You need to place the z/OS public_rsa key into the authorized key file on
the Linux guest and make sure that the SSHD is configured to allow
authorization via public key. I don't believe you can provide a password in
a batch job, but you could try it interactively and see if that is the
problem.

[email protected]
Sent by: [email protected]
12/23/2008 12:32 PM
Please respond to: [email protected]
To: [email protected]
cc:
Subject: SFTP Authentication Question

I'm trying to change over from FTP to SFTP on Linux.  I've created a userid
sftpzos on the linux guest.  I've created a .ssh/authorized_key file in his
home directory and populated it with the public key from z/OS.  On z/OS I
executed the ssh-keyscan and have placed the output in the
/etc/ssh/ssh_known_hosts file.  I do not run SSHD on z/OS.  Only the linux
guest runs SSHD.

I then submit a batch SFTP on z/OS to log in to the linux guest with userid
sftpzos.

Below is some of the job output

debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: match line 49
debug1: Host '172.29.251.106' is known and matches the RSA host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:49
debug2: bits set: 506/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /u/oss08/sftp/id_dsa (1ce1e050)
debug2: key: /u/oss08/sftp/id_rsa (1ce1e1e0)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /u/oss08/sftp/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: /u/oss08/sftp/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
FOTS1373 Permission denied (publickey,keyboard-interactive).
FOTS0841 Connection closed

In /var/log/messages I see this

Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug3: fd 4 is not O_NONBLOCK
Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug1: Forked child 19717.
Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug3: send_rexec_state: entering fd = 7 config len 557
Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug3: ssh_msg_send: type 0
Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug3: send_rexec_state: done
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: inetd sockets after dupping: 3, 3
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: Connection from 172.29.249.10 port 2103
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.*
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: Enabling compatibility mode for protocol 2.0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: Local version string SSH-2.0-OpenSSH_4.1
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: fd 3 setting O_NONBLOCK
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: Network child is on pid 19718
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: preauth child monitor started
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_moduli: got parameters: 1024 1024 8192
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering: type 1
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 0 used once, disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 4
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_sign
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_sign: signature 0x80070b80(143)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering: type 5
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 4 used once, disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 6
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_pwnamallow
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering: type 7
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 6 used once, disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 45
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: initializing for "sftpzos"
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: Trying to reverse map address 172.29.249.10.
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: setting PAM_RHOST to "osa-test.nfcu.net"
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: setting PAM_TTY to "ssh"
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 45 used once, disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 3
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_authserv: service=ssh-connection, style=
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 3 used once, disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 20
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed: key_from_blob: 0x80080480
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100 (e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: restore_uid: 0/0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100 (e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: restore_uid: 0/0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed: key 0x80080480 is disallowed
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering: type 21
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 20
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed: key_from_blob: 0x8007f470
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100 (e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: restore_uid: 0/0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100 (e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: restore_uid: 0/0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed: key 0x8007f470 is disallowed
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering: type 21
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: do_cleanup
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: cleanup
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: PAM: sshpam_thread_cleanup entering
Dec 23 14:53:56 OSA-LNX5 sshd[17273]: debug2: channel 0: rcvd adjust 1
Dec 23 14:53:57 OSA-LNX5 sshd[17273]: debug2: channel 0: rcvd adjust 19
Dec 23 14:53:58 OSA-LNX5 sshd[17273]: debug2: channel 0: rcvd adjust 2


Two things that have caught my attention.  The first - why is it going
after /root/.ssh/authorized_keys when in the ssh_config file I have
expressly stated to use sftpzos?  I did place an authorized key file
in /root/.ssh, but it didn't make any difference.  I have the same problem.
The other item that caught my attention is PAM.  I have a feeling PAM might
be my problem but I am not sure.

This is the PAM configuration file for SSHD

14:54:39 OSA-LNX5:/etc/pam.d #more sshd
#%PAM-1.0
auth     required       pam_unix2.so    # set_secrpc
auth     required       pam_nologin.so
auth     required       pam_env.so
account  required       pam_unix2.so
account  required       pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session  required       pam_unix2.so    none # trace or debug
session  required       pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session  optional       pam_resmgr.so fake_ttyname

I think the password required is my problem.

I can't figure out how to use keys.

Any and all help is greatly appreciated.  I've spent half my day in google
and the light bulb hasn't come on yet.

Thank you, in advance, for your help and especially your patience.

Mary Elwood
NFCU

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
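
The server-side checks the reply describes (key present in the authorized keys file, sshd set to allow public-key authentication), as an added example that is not part of the original thread. The function names, arguments and demo data are constructed for illustration; the demo covers a key saved under a file name that sshd does not read by default, and Match blocks in sshd_config are not evaluated.

```sh
#!/bin/sh
# Added example; paths are arguments, the demo data below is constructed.

# Print the first (effective) value of an sshd_config keyword, else DEFAULT.
sshd_opt() {   # usage: sshd_opt CONFIG KEYWORD DEFAULT
    awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Print each problem that makes sshd skip the key; return the problem count.
check_pubkey_setup() {   # usage: check_pubkey_setup HOME PUBKEY SSHD_CONFIG
    home=$1 pub=$2 conf=$3 bad=0
    [ "$(sshd_opt "$conf" PubkeyAuthentication yes)" = yes ] ||
        { echo "PubkeyAuthentication is not yes"; bad=$((bad + 1)); }
    akf=$(sshd_opt "$conf" AuthorizedKeysFile .ssh/authorized_keys)
    case $akf in
        /*|%h/*) file=$(printf '%s\n' "$akf" | sed "s|%h|$home|") ;;
        *)       file=$home/$akf ;;   # relative paths are under the home dir
    esac
    echo "sshd reads: $file"
    if [ ! -f "$file" ]; then
        echo "missing: $file"; bad=$((bad + 1))
    else
        blob=$(awk '{ print $2; exit }' "$pub")   # base64 key material
        grep -qF -- "$blob" "$file" ||
            { echo "key not listed in $file"; bad=$((bad + 1)); }
    fi
    # StrictModes (default yes) refuses group/world-writable home, dir or file.
    for p in "$home" "$(dirname "$file")" "$file"; do
        if [ -e "$p" ] && ls -ld "$p" | cut -c6,9 | grep -q w; then
            echo "group/world writable: $p"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Demo: constructed home dir whose key file is named authorized_key (no "s").
demo=$(mktemp -d)
mkdir -p "$demo/home/.ssh"
chmod 755 "$demo/home"; chmod 700 "$demo/home/.ssh"
echo "ssh-rsa AAAAB3CONSTRUCTEDPLACEHOLDER zos-batch" > "$demo/id_rsa.pub"
cp "$demo/id_rsa.pub" "$demo/home/.ssh/authorized_key"
: > "$demo/sshd_config"   # empty config: sshd defaults apply
check_pubkey_setup "$demo/home" "$demo/id_rsa.pub" "$demo/sshd_config" ||
    echo "problems found: $?"
rm -rf "$demo"
```

Run it on the Linux guest as root with the account's real home directory, the public key copied from z/OS, and /etc/ssh/sshd_config.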


