown in the examples in Step 2. (This customization is done in the Run field of the Task tab.)
  • If you need to run the batch file or executable with a Windows account other than the one configured for public key authentication, you can use the -k switch to point to the .ssh directory of the configured account, which contains the required keys and configuration file (named config).
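
A batch file wrapper around the sftp.exe example above, added here as an illustration (it is not an Attachmate script). It appends stdout and stderr to log files and returns the sftp.exe exit code, so a failed run shows a value other than 0x0 in the Last Result column. The C:\path\... locations are placeholders as in the examples above, and the script assumes sftp.exe returns a nonzero exit code when the connection or a transfer fails.

```batch
@echo off
setlocal

rem Added example. All paths below are placeholders; adjust them for your system.
set "SFTP=C:\Program Files\Attachmate\RSecure\sftp.exe"
set "CMDS=C:\path\batch_file.txt"
set "TARGET=user@host"
set "LOGDIR=C:\path\logs"

rem A scheduled task has no console, so every message goes to a log file.
if not exist "%LOGDIR%" mkdir "%LOGDIR%"
set "LOG=%LOGDIR%\transfer.log"
set "ERR=%LOGDIR%\errors.log"

rem Fail early with distinct exit codes if a required file is missing.
if not exist "%SFTP%" (
    echo [%DATE% %TIME%] sftp.exe not found: "%SFTP%" >> "%ERR%"
    exit /b 2
)
if not exist "%CMDS%" (
    echo [%DATE% %TIME%] SFTP command file not found: "%CMDS%" >> "%ERR%"
    exit /b 3
)

rem Run the transfer non-interactively with the -B command file.
rem Add -vvv after sftp.exe when you need debug output for troubleshooting.
echo [%DATE% %TIME%] starting transfer to %TARGET% >> "%LOG%"
"%SFTP%" -B "%CMDS%" %TARGET% 1>> "%LOG%" 2>> "%ERR%"
set "RC=%ERRORLEVEL%"
echo [%DATE% %TIME%] sftp.exe exit code %RC% >> "%LOG%"

rem Return the exit code to the Task Scheduler so it appears in Last Result.
exit /b %RC%
```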

Step 3: Assign "Log on as a Batch Job" Permissions

For tasks to be run by the Task Scheduler, Windows requires that the account running the task be logged on to Windows or have "Log on as a batch job" permissions. These permissions are automatically assigned:

  • To members of the Administrator’s group.
  • In Windows XP, if you are a member of the Users group and you create a scheduled task.

Note: When a task is created, these permissions are not automatically added for members of the User's group in Windows Vista.

If the account you plan to use does not have "Log on as a batch job" permissions, follow the steps below to add these permissions to the account.

Warning: For security reasons, we recommend that you only grant these additional privileges to the required user or users.

  1. Log in to the Windows system with an account that is part of the Administrator’s group.
  2. Click Start > Run, in the Open field, enter secpol.msc, and then click OK.
  3. Double-click Local Policies > User Rights Assignment.
  4. Double-click Log on as a batch job.
  5. Click Add User or Group, and add the user or group.
  6. Click OK to save the change and exit the properties window.

Step 4: Assign Account Permissions to the Reflection SSH Com Server

If a scheduled task is configured to run sftp.exe, scp.exe, or ssh.exe, and both of the following are true, the task will fail due to insufficient privileges:

  • The user account used to generate the public keys and to schedule the task does not belong to the Administrator's group, and
  • The user is currently logged out of Windows.

When this occurs, the Last Results column (Last Run Results in Vista) in Scheduled Tasks displays 0x57. This code indicates that additional privileges are required to run the Reflection SSH COM server (rssh.exe) when the user is not logged in to Windows.

The privileges required to run the executable are Local Launch and Local Activation. These permissions are automatically assigned to members of the Administrator's group. If the public key was generated by, and the scheduled task belongs to, a user who is part of the Administrative group, you can skip this section. Otherwise, follow the steps below to add these specific permissions to the user account used to generate the key and run the scheduled task.

Warning: For security reasons, we recommend that you only grant these additional privileges to the required user or users.

  1. Log in to the Windows system with an account that is part of the Administrator’s group.
  2. Click Start > Run, in the Open field, enter dcomcnfg.exe, and then click OK.
  3. Double-click Component Services > Computers > My Computer and click DCOM Config.
  4. Scroll down to the object named {AA76F3C3-B544-4E32-B5CC-38F0B09CB5F}, right-click the object and click Properties. You are now in the properties of the SSH COM object.
Figure 1 - Access the Properties of the SSH COM Object
  5. On the Security tab, in the Launch and Activation Permissions group, select Customize, and then click Edit.
  6. Click Add. Locate and add the required user(s) or group(s), and then click OK.
  7. In the "Group or user names" field, select the user or group.
  8. In the Allow column, select the Local Activation check box, and verify that Local Launch is already selected. (Local Launch should be selected by default.)
Figure 2 - Configure new user (Lilly) for Local Launch and Local Activation Permissions
  9. If you are configuring multiple users or groups, repeat steps 6 through 8 for all users and groups.
  10. Click OK > OK and close the Component Services dialog box.

Step 5: Configure Windows Scheduled Tasks to Run the Batch Files

Follow these steps to automate the file transfer using Scheduled Tasks.

In Windows Vista:

  1. From the Administrative Tools menu, select Task Scheduler.
  2. Click Action > Create Basic Task.
  3. When prompted, enter a name for the task, then set the frequency, start time and start date.
  4. Under Action, select Start a program, click Next, then browse to and select the batch file you created in "Step 2: Create a Batch File with Connection Commands."
  5. Under Finish, select "Open the Properties dialog for this task when I click Finish."
  6. On the General tab of the Properties dialog box, under Security options, verify that the user name shown under "When running the task, use the following user account" is the Windows account used to set up the public key authentication. If not, modify this setting.
  7. Select "Run whether user is logged on or not," and then click OK.

Note: At this point, the following message is displayed if the account does not have "Log on as a batch job" permissions. If you see this message, return to Step 3: Assign "Log on as a Batch Job" Permissions.

Error: "This task requires that the user account specified has Log on as batch job rights. For more information about setting this policy, see the Task Security Context topic on Help."

In Windows XP:

  1. From the Control Panel, select Scheduled Tasks.
  2. In the Scheduled Task Wizard, browse to and select the batch file you created in "Step 2: Create a Batch File with Connection Commands," and then click Open.
  3. When prompted, enter a name for the task, then set the frequency, start time and start date.
  4. Configure the task to run under the Windows account used to set up the public key authentication.
  5. Select "Open advanced properties for this task when I click Finish," and then click Finish.
  6. Make sure that "Run only if logged on" is not selected (the default) and click OK.

At this point you should see your new task listed in the Task Scheduler (or Scheduled Tasks) window.

Test the New Task

While still logged in to Windows, right-click the new task and select Run. If the task successfully runs, the Last Result field in the Scheduled Tasks window should show 0x0. (On Vista, this field also includes the statement "The operation completed successfully.") If you encounter problems, please refer to the following:

  • In Windows Vista, in the Task Scheduler window, select the task, click the History tab, and see if there are any logged errors.
  • In Windows XP, in the Scheduled Tasks window, click Advanced > View Log, and see if there are any logged errors.
  • See Microsoft documentation at http://support.microsoft.com/kb/308558.
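
A command-line equivalent of the Windows Vista steps in Step 5 and of the test run above, using the built-in schtasks.exe tool. This is an added example, not part of the original technical note. The task name, script path, schedule and account are placeholders, and the findstr field names assume an English-language Windows installation.

```batch
@echo off
setlocal

rem Added example for Windows Vista. All three values below are placeholders.
set "TASK=Nightly SFTP transfer"
set "SCRIPT=C:\path\transfer.bat"
set "ACCOUNT=DOMAIN\taskuser"

rem /RU names the account that was used to set up public key authentication.
rem /RP * prompts once for its password and stores it with the task. Because
rem /IT is not given, the task runs whether the user is logged on or not.
schtasks /Create /TN "%TASK%" /TR "%SCRIPT%" /SC DAILY /ST 02:00 /RU "%ACCOUNT%" /RP *
if errorlevel 1 (
    echo Task creation failed for %ACCOUNT%.
    exit /b 1
)

rem Start the task immediately instead of waiting for the schedule.
schtasks /Run /TN "%TASK%"
if errorlevel 1 exit /b 1

rem Give the transfer time to finish, then show the fields that matter:
rem the account the task runs as, its logon mode, and the last result.
timeout /t 30 /nobreak >nul
schtasks /Query /TN "%TASK%" /V /FO LIST | findstr /C:"Run As User" /C:"Logon Mode" /C:"Last Result"
```

A Last Result of 0 in this output corresponds to the 0x0 value shown in the Task Scheduler window.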

Set the final schedule

Once you have verified that the task can be successfully run, make any additional configuration tweaks to the task schedule, and you are done. The automated SSH, SFTP, or SCP task should now run automatically.

Related Technical Notes
2300 Reflection for Secure IT Windows Client Startup Switches
