Kirk is correct. The instructions were designed to step someone through the process of creating both the user keys and getting both them and the (already established) host keys set up in the proper locations on both systems to allow jobs containing non-interactive sftp sessions to transfer data between the systems.

Charles T. Lester
Lester & Associates Consulting Services, LLC
P.O. Box 75060
Fort Thomas, KY 41075-0060
859-838-4294
Lesterandassociates =at= fuse =dot= net

> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:[email protected]] On Behalf Of Kirk Wolf
> Sent: Tuesday, July 21, 2009 9:55 AM
> To: [email protected]
> Subject: Re: z/OS Mainframe - SFTP - Disable Publickey
> Authentication and only use Password?
>
> Charles,
>
> You are correct, but your instructions (to me) confuse the two
> different types of SSH keypairs:
>
> A) host keys - these are required, and use the keypair set up by the
> systems administrator that are pointed to by sshd_config (on the
> remote server).
> When a user connects to a host, the remote host's public key must
> already be in the "known_hosts" file. If not, the user is prompted to
> add it, unless "StrictHostkeyChecking=no" in which case it will be
> added if it doesn't already exist.
>
> So, host keys can be set up in one of four ways:
> 1) manually adding the remote host's public key to the
>    /etc/ssh/known_hosts file so that it works for all local clients
> 2) manually adding the remote host's public key to (each) local
>    userid's ~/.ssh/known_hosts file
> 3) logging in interactively once using each local userid and
>    accepting the host key (which writes it to ~/.ssh/known_hosts)
> 4) using "StrictHostkeyChecking=no" so that the host key is
>    automatically added to ~/.ssh/known_hosts the first time
>
> B) user keys - these can be used as an alternative to passwords, and
> your steps A and B show how to set these up.
>
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
>
> On Mon, Jul 20, 2009 at 10:34 PM, Charles T. Lester <
> [email protected]> wrote:
>
> > As Kirk indicates, ssh requires host keys to be set up. These are the
> > instructions I created to set up keys for a system I worked on:
> >
> > A. Generate keys on USS (z/OS) with: ssh-keygen -t rsa
> >    {Hit enter to all prompts
> >    The process will conclude with a footprint
> >    The public key can be found in .ssh/id_rsa.pub}
> >    i. on the z/OS USS system from where the job will be running
> >    ii. using the ID under which the job is submitted.
> >
> > B. The public key generated by A has to be placed in the
> >    ".ssh/authorized_keys" file for the ID to be used on the external side
> >
> > C. Make an
> >    i. initial connection (we did it with ssh, see below) from
> >    ii. each USS instance using
> >    iii. the ID under which the job is submitted to
> >    iv. each external environment in which it needs to run, with
> >    v. the id to be used on the external box
> >
> > The initial connection usually required the systems security people to
> > be involved, and usually required an ssh connection with the
> > StrictHostChecking option set, e.g.:
> >
> > ssh [...@]boxname [-o StrictHostkeyChecking=no] [< batchScriptFile]
> >
> > with the square brackets having the standard meanings.
> >
> > After that, we were able to run sftp from JCL with:
> >
> > sftp [-b batchscriptfile][...@]boxname
> >
> > > -----Original Message-----
> > > From: IBM Mainframe Discussion List
> > > [mailto:[email protected]] On Behalf Of Kirk Wolf
> > > Sent: Wednesday, July 15, 2009 6:04 PM
> > > To: [email protected]
> > > Subject: Re: z/OS Mainframe - SFTP - Disable Publickey
> > > Authentication and only use Password?
> > >
> > > ssh (used by sftp) won't work unless *host* keys are exchanged when
> > > the session is set up. The client has a little database of known
> > > host keys and will fail if the server has a different key. A
> > > configuration option allows the OpenSSH client to accept a new host
> > > key automatically, otherwise an interactive user is required to
> > > acknowledge acceptance.
> > >
> > > User authentication can be done in a number of ways, including keys
> > > and password. The password is *never* sent in the clear.
> > >
> > > Kirk Wolf
> > > Dovetailed Technologies
> > > http://dovetail.com
> > >
> > > On Wed, 15 Jul 2009 09:52:17 -0400, Leonard Sasso wrote:
> > > >
> > > >>I have a Mainframe Batch Job executing the BPXBATCH program to invoke SFTP
> > > >>to transfer a file to an external site.
> > > >>
> > > >>The external site does not require any Authentication.
> > > >>
> > > >>How do I Disable the Publickey Authentication and only use the Password?
> > > >>
> > > >>Below are the Execution JCL, Configuration file and Job Output.
> > > >>
> > > > (rest of message deleted)
> > > >
> > > > Whoever wrote the JCL seems to think that the batchfile indicated by
> > > > the "-b" option of sftp can contain a userid and password, but it
> > > > can't. I am puzzled by your statement that the external site doesn't
> > > > require any authentication.
> > > > Maybe someone at the external site can tell you what that means.
> > > >
> > > > Bill
> > > >
> > > > ----------------------------------------------------------------------
> > > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > > > email to [email protected] with the message: GET IBM-MAIN INFO
> > > > Search the archives at http://bama.ua.edu/archives/ibm-main.html
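
A simplified model of the client-side host-key check discussed in this thread, added here as an illustration (it is not code from any of the posters or from OpenSSH). It contrasts a known_hosts file populated by hand (methods 1 and 2) with automatic acceptance under StrictHostkeyChecking=no (method 4). The host name sftp.example.net, the function names and the sample keys are constructed, and only plain (unhashed) known_hosts entries are handled.

```python
import base64
import hashlib
import struct


def make_ed25519_blob(raw32: bytes) -> str:
    """Build the base64 key field of an ssh-ed25519 public key line."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return base64.b64encode(blob).decode()


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form printed by ssh-keygen -l."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def lookup(known_hosts: str, host: str) -> list:
    """Return the key field of every plain entry that lists host."""
    keys = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue  # comments, markers and hashed names are out of scope here
        if host in fields[0].split(","):
            keys.append(fields[2])
    return keys


def check_host_key(known_hosts: str, host: str, offered_b64: str, strict: bool):
    """Return (verdict, known_hosts) for a key offered by host."""
    known = lookup(known_hosts, host)
    if offered_b64 in known:
        return "match", known_hosts
    if known:
        return "changed", known_hosts  # a different key for a known host
    if strict:
        return "unknown-rejected", known_hosts  # a batch job cannot answer a prompt
    # StrictHostkeyChecking=no: the key is stored on first use, unverified
    return "unknown-added", known_hosts + f"{host} ssh-ed25519 {offered_b64}\n"


# Constructed sample keys (not real host keys)
REAL_KEY = make_ed25519_blob(bytes(range(32)))
OTHER_KEY = make_ed25519_blob(bytes(range(1, 33)))
# Methods 1 and 2: the administrator installs the verified line by hand
PINNED = f"# constructed sample\nsftp.example.net ssh-ed25519 {REAL_KEY}\n"
```

With PINNED in place a batch job passes strict checking without any prompt. With an empty file and strict=False, whichever key answers first is the one that gets stored, so comparing fingerprint() of the stored key against a value obtained from the remote site's administrator is the check that closes that gap.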

