As Kirk indicates, ssh requires host keys to be set up. These are the
instructions I created to set up keys for a system I worked on:

A. Generate keys on USS (z/OS) with: ssh-keygen -t rsa
                {Hit enter to all prompts
                 The process will conclude with a footprint
                 The public key can be found in .ssh/id_rsa.pub}
        i. on the z/OS USS system from where the job will be running
        ii. using the ID under which the job is submitted.

B. The public key generated by A has to be placed in the
".ssh/authorized_keys" file for the ID to be used on the external side

C. Make an 
        i. initial connection (we did it with ssh, see below) from
        ii. each USS instance using
        iii. the ID under which the job is submitted to
        iv. each external environment in which it needs to run, with
        v. the id to be used on the external box 

The initial connection usually required the systems security people to be
involved, and usually required an ssh connection with the StrictHostKeyChecking
option set, e.g.:

ssh [...@]boxname [-o StrictHostkeyChecking=no] [< batchScriptFile]

with the square brackets having the standard meanings.

After that, we were able to run sftp from JCL with:

sftp [-b batchscriptfile][...@]boxname





> -----Original Message-----
> From: IBM Mainframe Discussion List 
> [mailto:[email protected]] On Behalf Of Kirk Wolf
> Sent: Wednesday, July 15, 2009 6:04 PM
> To: [email protected]
> Subject: Re: z/OS Mainframe - SFTP - Disable Publickey 
> Authentication and only use Password?
> 
> ssh (used by sftp) won't work unless *host* keys are 
> exchanged when the session is set up.  The client has a little 
> database of known host keys and will fail if the server has a 
> different key.  A configuration option allows the OpenSSH 
> client to accept a new host key automatically, otherwise an 
> interactive user is required to acknowledge acceptance.
> 
> User authentication can be done in a number of ways, 
> including keys and password.  The password is *never* sent in 
> the clear.
> 
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
> 

> > On Wed, 15 Jul 2009 09:52:17 -0400, Leonard Sasso wrote:
> >
> >>I have a Mainframe Batch Job executing the BPXBATCH program to invoke SFTP
> >>to transfer a file to an external site.
> >>
> >>The external site does not require any Authentication.
> >>
> >>How do I Disable the Publickey Authentication and only use the Password?
> >>
> >>Below are the Execution JCL, Configuration file and Job Output.
> >>
> > (rest of message deleted)
> >
> > Whoever wrote the JCL seems to think that the batchfile indicated by the
> > "-b" option of sftp can contain a userid and password, but it can't. I am
> > puzzled by your statement that the external site doesn't require any
> > authentication.
> > Maybe someone at the external site can tell you what that means.
> >
> > Bill
> >
> > 
> ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access 
> instructions, send 
> > email to [email protected] with the message: GET IBM-MAIN INFO 
> > Search the archives at http://bama.ua.edu/archives/ibm-main.html

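Added example, not part of the original thread: instead of accepting whatever host key the first connection presents, the key supplied by the external box's administrators can be compared with the offered key and pinned in known_hosts, and a later change is reported rather than accepted. The function names `key_of` and `pin_host_key` are hypothetical, the key lines are constructed placeholders, and plain (unhashed, one name per line) known_hosts entries are assumed.

```shell
#!/bin/sh
# Added example: pin a host key that was verified out of band.
# Assumes plain known_hosts entries (one host name per line, HashKnownHosts off).

# Constructed placeholder key lines, not real keys; "boxname" is the page's placeholder.
SAMPLE_TRUSTED='boxname ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCONSTRUCTEDSAMPLEKEY admin-supplied'
SAMPLE_OFFERED='boxname ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCONSTRUCTEDSAMPLEKEY'
SAMPLE_ROGUE='boxname ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDIFFERENTSAMPLEKEY00'

# key_of LINE -> prints "type blob" from "host type blob [comment]", empty if malformed
key_of() {
    printf '%s\n' "$1" | awk 'NF >= 3 { print $2, $3 }'
}

# pin_host_key KNOWN_HOSTS HOST OFFERED_LINE TRUSTED_LINE
#   OFFERED_LINE: the key line the server presented (for example ssh-keyscan output)
#   TRUSTED_LINE: the same host's key line as supplied by its administrators
# Returns 0 if pinned (or already pinned), 2 if offered and trusted keys differ,
# 3 if known_hosts already holds a different key of that type for HOST.
pin_host_key() {
    kh=$1; host=$2
    offered=$(key_of "$3")
    trusted=$(key_of "$4")
    [ -n "$offered" ] && [ "$offered" = "$trusted" ] || return 2
    ktype=${offered%% *}
    if [ -f "$kh" ]; then
        stored=$(awk -v h="$host" -v t="$ktype" \
            '$1 == h && $2 == t { print $2, $3; exit }' "$kh")
        if [ -n "$stored" ]; then
            [ "$stored" = "$offered" ] && return 0
            return 3
        fi
    fi
    printf '%s %s\n' "$host" "$offered" >> "$kh"
}

# Demo on a scratch file, using the constructed sample lines above.
demo_kh=$(mktemp)
pin_host_key "$demo_kh" boxname "$SAMPLE_OFFERED" "$SAMPLE_TRUSTED" && echo "pinned"
pin_host_key "$demo_kh" boxname "$SAMPLE_ROGUE" "$SAMPLE_TRUSTED" || echo "rejected: rc=$?"
pin_host_key "$demo_kh" boxname "$SAMPLE_ROGUE" "$SAMPLE_ROGUE" || echo "key changed: rc=$?"
rm -f "$demo_kh"
```

With the key pinned this way, the batch ssh and sftp steps can run with `-o StrictHostKeyChecking=yes`, so a changed host key makes the job fail instead of being accepted.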