HPE Community
Operating System - OpenVMS
1753520 Members
4704 Online
108795 Solutions
New Discussion юеВ

Re: SFTP Difficulty from IBM to OpenVMS

 
Rene Rodrigue
Occasional Advisor

тАО07-02-2010 10:43 AM

тАО07-02-2010 10:43 AM

SFTP Difficulty from IBM to OpenVMS

We are trying to setup an SFTP connection from an IBM (client) to and OpenVMS Alpha running 8.3 / TCPIP v5.6. We are attempting to utilize public-key authentication. I have gotten public-key authentication to work between OpenVMS systems and between and OpenVMS and Solaris. I have placed the public key from the IBM side into the proper directory, i.e. [username.ssh2] and have also created and populated the AUTHORIZATION. file. The IBM is at another agency and I do not have control over it. I logged into the OpenVMS account manually and verified all was well. I could SFTP into the account using password authentication. I have modified the sshd2_config file to allow publickey although it claims to do this as the default.

I believe it is having difficulty with the naming of the key on the OpenVMS machine. Below is one of the opcom messages that comes up:
%%%%%%%%%%% OPCOM 2-JUL-2010 14:10:30.31 %%%%%%%%%%%
Message from user AUDIT$SERVER on XXXYYY
Security alarm (SECURITY) and security audit (SECURITY) on XXXYYY, system id: 51210
Auditable event: Network login failure
Event time: 2-JUL-2010 14:10:30.30
PID: 0000143B
Process name: TCPIP$S_BG27717
Username: TCPIP$SSH
Remote node fullname: SSH_PUBLICKEY:IBMHOST.HSMV.STATE.FL.US
Remote username: AAA_TEST(LOCAL)
Status: %LOGIN-F-NOTVALID, user authorization failure

We populated the AUTHORIZATION. file with an entry of:

KEY AAA_TEST-IBMHOST_HSMV_STATE_FL_US.PUB. The logfile in sys$sysdevice:[tcpip$ssh] indicates that the key was converted to stream lf, prints out no other authentication methods available and closes. Any help would be greatly appreciated.

Sincerely

Rene
0 Kudos
Reply
8 REPLIES 8
Steven Schweda
Honored Contributor

тАО07-02-2010 09:29 PM

тАО07-02-2010 09:29 PM

Re: SFTP Difficulty from IBM to OpenVMS

> [...] IBM [...]

That covers a lot of ground. AIX? z/OS?
MVS? ???

> [...] I have placed the public key from the
> IBM side [...]

Is that an OpenSSH-format (incompatible) key
or an SSH2-format (compatible) key? I can't
see it from here.

> We populated the AUTHORIZATION. file with
> an entry of:
>
> KEY AAA_TEST-IBMHOST_HSMV_STATE_FL_US.PUB.

Not including the last "."? Is there such a
file? (What's in it?)

> The logfile in sys$sysdevice:[tcpip$ssh]
> indicates that the key was converted to
> stream lf, [...]

Probably safer/faster if you do that once and
for all time.

> [...] prints out no other authentication
> methods available and closes.

An actual (copy+paste) transcript might be
more satisfying (and informative). Your
summary and interpretation do not make a good
substitute for the actual data.

Debug output from the client might help.
Adding "-v[v[v]]" to the "ssh"/"sftp"
command works in many places. "ssh -V" (or
"sftp -V") can be interesting, too.

> I believe it is having difficulty with the
> naming of the key on the OpenVMS machine.

Why? Knowing nothing about your key data, my
first guess would be "wrong format", but I'm
always open to actual evidence.
0 Kudos
Reply
Khee Chan
Advisor

тАО07-03-2010 12:04 AM

тАО07-03-2010 12:04 AM

Re: SFTP Difficulty from IBM to OpenVMS

If you are running an OpenSSH based port on the IBM side it is likely that the format of your public key file is incorrect. The public key file on the OpenVMS side needs to be in IETF format (RFC4716). The first 2 lines of an example IETF public key file looks like:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "dsa-key-20080725, 2048-bit DSA, kchan@ckc-pc"

OpenSSH based ssh-keygen will do the conversion for you with the "-e" switch.

Also are you sure that you have specified the path to the private key identification file correctly on the IBM side?

Khee
0 Kudos
Reply
Rene Rodrigue
Occasional Advisor

тАО07-03-2010 04:44 AM

тАО07-03-2010 04:44 AM

Re: SFTP Difficulty from IBM to OpenVMS

I was told the OS running on the IBM side is z. He stated 1.09. This was
yesterday before I logged the call within the forum so I am not sure if
he meant 10.9, etc. I believe the key is SSH and not SSH2 format.

