Mary,
Another way of doing this is to install PERL SFTP or SSH-Expect. SFTP for
PERL is more involved, whereas Expect is less involved. You can get those
PERL packages from CPAN, assuming you can install this on z/OS USS.
Just google "cpan ssh expect" or "sftp" and you will see what I mean.
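
#!/usr/bin/perl
use strict;
use warnings;
use Net::SSH::Expect;
use Expect;    # spawn/expect/send/interact below are Expect methods

# Single quotes keep Perl from interpolating the '@' in the user@host argument.
my $expt = Expect->spawn('sftp -b cmdFile [email protected]');
$expt->expect(3, "password:");    # wait up to 3 seconds for the password prompt
$expt->send("Password4\n");       # answer the prompt with the password
$expt->interact;                  # hand the session back to the terminal
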
Mary Elwood <mary_elw...@navyfederal.org>
Sent by: Linux on 390 Port <[email protected]IST.EDU>
12/23/2008 03:32 PM
Please respond to: Linux on 390 Port <[email protected]IST.EDU>
To: [email protected]
cc:
Subject: SFTP Authentication Question

I'm trying to change over from FTP to SFTP on Linux. I've created a userid
sftpzos on the linux guest. I've created a .ssh/authorized_key file in his
home directory and populated it with the public key from z/OS. On z/OS I
executed the ssh-keyscan and have placed the output in
the /etc/ssh/ssh_known_hosts file. I do not run SSHD on z/OS. Only the
linux guest runs SSHD.
I then submit a batch SFTP on z/OS to log in to the linux guest with userid
sftpzos.
Below is some of the job output
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: match line 49
debug1: Host '172.29.251.106' is known and matches the RSA host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:49
debug2: bits set: 506/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /u/oss08/sftp/id_dsa (1ce1e050)
debug2: key: /u/oss08/sftp/id_rsa (1ce1e1e0)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /u/oss08/sftp/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: /u/oss08/sftp/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
FOTS1373 Permission denied (publickey,keyboard-interactive).
FOTS0841 Connection closed
In /var/log/messages I see this
Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug3: fd 4 is not O_NONBLOCK
Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug1: Forked child 19717.
Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug3: send_rexec_state: entering fd
= 7 config len 557
Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug3: ssh_msg_send: type 0
Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug3: send_rexec_state: done
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: rexec start in 4 out 4
newsock 4 pipe 6 sock 7
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: inetd sockets after dupping:
3, 3
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: Connection from 172.29.249.10 port
2103
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: Client protocol version 2.0;
client software version OpenSSH_3.8.1p1
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: match: OpenSSH_3.8.1p1 pat
OpenSSH_3.*
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: Enabling compatibility mode
for protocol 2.0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: Local version string
SSH-2.0-OpenSSH_4.1
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: fd 3 setting O_NONBLOCK
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: Network child is on pid 19718
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: preauth child monitor started
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking
request 0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_moduli: got
parameters: 1024 1024 8192
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering:
type 1
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 0 used once,
disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking
request 4
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_sign
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_sign: signature
0x80070b80(143)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering:
type 5
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 4 used once,
disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking
request 6
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_pwnamallow
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_pwnamallow: sending
MONITOR_ANS_PWNAM: 1
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering:
type 7
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 6 used once,
disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking
request 45
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: initializing for
"sftpzos"
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: Trying to reverse map address
172.29.249.10.
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: setting PAM_RHOST to
"osa-test.nfcu.net"
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: setting PAM_TTY to "ssh"
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 45 used once,
disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking
request 3
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_authserv:
service=ssh-connection, style=
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 3 used once,
disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking
request 20
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed:
key_from_blob: 0x80080480
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100
(e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key
file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: restore_uid: 0/0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100
(e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key
file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: restore_uid: 0/0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed: key
0x80080480 is disallowed
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering:
type 21
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking
request 20
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed:
key_from_blob: 0x8007f470
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100
(e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key
file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: restore_uid: 0/0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100
(e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key
file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: restore_uid: 0/0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed: key
0x8007f470 is disallowed
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering:
type 21
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: do_cleanup
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: cleanup
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: PAM: sshpam_thread_cleanup
entering
Dec 23 14:53:56 OSA-LNX5 sshd[17273]: debug2: channel 0: rcvd adjust 1
Dec 23 14:53:57 OSA-LNX5 sshd[17273]: debug2: channel 0: rcvd adjust 19
Dec 23 14:53:58 OSA-LNX5 sshd[17273]: debug2: channel 0: rcvd adjust 2
Two things that have caught my attention. The first - why is it going
after /root/.ssh/authorized_keys when in the ssh_config file I have
expressly stated to use sftpzos. I did place an authorized key file
in /root/.ssh, but it didn't make any difference. I have the same problem.
The other item that caught my attention is PAM. I have a feeling PAM might
be my problem but I am not sure.
This is the PAM configuration file for SSHD
14:54:39 OSA-LNX5:/etc/pam.d #more sshd
#%PAM-1.0
auth     required       pam_unix2.so    # set_secrpc
auth     required       pam_nologin.so
auth     required       pam_env.so
account  required       pam_unix2.so
account  required       pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session  required       pam_unix2.so    none # trace or debug
session  required       pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session  optional      pam_resmgr.so fake_ttyname
I think the password required is my problem.
I can't figure out how to use keys.
Any and all help is greatly appreciated. I've spent half my day in google
and the light bulb hasn't come on yet.
Thank you, in advance, for your help and especially your patience.
Mary Elwood
NFCU
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or
visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
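
Added example (not part of either message): a small Python triage script for sshd debug output like the log quoted above. It rejoins the hard-wrapped lines and reports, per sshd PID, the login name, the uid sshd switched to, the authorized_keys path it tried, and how many offered keys were rejected. The sample log is constructed in the shape of the quoted lines, and the function names are made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the sshd debug output quoted above,
# including the mail client's hard line wraps.
SAMPLE = """\
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: initializing for
"sftpzos"
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100
(e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key
file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed: key
0x80080480 is disallowed
"""
ENTRY = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:]{8} \S+ sshd\[(\d+)\]: (.*)$")

def unwrap(text):
    """Rejoin hard-wrapped syslog lines; return a list of [pid, message]."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries and line.strip():
            entries[-1][1] += " " + line.strip()  # continuation of previous entry
    return entries

def summarize(text):
    """Per sshd PID: login name, uid sshd switched to, key files tried, rejections."""
    out = defaultdict(lambda: {"user": None, "uid": None, "files": set(), "disallowed": 0})
    for pid, msg in unwrap(text):
        s = out[pid]
        if m := re.search(r'PAM: initializing for "([^"]+)"', msg):
            s["user"] = m.group(1)
        elif m := re.search(r"temporarily_use_uid: (\d+)/", msg):
            s["uid"] = int(m.group(1))
        elif m := re.search(r"trying public key file (\S+)", msg):
            s["files"].add(m.group(1))
        elif re.search(r"key \S+ is disallowed", msg):
            s["disallowed"] += 1
    return dict(out)

def root_file_for_other_uid(summary):
    """PIDs where sshd ran as a non-root uid but looked for keys under /root."""
    return [pid for pid, s in summary.items() if s["uid"] not in (None, 0)
            and any(f.startswith("/root/") for f in s["files"])]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(report, root_file_for_other_uid(report))
```

The path on the `trying public key file` line is chosen by the server: sshd takes it from `AuthorizedKeysFile` in `sshd_config`, so that setting and the account's home directory are what to compare against the report.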
