On Wed, Feb 8, 2017 at 12:35 PM, saurabh khandelwal <[email protected]> wrote:
> But is there any way to resolve this issue without any third-party product?
>
When I do a batch transfer using sftp, I make sure that the SSH
certificate used on the z/OS side does not have a "passphrase". I think
that is why it is complaining about /dev/tty not existing. My JCL looks
like:
//PS001 EXEC PGM=BPXBATCH,REGION=0M,
// PARM='SH echo "quit" | sftp -v rsid@${LINUX}'
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
//STDIN DD PATH='/dev/null',
// PATHOPTS=(ORDONLY)
//STDENV DD *
/*
Of course, this can be a very bad security gap. I avoid this by having the
id on the remote side be "special purpose" so that it can't do much of
anything. That is, it has a unique GID all of its own.
>
> On Jan 31, 2017 3:33 PM, "Carlos Bodra - Pessoal" <[email protected]>
> wrote:
>
> > Check MDI product at luminex.com for fast and secure SFTP or FTP
> >
> > Carlos Bodra
> > IBM System Certified System z
> > São Paulo - Brazil
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:[email protected]] On
> > behalf of venkat kulkarni
> > Sent: Sunday, January 29, 2017 14:38
> > To: [email protected]
> > Subject: SFTP on z/OS
> >
> > Hello Group,
> >
> >
> >
> > We tested SFTP from our test z/OS system to a test AIX box and we are able to
> > transfer data between these hosts. But now, I am trying in the production
> > system with the details below.
> >
> >
> >
> > 1) Our aim is to convert all our FTP jobs into SFTP.
> >
> > 2) We are using $universe as scheduler for submitting these FTP jobs on
> > time to time.
> >
> > 3) We are using a user called "STCSYS" for all these jobs.
> >
> > 4) But in FTP jobs, for every other host (e.g. AIX1, AIX2, AIX3, etc.) we are
> > using a different user id and password to log in to the target host and then
> > start the FTP process.
> >
> > 5) But in SFTP, it creates a TSO env using the IKJEFT01 program and then runs
> > SFTP commands to transfer files between systems.
> >
> >
> >
> > Example of the SFTP job we are using:
> >
> > //SFTPSFT JOB (7330),MSGCLASS=X,MSGLEVEL=(1,1),CLASS=P,
> > // NOTIFY=&SYSUID
> > //STEP1 EXEC PGM=IKJEFT01,REGION=0M
> > //SYSEXEC DD DISP=SHR,DSN=SYS1.SBPXEXEC
> > //SYSTSIN DD DSN=SFTPSFT.TEST.JCL(FTPTST1),DISP=SHR
> > //OUTPUT DD SYSOUT=*
> > //SYSTSPRT DD SYSOUT=*
> > /*
> >
> >
> >
> > EDIT SFTPSFT.TEST.JCL(FTPTST1) - 01.02
> >
> > OPUT 'SFTPSFT.SFTP.TEST(SFTP1)' '/u/SFTPSFT/vp12'
> > OSHELL { echo 'lcd /u/stcsys' ; +
> > echo 'ascii'; +
> > echo 'cd /home/ftp4rpt/'; +
> > echo 'mput test.txt'; } | +
> > sftp -v [email protected]
> > /*
> >
> >
> >
> >
> >
> > So, now I have stcsys user id created on mainframe with all
> >
> >
> >
> > # cd .ssh
> > # ls -al
> > total 96
> > drwx------ 2 MEAS OMVSGRP 8192 Jan 24 08:23 .
> > drwxr-xr-x 3 MEAS OMVSGRP 8192 Jan 24 08:22 ..
> > -rw------- 1 MEAS OMVSGRP 791 Jan 24 08:36 authorized_keys
> > -rw------- 1 MEAS OMVSGRP 1675 Jan 24 08:23 id_rsa
> > -rw-r--r-- 1 MEAS OMVSGRP 396 Jan 24 08:25 id_rsa.pub
> > -rw-r--r-- 1 MEAS OMVSGRP 697 Jan 29 10:26 known_hosts
> > # pwd
> > /u/stcsys/.ssh
> >
> >
> >
> >
> > and in AIX1 side, I have ftprpt user defined and
> >
> >
> >
> > $ cd /home/ftprpt /.ssh
> > $ ls -al
> > total 48
> > drwx------ 2 ftprpt staff 256 Jan 13 15:37 .
> > drwxr-xr-x 3 ftprpt staff 4096 Jan 15 12:15 ..
> > -rw-r--r-- 1 ftprpt staff 791 Jan 15 12:12 authorized_keys
> > -rw-r--r-- 1 ftprpt staff 395 Jan 13 15:37 authorized_keys.old
> > -rw------- 1 ftprpt staff 1675 Dec 11 14:25 id_rsa
> > -rw-r--r-- 1 ftprpt staff 394 Dec 11 14:25 id_rsa.pub
> > -rw-r--r-- 1 ftprpt staff 352 Jan 15 10:31 known_hosts
> > $
> >
> >
> >
> >
> >
> >
> >
> > and we exchanged rsa.pub key in authorized_keys file and exchanged
> > ECDSA.pub key in known_hosts file but while running Job, I am getting
> > below issue.
> >
> >
> >
> > OpenSSH_6.4, OpenSSL 1.0.1c 10 May 2012
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Reading configuration data /etc/ssh/zos_ssh_config
> > debug1: zsshSmfSetConnSmfStatus: SMF status is 0
> > debug1: Connecting to 10.22.22.220 [10.22.22.220] port 22.
> > debug1: Connection established.
> > debug1: cipher_init: none from source OpenSSL
> > debug1: cipher_init: none from source OpenSSL
> > debug1: permanently_set_uid: 0/1000
> > debug1: identity file /u/stcsys/.ssh/id_rsa type 1
> > debug1: identity file /u/stcsys/.ssh/id_rsa-cert type -1
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_6.4
> > debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
> > debug1: match: OpenSSH_6.0 pat OpenSSH*
> > FOTS1061 key_read: uudecode AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAAB
> > failed
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: mac_setup_by_alg: hmac-sha1 from source OpenSSL
> > debug1: kex: server->client aes128-ctr hmac-sha1 none
> > debug1: mac_setup_by_alg: hmac-sha1 from source OpenSSL
> > debug1: kex: client->server aes128-ctr hmac-sha1 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug1: Server host key: RSA ce:14:d1:2f:b2:d1:7c:83:12:9a:16:1e:31:9d:b6:b7
> > FOTS1061 key_read: uudecode AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAAB
> > failed
> > debug1: read_passphrase: can't open /dev/tty: EDC5128I No such device. (errno2=0
> > FOTS1370 Host key verification failed.
> > debug1: zsshSmfSetConnSmfStatus: SMF status is 0
> > FOTS0841 Connection closed
> >
> >
> >
> >
> >
> > Can you please help, if I am not following correct way on this new setup
> > or I should be using same userid on both mainframe and aix side for
> > exchanging keys with password less.
> >
> >
> >
> > Thanks in advance.
> >
> >
> >
> > Thanks & Regards
> >
> > Venkat
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions, send email
> > to [email protected] with the message: INFO IBM-MAIN
>
--
Our calculus classes are an integral part of your education.
Maranatha! <><
John McKown
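
The debug log quoted in this thread prints "FOTS1061 key_read: uudecode ... failed" twice before "FOTS1370 Host key verification failed". As an added example (not part of the thread and not OpenSSH code), this Python check flags known_hosts entries whose key text does not decode or is structurally truncated; the host name aix1.example and the all-zero key are constructed, and certificate key types are not handled.

```python
import base64
import binascii
import struct

def ssh_string(data: bytes) -> bytes:  # 4-byte big-endian length, then data
    return struct.pack(">I", len(data)) + data

def check_entry(line: str):
    """Return None for a well-formed known_hosts entry, else the reason."""
    fields = line.split()
    if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        return "expected 'hosts keytype base64-key'"
    keytype, b64 = fields[1], fields[2]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "key is not valid base64 (truncated or line-wrapped?)"
    # A plain public-key blob is a run of length-prefixed fields; the first
    # field repeats the key type.
    off, parts = 0, []
    while off < len(blob):
        if off + 4 > len(blob):
            return "key blob is truncated"
        (n,) = struct.unpack(">I", blob[off:off + 4])
        parts.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if off != len(blob):
        return "key blob is truncated"
    if not parts or parts[0] != keytype.encode():
        return "key type in blob differs from declared type"
    return None

def audit_known_hosts(text: str):
    """Return [(line_number, reason)] for every malformed entry."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            reason = check_entry(line)
            if reason:
                problems.append((lineno, reason))
    return problems

# Constructed sample: a valid entry (all-zero Ed25519 key, hypothetical host) and
# an entry holding the key text exactly as the FOTS1061 message printed it.
GOOD = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
SAMPLE = (f"# constructed\naix1.example ssh-ed25519 {GOOD}\n"
          "10.22.22.220 ecdsa-sha2-nistp256 "
          "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAAB\n")
print(audit_known_hosts(SAMPLE))
```

Run against a copy of the batch user's known_hosts by passing the file contents to audit_known_hosts; an empty list means every entry parsed.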