Directory SYS$SYSDEVICE:[AAA_TEST.SSH2]

AUTHORIZATION.;10
BATSFTP-IBMHOST.PUB;2
AAA_TEST-IBMHOST_HSMV_STATE_FL_US.PUB;2
AAA_TEST-SSH_PUBLICKEY_IBMHOST_HSMV_STATE_FL_US.PUB;2
DSA1024_FOR_AUTHORIZED_KEYS.PUB;2

FTPGWY::RODRIGUER: type AUTHORIZATION.;10
KEY DSA1024_FOR_AUTHORIZED_KEYS.PUB
KEY AAA_TEST-IBMHOST_HSMV_STATE_FL_US.PUB
KEY AAA_TEST-SSH_PUBLICKEY_IBMHOST_HSMV_STATE_FL_US.PUB
KEY BATSFTP-IBMHOST.PUB

FTPGWY::RODRIGUER: TYPE AAA_TEST-SSH_PUBLICKEY_IBMHOST_HSMV_STATE_FL_US.PUB
ssh-dss AAAAB3NzaC1kc3MAAACBAN+QI07pvPeTHtAy7Ey6FMNu3mHYGr36Zj+wx36i6biKqsljz6R69M/NcrdMDDQGUxhYYyTUyVUqcU+iVJEQZvLZnh
J4nIQ3OxmZVt4CZFVbbgO1hjhtsCPVLELrCJJehyLG/6WQURYxHeMtgbu9LThGNTi4tY38C7nibabsGICnAAAAFQDQvFb4POY+tfRtKFlD0MFHPzTOXQAA
AIBgew0gZOngYkMOE4cR0j3I0qu43lz3F2XfUw5Db3rzggkL9xOctW4sdGycnSEYMbgPKAml9HqzsmsmcCyFHYDKIEJHYFTJwOUsukZZpWBi5+FxFMzsAB
UuGl2dLajAlo9IHQxz+9GcUy71Z0HttZE6FvkZV+7qkOFosMSL+vhJKwAAAIEAntyGskIREzebqdzheG/4doGRIcCtmdpG3H9g/b4dzINS1/DSX6H0XleY
AMC78ZXrZl41DF3pVuihI6H4Jhb0H63XJ4rI2gA34JS0h46xQoK612eHkAi/VEhORoM0Frs9fzRGebWpZub9WwZHuXNAguBbpKwCehUsRtpoqAxyrJw= 1
024-bit dsa, BATSFTP@IBMHOST, Thu Mar 08 2007 12:31:57

FTPGWY::RODRIGUER: TYPE TCPIP$SSH_RUN.LOG;10
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
%PURGE-W-FILNOTPUR, error deleting SYS$SYSDEVICE:[TCPIP$SSH]TCPIP$SSH_RUN.LOG;4
-RMS-E-FLK, file currently locked by another user
Fri 02 14:10:28 INFORMATIONAL: Starting image in auxiliary server mode.
Fri 02 14:10:28 INFORMATIONAL: connection from "204.90.30.243"
Fri 02 14:10:29 WARNING: Converting file /sys$sysdevice/AAA_TEST/ssh2/AAA_TEST-SSH_PUBLICKEY_IBMHOST_HSMV_STATE_FL_US.
PUB to Stream_LF.
Fri 02 14:10:29 WARNING: File /sys$sysdevice/AAA_TEST/ssh2/AAA_TEST-SSH_PUBLICKEY_IBMHOST_HSMV_STATE_FL_US.PUB convert
ed successfully to Stream_LF.
Fri 02 14:10:29 WARNING: Error trying to access file /sys$sysdevice/AAA_TEST/ssh2/AAA_TEST-SSH_PUBLICKEY:IBMHOST.HSMV.
STATE.FL.US.PUB.
Fri 02 14:10:30 WARNING: Error trying to access file /sys$sysdevice/AAA_TEST/ssh2/AAA_TEST-SSH_PUBLICKEY:IBMHOST.HSMV.
STATE.FL.US.PUB.
Fri 02 14:10:30 WARNING: Error trying to access file /sys$sysdevice/AAA_TEST/ssh2/AAA_TEST-SSH_PUBLICKEY:IBMHOST.HSMV.
STATE.FL.US.PUB.
Fri 02 14:10:30 INFORMATIONAL: Remote host disconnected: No further authentication methods available.
Fri 02 14:10:30 INFORMATIONAL: no more authentication methods on remote: 'No further authentication methods available.
'
TCPIP$SSH job terminated at 2-JUL-2010 14:10:30.79

