Operating System - OpenVMS

Re: SFTP in batch mode - Re: thread 985928

 
Erik Harclerode
Advisor

SFTP in batch mode - Re: thread 985928

Hi,
My apologies in advance for the long thread but I tried to be thorough and answer as many questions up front. I've done lots of searching on these forums and it seems that the definitive thread for SFTP in batch mode is this thread:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=985928

After looking it over I still have a few questions.

First, my situation is that I'm trying to FTP from OpenVMS to an external Unix server. I, the client, am set up to accept all forms of authentication. The server is set up to accept publickey and password authentication. I am able to connect successfully manually, but not through batch mode. When I do connect manually it asks for 2 passwords: first the key password and then the account password.

I've created a file named batchtest.txt located in a drive named DSA106:[programmer]. I've also set up my IDENTIFICATION. file to point to the proper key as well as the SSH2_CONFIG. file to be set up with the host I'm trying to connect to, I'll call it "testhost" in this example.

I try to connect as follows at the $ prompt:
SFTP "-B" DSA106:[programmer]batchtest.txt testhost

batchtest.txt looks as follows:
"""[lf]

where [lf] is the ASCII line feed command (in editor I used CTRL-V then CTRL-J)

After executing my SFTP command I receive this error:
Authentication failed.
Disconnected; authentication cancelled by user (Authentication cancelled by user.).
FATAL: ssh2 client failed to authenticate. (or you have too old ssh2 installed, check with ssh2 "-V")

%TCPIP-F-SSH_FATAL, non-specific fatal error condition


Here is further information from -v:
debug: server offers auth methods 'publickey,password'.
debug: Ssh2AuthPubKeyClient/AUTHC-PUBKEY.C:1682: adding keyfile "/DSA106/programmer/ssh2/ID_DSA_2048_A" to candidates
debug: Constructing and sending signature in publickey authentication.
debug: Ssh2AuthPubKeyClient/AUTHC-PUBKEY.C:874: ssh_client_auth_pubkey_send_signature: reading /DSA106/programmer/ssh2/ID_DSA_2048_A
debug: Ssh2Common/SSHCOMMON.C:185: DISCONNECT received: Authentication cancelled by user.


I've tried everything I could find online and have had no success, so I was hoping someone else could shed some light on this situation for me. What am I doing wrong?

I also notice in the 985928 thread that he uses something called login.com. I have a login.com on the system but there is nothing in it, so I don't see how it would add value to my batch mode.

Any help would be appreciated.
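
An added example, not part of the original post: a small Python triage of the -v output quoted above. It rejoins the 80-column wraps and reports which step the client was in when the disconnect arrived; the verdict wording and the reading behind it (a passphrase prompt that nobody could answer in batch mode) are assumptions drawn from the poster's note that the key has a password.

```python
import re

# Debug lines from the post above, laid out as an 80-column terminal capture
# (hard wraps; the leading space on the last line belongs to the wrapped text).
SAMPLE = """\
debug: server offers auth methods 'publickey,password'.
debug: Ssh2AuthPubKeyClient/AUTHC-PUBKEY.C:1682: adding keyfile "/DSA106/program
mer/ssh2/ID_DSA_2048_A" to candidates
debug: Constructing and sending signature in publickey authentication.
debug: Ssh2AuthPubKeyClient/AUTHC-PUBKEY.C:874: ssh_client_auth_pubkey_send_sign
ature: reading /DSA106/programmer/ssh2/ID_DSA_2048_A
debug: Ssh2Common/SSHCOMMON.C:185: DISCONNECT received: Authentication cancelled
 by user.
"""

def unwrap(text):
    """Rejoin hard-wrapped lines: text not starting with 'debug:' continues the previous line."""
    lines = []
    for physical in text.splitlines():
        if physical.startswith("debug:") or not lines:
            lines.append(physical)
        else:
            lines[-1] += physical
    return lines

def triage(text):
    """Return offered methods, candidate keys, the key being read for signing, and a verdict."""
    s = {"offered": [], "keyfiles": [], "signing_key": None, "disconnect": None}
    for line in unwrap(text):
        if m := re.search(r"server offers auth methods '([^']*)'", line):
            s["offered"] = m.group(1).split(",")
        elif m := re.search(r'adding keyfile "([^"]+)" to candidates', line):
            s["keyfiles"].append(m.group(1))
        elif m := re.search(r"pubkey_send_signature: reading (\S+)", line):
            s["signing_key"] = m.group(1)
        elif m := re.search(r"DISCONNECT received: (.+?)\.?$", line):
            s["disconnect"] = m.group(1)
    cancelled = "cancelled by user" in (s["disconnect"] or "").lower()
    if s["signing_key"] and cancelled:
        # Assumed reading: the client gave up while opening the private key, which is
        # what a passphrase prompt with nobody to answer it looks like in batch mode.
        s["verdict"] = "private key needs operator input"
    elif s["disconnect"]:
        s["verdict"] = "disconnected for another reason"
    else:
        s["verdict"] = "no failure in this excerpt"
    return s

if __name__ == "__main__":
    for field, value in triage(SAMPLE).items():
        print(f"{field}: {value}")
```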
Volker Halle
Honored Contributor

Re: SFTP in batch mode - Re: thread 985928

Erik,

I have been able to set up hostbased authentication based on the SSH manual pointed to in the other thread more than 2 years ago. I've never used it again since, so I would have to start all over now...

Maybe the fundamental misunderstanding is that you can't use passwords stored in files with SFTP in batch mode. You need to configure hostbased authentication and this needs to be done both on the SSH client and SSH server.

Volker.
Mårten Holmberg
New Member

Re: SFTP in batch mode - Re: thread 985928

Hi,
we use SFTP in batch with publickey and not hostbased authentication.

This is how we got it to work.

$ ! Load key-pair to memory
$ ! -----------------------------------
$ SET NOVER ! Hide passwords from log
$ @sys$manager:tcpip$define_commands
$ open/write add_file temp.file
$ write add_file "$ssh_add -p id_dsa_ssh2"
$ write add_file "''pwd'"
$ close add_file
$
$ ssh_agent
$ wait 00:00:10 ! Wait for SSH_AGENT to start
$ @temp.file
$ delete/log temp.file;*
$ REST_VERIFY ! Restore Verify state
$ ssh_add -l ! List the key we loaded
$
... create sftp-batchfile...
... convert it to streamLF...
$
$ sftp "-B" sftp-batch.file "''usr'"@'host'
$

We have a password database that we call to get the symbols HOST, USR and PWD, and the symbol REST_VERIFY is set up to restore the verify state to what it was before we used the password.

Try a test batch-file with something like:
ls[lf]
exit[lf]
in it at first.

I'm not sure that the wait for the SSH_AGENT is needed, but when we experimented to get this to work we sometimes got an agent error.

Hope this helps

/Mårten
Steven Schweda
Honored Contributor

Re: SFTP in batch mode - Re: thread 985928

In any situation where you would need to
store a password/passphrase in a file, you
may wish to consider not using a scheme which
requires that password/passphrase. In this
case, using a no-passphrase public key for
SSH/SFTP. Storing a datum like this in a
file tends to defeat any added security which
it might otherwise add to the scheme.

I normally use a no-passphrase public key for
SSH (and seldom use SFTP), so I know nothing,
but I would expect any interactive passkey
request to be made explicitly to the user's
terminal, not to any batch file, if only to
discourage users from storing passdata in a
file.

> where [lf] is the ASCII line feed command
> (in editor I used CTRL-V then CTRL-J)

If I thought that the LF was important, I'd
create/convert to a Record format: Stream_LF
file, instead of trying to add delimiters to
a file which already has some kind of record
separator scheme.
Thomas Ritter
Respected Contributor

Re: SFTP in batch mode - Re: thread 985928

SFTP from VMS to non-VMS usually trips up in the file format of the keys generated. There may be a conversion step required on the other end to make sure the keys are in the correct format. VMS is really foreign to these UNIX hosts!
What is the other end? We may be able to help.
Are you able to SSH to the remote end?

Whose implementation of SFTP are you using?

John Gillings
Honored Contributor

Re: SFTP in batch mode - Re: thread 985928

Erik,

Is there a reason you can't use a public key? Once that's configured properly, both SSH and SFTP work between systems without the need to feed passwords in.

As Thomas said, the biggest hurdle is getting the key file in the right format across different platforms. I don't think there's any universal advice. I think I tried generating keys at both ends, compared key files, and CONVERTed the file from the VMS end to look like the one at other end.

That said, have you tried changing your characters into s in the batch file? I'd also try it without quotes.

I've also found that SSH and SFTP seem to care about where SYS$COMMAND comes from. In some cases immediately preceding the command with:

$ DEFINE/USER SYS$COMMAND NL:

has solved odd behaviour.
A crucible of informative mistakes
Steven Schweda
Honored Contributor

Re: SFTP in batch mode - Re: thread 985928

> Is there a reason you can't use a public
> key? Once that's configured properly, both
> SSH and SFTP work between systems without
> the need to feed passwords in.

That depends on how you created the key,
which can be done with or without a
passphrase. For example, without:

alp $ ssh alp
Authentication successful.
@ SYS$MANAGER:ANNOUNCE.TXT [Great software.]
[...]

Or with:

alp $ ssh -i identification._pp alp
Passphrase for key "/ALP$DKA0/sms/ssh2/SMS_ID_DSA_1024_A" with comment "1024-bit dsa, sms@alp.antinode.org, Fri Jun 27 2003 03:57:52":

Authentication successful.
@ SYS$MANAGER:ANNOUNCE.TXT
[...]


> As Thomas said, the biggest hurdle [...]

I'll admit that it would be nice to know that
a plain SSH works properly before diving into
messy SFTP procedures.
Mårten Holmberg
New Member

Re: SFTP in batch mode - Re: thread 985928

Hi,
I don't know about Erik's environment, but in our case the keyfile is given to us from the host, so we can't have one without passphrase.

The example I gave works for us, but if I could choose, I'd use a keyfile without a passphrase.

Regarding the [lf] and/or stream_lf, you just have to test until you find the "thing" that works between your client and that host. And be prepared to test again if they, or you, apply any patches etc. to the sftp client/server.

/Mårten
Erik Harclerode
Advisor

Re: SFTP in batch mode - Re: thread 985928

I have created a new key without a password and sent it over to the person on the receiving end. I just got word that they have it all loaded so I will attempt to connect again in batch mode and see what happens.

My only concern now is that their system requires a user name and password to log in, so I'm wondering if this will work from the batch file or not. I guess I'll find out shortly!

Thanks for your continued support!
Erik Harclerode
Advisor

Re: SFTP in batch mode - Re: thread 985928

Ok, good news.... once I created a new key without a password I am able to authenticate without a problem. Now I am unable to get it to read my batch file for the account password. Any ideas on how to pass this password in?