topic Re: SFTP on VMS in Operating System - OpenVMS

SFTP on VMS

Hadi Bahreini — Fri, 20 Feb 2009 17:54:07 GMT

I’m trying to use SFTP with “-B” option in a command procedure to transfer files in & out of an OpenVMS (V7.3-2) machine. The TCPIP service is V5.4 – ECO7. This procedure gets SFTP inputs and will be used in batch or interactively by our clients with captive accounts.

I would appreciate if someone can help me to resolve the following issues:

1- I would like to hide SFTP outputs from user. It seems re-direction of output does not work properly with SFTP and because of captive accounts unfortunately I cannot use PIPE command as John Gillings suggested in this thread.

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1235149942672+28353475&threadId=1185836

2- After invoking SFTP I need to know the execution status in order to branch my procedure properly. Unfortunately SFTP terminate my procedure abnormally if it fails to connect or because of any other reason (i.e. incorrect input …). SFTP sets $STATUS properly when it is completed successfully.

Many thanks in advance,

Re: SFTP on VMS

Hoff — Fri, 20 Feb 2009 19:35:17 GMT

Welcome to the ITRC forums.

Some elaboration on why you can't use PIPE or why there are problems with sftp errors could be useful here; error messages, example DCL, or some other related details can go a long way toward a resolution. I'll take a few guesses in what follows, which can hopefully get you back on course with something close to one of the proposed solutions.

CAPTIVE means you've tried PIPE /TRUSTED, then? Generic SPAWN operations don't work from the CAPTIVE environments, but /TRUSTED operations can sometimes be useful.

As for the procedure termination, I tend to use one file at a time, and I use SET NOON or ON whatsit in most every DCL procedure.

I'd not tend to trust the return status values for these cases, but that's a general skepticism around the return status values from various tools.

Have a look at reversing the whole process and have the CAPTIVE username send a carefully-crafted message over to a remote (and more trusted) process, and have that deal with the transfer.

I'd like to see a COPY /SFTP added, being a massive fan of COPY /FTP myself.

Re: SFTP on VMS

Hadi Bahreini — Mon, 23 Feb 2009 20:35:16 GMT

Thanks a lot Hoff for your quick response. I had tried PIPE/TRUSTED in my COM file before and since I was getting "SPAWN not allowed" message I had this wrong impression that the error is caused by PIPE sub-process. Using your guide I tried SFTP directly and I got the same error. It seems sub-process is created by SFTP itself, VMS accounting also shows that. Does this mean SFTP and Captive accounts are incompatible?

It seems I have a bigger problem now and have to correct my question to: How I can initiate a secure file transfer from a VMS captive account to the outside world?

$sftp -v user@server
Sftp2/SFTP2.C:4804: CRTL version (SYS$SHARE:DECC$SHARE ident) is: V7.3-2-03

SshFileCopy/SSHFILECOPY.C:1062: Making local connection.
Ssh2SftpServer/SSHFILEXFERS.C:2079: Received SSH_FXP_INIT
Ssh2SftpServer/SSHFILEXFERS.C:2124: version is 3
SshFileCopy/SSHFILECOPY.C:1001: Connection to local, ready to serve requests.
Sftp2/SFTP2.C:786: Connection ready.
SshReadLine/SSHREADLINE.C:3662: Initializing ReadLine...
SshFileCopy/SSHFILECOPY.C:1072: Connecting to remote host. (host = user@server, user = NULL, port = NULL)
argv[0] = /sys$system/tcpip$ssh_ssh2
argv[1] = -v
argv[2] = -x
argv[3] = -a
argv[4] = -o
argv[5] = passwordprompt %U@%H's password:
argv[6] = -o
argv[7] = authenticationnotify yes
argv[8] = user@server
argv[9] = -s
argv[10] = sftp
Executing ssh2 failed. Command:' /sys$system/tcpip$ssh_ssh2 -v -x -a -o passwordprompt %U@%H's password: -o authenticationnotify yes user@server -s sftp' System error message: 'captive account - spawn command not allowed'

Re: SFTP on VMS

Hoff — Mon, 23 Feb 2009 20:54:09 GMT

Whomever ported sftp omitted the use of the trusted flag; if sftp does need the spawn to operate (and it looks like it), then the port is incompatible with CAPTIVE. (They probably used a system() call.)

You'll probably find it easiest to work around this by passing the filename or such to a (trusted) server process (local or remote) and have that perform the operation.

I don't know if the sftp source code is around.

If you have a support contract, go log a trouble report with HP; this particular package could handle its security better.

Re: SFTP on VMS

marsh_1 — Mon, 23 Feb 2009 22:05:18 GMT

hi,

have you tried using scp to do this ?

Re: SFTP on VMS

Richard Whalen — Mon, 23 Feb 2009 22:30:11 GMT

SFTP and SCP both need to be able to spawn a subprocess in order to operate. The subprocess is used to run SSH, which does the authentication and encryption. SFTP/SCP then pass SFTP protocol commands across the secure connection created by SSH to a process on the remote system that is running the SFTP server. (Yes, the server needs to be able to create a subprocess as well.)

Re: SFTP on VMS

Hoff — Tue, 24 Feb 2009 04:03:23 GMT

sftp and scp both use ssh. Given the way that applications stacked on ssh typically operate, I'd expect anything that arrives on the host using ssh has the same basic issue with the trusted flag.