Accounting information:
Buffered I/O count: 692 Peak working set size: 10544
Direct I/O count: 397 Peak virtual size: 183584
Page faults: 1062 Mounted volumes: 0
Charged CPU time: 0 00:00:00.92 Elapsed time: 0 00:00:03.01
FTPGWY::RODRIGUER: TYPE TCPIP$SSH_RUN.LOG;09
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
%PURGE-W-FILNOTPUR, error deleting SYS$SYSDEVICE:[TCPIP$SSH]TCPIP$SSH_RUN.LOG;4
-RMS-E-FLK, file currently locked by another user
Fri 02 13:28:49 INFORMATIONAL: Starting image in auxiliary server mode.
Fri 02 13:28:49 INFORMATIONAL: connection from "204.90.30.243"
Fri 02 13:28:50 WARNING: Error trying to access file /sys$sysdevice/AAA_TEST/ssh2/AAA_TEST@IBMHOST.HSMV.STATE.FL.US.PU
B.
Fri 02 13:28:50 WARNING: Error trying to access file /sys$sysdevice/AAA_TEST/ssh2/AAA_TEST@IBMHOST.HSMV.STATE.FL.US.PU
B.
Fri 02 13:28:51 WARNING: Error trying to access file /sys$sysdevice/AAA_TEST/ssh2/AAA_TEST@IBMHOST.HSMV.STATE.FL.US.PU
B.
Fri 02 13:28:51 INFORMATIONAL: Remote host disconnected: No further authentication methods available.
Fri 02 13:28:51 INFORMATIONAL: no more authentication methods on remote: 'No further authentication methods available.
'
TCPIP$SSH job terminated at 2-JUL-2010 13:28:51.51

Accounting information:
Buffered I/O count: 654 Peak working set size: 11136
Direct I/O count: 383 Peak virtual size: 183312
Page faults: 844 Mounted volumes: 0
Charged CPU time: 0 00:00:00.83 Elapsed time: 0 00:00:02.68
FTPGWY::RODRIGUER: TYPE TCPIP$SSH_RUN.LOG;08
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
Fri 02 13:27:59 INFORMATIONAL: Starting image in auxiliary server mode.
Fri 02 13:27:59 INFORMATIONAL: connection from "204.90.30.243"
Fri 02 13:28:01 WARNING: Error trying to access file /sys$sysdevice/AAA_TEST/ssh2/AAA_TEST@IBMHOST.HSMV.STATE.FL.US.PU
B.
Fri 02 13:28:01 WARNING: Error trying to access file /sys$sysdevice/AAA_TEST/ssh2/AAA_TEST@IBMHOST.HSMV.STATE.FL.US.PU
B.
Fri 02 13:28:02 WARNING: Error trying to access file /sys$sysdevice/AAA_TEST/ssh2/AAA_TEST@IBMHOST.HSMV.STATE.FL.US.PU
B.
Fri 02 13:28:02 INFORMATIONAL: Remote host disconnected: No further authentication methods available.
Fri 02 13:28:02 INFORMATIONAL: no more authentication methods on remote: 'No further authentication methods available.
'
TCPIP$SSH job terminated at 2-JUL-2010 13:28:02.24

Accounting information:
Buffered I/O count: 652 Peak working set size: 10752
Direct I/O count: 382 Peak virtual size: 183312
Page faults: 830 Mounted volumes: 0
Charged CPU time: 0 00:00:00.91 Elapsed time: 0 00:00:03.04
FTPGWY::RODRIGUER: TYPE TCPIP$SSH_RUN.LOG;07
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
Fri 02 13:23:07 INFORMATIONAL: Starting image in auxiliary server mode.
Fri 02 13:23:07 INFORMATIONAL: connection from "204.90.25.198"
Fri 02 13:23:09 INFORMATIONAL: Remote host disconnected: No further authentication methods available.
Fri 02 13:23:09 INFORMATIONAL: no more authentication methods on remote: 'No further authentication methods available.
'
TCPIP$SSH job terminated at 2-JUL-2010 13:23:09.51

Accounting information:
Buffered I/O count: 634 Peak working set size: 10704
Direct I/O count: 357 Peak virtual size: 183312
Page faults: 835 Mounted volumes: 0
Charged CPU time: 0 00:00:00.84 Elapsed time: 0 00:00:02.65
0 Kudos
Reply
Steven Schweda
Honored Contributor

тАО07-03-2010 07:19 AM

тАО07-03-2010 07:19 AM

Re: SFTP Difficulty from IBM to OpenVMS

> [...] the OS running on the IBM side is z.

