Charles,

You are correct, but your instructions (to me) confuse the two different types of SSH keypairs:

A) host keys - these are required, and use the keypair set up by the systems administrator that are pointed to by sshd_config (on the remote server). When a user connects to a host, the remote host's public key must already be in the "known_hosts" file. If not, the user is prompted to add it, unless "StrictHostkeyChecking=no" in which case it will be added if it doesn't already exist.

So, host keys can be set up in one of four ways:
1) manually adding the remote host's public key to the /etc/ssh/known_hosts file so that it works for all local clients
2) manually adding the remote host's public key to (each) local userid's ~/.ssh/known_hosts file
3) logging in interactively once using each local userid and accepting the host key (which writes it to ~/.ssh/known_hosts)
4) using "StrictHostkeyChecking=no" so that the host key is automatically added to ~/.ssh/known_hosts the first time

B) user keys - these can be used as an alternative to passwords, and your steps A and B show how to set these up.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Mon, Jul 20, 2009 at 10:34 PM, Charles T. Lester <[email protected]> wrote:

> As Kirk indicates, ssh requires host keys to be set up.  These are the
> instructions I created to set up keys for a system I worked on:
>
> A. Generate keys on USS (z/OS) with: ssh-keygen -t rsa
>    {Hit enter to all prompts
>    The process will conclude with a footprint
>    The public key can be found in .ssh/id_rsa.pub}
>    i.  on the z/OS USS system from where the job will be running
>    ii. using the ID under which the job is submitted.
>
> B. The public key generated by A has to be placed in the
>    ".ssh/authorized_keys" file for the ID to be used on the external side
>
> C. Make an
>    i.   initial connection (we did it with ssh, see below) from
>    ii.  each USS instance using
>    iii. the ID under which the job is submitted to
>    iv.  each external environment in which it needs to run, with
>    v.   the id to be used on the external box
>
> The initial connection usually required the systems security people to be
> involved, and usually required an ssh connection with the StrictHostChecking
> option set, e.g.:
>
>     ssh [...@]boxname [-o StrictHostkeyChecking=no] [< batchScriptFile]
>
> with the square brackets having the standard meanings.
>
> After that, we were able to run sftp from JCL with:
>
>     sftp [-b batchscriptfile][...@]boxname
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List
> > [mailto:[email protected]] On Behalf Of Kirk Wolf
> > Sent: Wednesday, July 15, 2009 6:04 PM
> > To: [email protected]
> > Subject: Re: z/OS Mainframe - SFTP - Disable Publickey
> > Authentication and only use Password?
> >
> > ssh (used by sftp) won't work unless *host* keys are
> > exchanged when the session is set up.  The client has a little
> > database of known host keys and will fail if the server has a
> > different key.  A configuration option allows the OpenSSH
> > client to accept a new host key automatically, otherwise an
> > interactive user is required to acknowledge acceptance.
> >
> > User authentication can be done in a number of ways,
> > including keys and password.  The password is *never* sent in
> > the clear.
> >
> > Kirk Wolf
> > Dovetailed Technologies
> > http://dovetail.com
> >
> > > On Wed, 15 Jul 2009 09:52:17 -0400, Leonard Sasso wrote:
> > >
> > >>I have a Mainframe Batch Job executing the BPXBATCH program to invoke SFTP
> > >>to transfer a file to an external site.
> > >>
> > >>The external site does not require any Authentication.
> > >>
> > >>How do I Disable the Publickey Authentication and only use the Password?
> > >>
> > >>Below are the Execution JCL, Configuration file and Job Output.
> > >>
> > > (rest of message deleted)
> > >
> > > Whoever wrote the JCL seems to think that the batchfile indicated by
> > > the "-b" option of sftp can contain a userid and password, but it can't.
> > > I am puzzled by your statement that the external site doesn't require any
> > > authentication.
> > > Maybe someone at the external site can tell you what that means.
> > >
> > > Bill
> > >
> > > ----------------------------------------------------------------------
> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > > email to [email protected] with the message: GET IBM-MAIN INFO
> > > Search the archives at http://bama.ua.edu/archives/ibm-main.html
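
Added example, not part of the original thread and not OpenSSH's own code: a Python sketch of the host-key lookup described in the messages above, returning "match", "unknown" (where the client prompts, or adds the key when "StrictHostkeyChecking=no") or "changed" (where the client fails), plus the manual provisioning route with the fingerprint compared against a value obtained out of band. The host name and both keys are constructed, and only plain known_hosts entries are handled.

```python
import base64, hashlib, struct

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def entries(known_hosts_text):
    """Yield (hosts, keytype, key_b64) for plain entries.
    Hashed names (|1|...) and @marker lines are skipped in this sketch."""
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@", "|")):
            continue
        yield parts[0].split(","), parts[1], parts[2]

def check_host(known_hosts_text, host, keytype, key_b64):
    """Return 'match', 'changed' or 'unknown' for the key a server offers."""
    seen = False
    for hosts, ktype, stored in entries(known_hosts_text):
        if host in hosts and ktype == keytype:
            if stored == key_b64:
                return "match"
            seen = True
    return "changed" if seen else "unknown"

def pin_host_key(known_hosts_text, host, keytype, key_b64, expected_fp):
    """Manual provisioning: append the key only if its fingerprint equals the
    value obtained out of band from the remote administrator."""
    if fingerprint(key_b64) != expected_fp:
        raise ValueError("fingerprint mismatch, key not added")
    if check_host(known_hosts_text, host, keytype, key_b64) == "match":
        return known_hosts_text
    sep = "" if not known_hosts_text or known_hosts_text.endswith("\n") else "\n"
    return known_hosts_text + f"{sep}{host} {keytype} {key_b64}\n"

def make_key(seed):
    """Constructed ssh-ed25519 blob for the demo (not a real server key)."""
    name, raw = b"ssh-ed25519", bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(blob).decode()

GOOD, OTHER = make_key(1), make_key(2)   # constructed sample keys
HOST = "sftp.example.com"                # hypothetical host name

if __name__ == "__main__":
    db = pin_host_key("", HOST, "ssh-ed25519", GOOD, fingerprint(GOOD))
    for text, key in (("", GOOD), (db, GOOD), (db, OTHER)):
        print(check_host(text, HOST, "ssh-ed25519", key))
```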