Ok. I know approximately nothing about z/OS
or the SSH software there.

> I believe the key is SSH and not SSH2
> format.

OpenSSH.

> ssh-dss AAAAB3Nz[...]

One long line, right? That looks like an
OpenSSH-format key, which is not what the
VMS TCPIP SSH software wants. I believe that
the ssh_keygen program on your VMS system is
not smart enough to convert what you have
into what you need, but an OpenSSH ssh-keygen
program should have a "-e" option which will
let you do the job. Perhaps the folks with
the z/OS system can do it. Otherwise, you
may need to find some UNIX (-like) system
with OpenSSH installed on it.


> ---- BEGIN SSH2 PUBLIC KEY ----
> [...]

Yup. That's what you need.


> [...] WARNING: Error trying to access file
> [...]

I see the various funny file names there, and
I know nothing, but I'd guess that it's
trying various possibilities after it had
trouble with the original (wrong-format) key
file.

Step one is to get an SSH2-format key file.
_Then_, if it's still confused, I'd start to
worry about any other complaints from the
SSH server.
0 Kudos
Reply
Khee Chan
Advisor

тАО07-03-2010 11:50 AM

тАО07-03-2010 11:50 AM

Re: SFTP Difficulty from IBM to OpenVMS

Rene.

I don't known anything about z/OS either (my OS/370 experience is in the dim and distant past).

I assume your person on the IBM side has access to some form of a command line to run sftp and is not doing it from some GUI or other shell. I also assume that the IBM side is running some form of an OpenSSH port.

Bearing the above assumptions in mind, I would recommend that you proceed as follows:

0) On the IBM, ensure that the default SSH identify file (id_dsa or id_rsa depending on the type used) matches the corresponding private key file for AAA_TEST-IBMHOST_HSMV_STATE_FL_US.PUB . If you do not want to do change the default private key file, "man sftp" to find out have to specify the command line option to use a non-default private key file.

1) On the IBM, issue the command (change name of public key file as necessary) {beware of line wrapping and location of white spaces below, "$" denotes the command prompt}:

$ ssh-keygen -f AAA_TEST-IBMHOST_HSMV_STATE_FL_US.PUB -e > AAA_TEST-IBMHOST_HSMV_STATE_FL_US.PUB_IETF
$

2) Verify first two lines of AAA_TEST-IBMHOST_HSMV_STATE_FL_US.PUB_IETF is of the correct form. See previous posting.

3) Transfer (as plain text ASCII) AAA_TEST-IBMHOST_HSMV_STATE_FL_US.PUB_IETF to the OpenVMS system and place it in the target [username.ssh2] directory.

4) Login to OpenVMS system and go to [username.SSH2].

5) Type out AAA_TEST-IBMHOST_HSMV_STATE_FL_US.PUB_IETF to verify that it still looks the same as in step 2.

6) Add entry to the OpenVMS AUTHORIZATION. file thus:

$ APPEND SYS$INPUT AUTHORIZATION
KEY AAA_TEST-IBMHOST_HSMV_STATE_FL_US.PUB_IETF
Ctrl-Z
$

7) Retry sftp and report results especially relevant lines from log file in [TCPIP$SSH.SSH].


-----
Khee
0 Kudos
Reply
Rene Rodrigue
Occasional Advisor

тАО07-04-2010 05:13 AM

тАО07-04-2010 05:13 AM

Re: SFTP Difficulty from IBM to OpenVMS

I will try all of the suggestions listed. I do have several unix machines running ssh so I will try the ssy_keygen -e there. The IBM person is out until Wednesday and he does not have a backup. I will report the results as soon as I have them.

Thanks for all the help.

Rene
0 Kudos
Reply
Steven Schweda
Honored Contributor

тАО07-04-2010 07:20 AM

тАО07-04-2010 07:20 AM

Re: SFTP Difficulty from IBM to OpenVMS

> [..] I do have several unix machines
> running ssh so I will try the ssy_keygen
> -e there. [...]

I'd start with "man ssh-keygen". The key
import/export options have changed some over
the years in some places.
0 Kudos
Reply
Rene Rodrigue
Occasional Advisor

тАО07-21-2010 07:21 AM

тАО07-21-2010 07:21 AM

Re: SFTP Difficulty from IBM to OpenVMS

Sorry for the delayed response in updating this thread. The IBM system manager was out longer than I anticipated.

I converted the key to SSH2 format via a Unix machine, then converted it to STREAM LF on the OpenVMS system. Once this was completed, the SFTP session was successful. Thanks to everyone for your help in resolving this issue.

Sincerely,

Rene
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.