FTP-SSH Proxy firewall requirements.

Discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
ebbie
Posts: 18
Joined: Tue Feb 16, 2010 8:52 am

FTP-SSH Proxy firewall requirements.

Post by ebbie »

When using FTP-SSH PROXY from the mainframe to a client in batch mode we got the following error:
530 Ftp server login failed, response='530 Permission denied.'
EZA1735I Std Return Code = 26530, Error Code = 00011
EZA1534I *** Control connection with 196.XX.XXX.XXX dies.

The Proxy started task reflects the following:
2010-02-16 15:25:48,524 INFO FtpControlSession./10.XX.XXX.XX:2123. - SSH control channel started to 196.XX.XXX.XXX:21
2010-02-16 15:25:48,705 WARN FtpControlSession./10.XX.XXX.XX:2123. ./196.XX.XXX.XXX:21. - Exception starting connection
java.io.IOException: Ftp server login failed, response='530 Permission denied.'
    at com.dovetail.ftpsshproxy.FtpControlSession.processServerFtpLogin(FtpControlSession.java:200)
    at com.dovetail.ftpsshproxy.FtpControlSession.startConnection(FtpControlSession.java:131)
    at com.dovetail.ftpsshproxy.FtpControlSession.run(FtpControlSession.java:76)
    at com.dovetail.ftpsshproxy.ProxyConnection.runProxySession(ProxyConnection.java:135)
    at com.dovetail.ftpsshproxy.ProxyConnection.doRun(ProxyConnection.java:91)
    at com.dovetail.ftpsshproxy.ProxyConnection.run(ProxyConnection.java:72)
    at java.lang.Thread.run(Thread.java:571)
2010-02-16 15:25:48,712 INFO FtpControlSession./10.XX.XXX.XX:2123. ./196.XX.XXX.XXX:21. - disconnected SSH
2010-02-16 15:25:48,713 INFO ProxyConnection./10.XX.XXX.XX:2123. ./196.XX.XXX.XXX:21. - control connection closed

My understanding is that I only need to open Port 22 through the firewall.
Do I also need to open Port 21 on the firewall as per my logs above?
If Port 21 needs to be opened, is the Control Connection secure?
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail »

I don't believe that you have a firewall issue.

What your trace shows is that the ssh tunnel is being set up fine to the remote FTP server, but that the FTP server is rejecting the USERID command (to login) with a "530 permission denied".

Remember that the remote SSHD server uses SSH port forwarding to open a connection to the FTPD server using the "localhost" IP address and port 21. Perhaps the remote FTP server does not accept logins on the localhost adapter? That seems unlikely. It seems more likely that the FTP server doesn't like something about the userid (at the point of failure, the password has not been sent yet). For Co:Z FtpSSHProxy, the FTPD server must accept the same userid (and password) that was used to log in to the remote SSHD server. In your case we know that the SSHD server accepted it, since it is past that point.
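The distinction drawn in the reply above (tunnel came up, then the FTP server refused the login) can be checked mechanically from the proxy log. The following is an added example, not part of the original posts and not Dovetail's code: it assumes the log line layout shown in the first post, the function name `triage` is hypothetical, and the second session in the sample is constructed.

```python
import re

# Session 1 is the redacted proxy log from the first post (stack frames omitted).
# Session 2 is constructed; its exception text is hypothetical, not real Co:Z output.
SAMPLE_LOG = """\
2010-02-16 15:25:48,524 INFO FtpControlSession./10.XX.XXX.XX:2123. - SSH control channel started to 196.XX.XXX.XXX:21
2010-02-16 15:25:48,705 WARN FtpControlSession./10.XX.XXX.XX:2123. ./196.XX.XXX.XXX:21. - Exception starting connection
java.io.IOException: Ftp server login failed, response='530 Permission denied.'
2010-02-16 15:25:48,713 INFO ProxyConnection./10.XX.XXX.XX:2123. ./196.XX.XXX.XXX:21. - control connection closed
2010-02-16 15:31:02,100 WARN FtpControlSession./10.XX.XXX.XX:2140. - Exception starting connection
java.io.IOException: constructed example: connect timed out
2010-02-16 15:31:02,101 INFO ProxyConnection./10.XX.XXX.XX:2140. - control connection closed
"""

LINE = re.compile(r"^\d{4}-\d\d-\d\d [\d:,]+ (?P<level>\w+) \w+\./(?P<client>[\w.]+:\d+)\.")
FTP_REPLY = re.compile(r"response='(?P<code>\d{3}) (?P<text>[^']*)'")

def triage(log_text):
    """Group log lines by client endpoint and decide where each session failed."""
    sessions, current = {}, None
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            current = sessions.setdefault(
                m["client"], {"tunnel_up": False, "failed": False, "ftp_reply": None})
            if "SSH control channel started" in line:
                current["tunnel_up"] = True
            if "Exception starting connection" in line:
                current["failed"] = True
        elif current is not None:
            # Continuation line (exception text or stack frame) of the last session seen.
            r = FTP_REPLY.search(line)
            if r:
                current["ftp_reply"] = int(r["code"])
    for s in sessions.values():
        if not s["failed"]:
            s["verdict"] = "ok"
        elif s["tunnel_up"] and s["ftp_reply"] is not None:
            # The SSH (port 22) path worked; the FTP server behind sshd refused the login.
            s["verdict"] = "ftp-login-rejected"
        elif not s["tunnel_up"]:
            s["verdict"] = "tunnel-not-established"
        else:
            s["verdict"] = "unknown"
    return sessions

if __name__ == "__main__":
    for client, s in triage(SAMPLE_LOG).items():
        print(client, s["verdict"], s["ftp_reply"])
```

A verdict of `ftp-login-rejected` points at the userid or FTP server configuration on the remote host rather than at firewall rules.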
Champion1
Posts: 1
Joined: Tue Apr 05, 2016 6:30 am

Re: FTP-SSH Proxy firewall requirements.

Post by Champion1 »

It seems more likely that the FTP server doesn't like something about the userid (at the point of failure, the password has not been sent yet). For Co:Z FtpSSHProxy,????
== Solitaire ==
cpetrice
Posts: 2
Joined: Mon Oct 24, 2016 12:38 pm

Re: FTP-SSH Proxy firewall requirements.

Post by cpetrice »

Good Afternoon,
Any resolution to this?
I am having the exact same issue. My "FTP Expert" at first made fun of me because he said I was putting in the wrong password. However, after showing him what I was doing and verifying the PW, he realized that wasn't the case.

After much trial, error and hair pulling, I was able to transfer the file over to another system.
Came back from lunch, submitted the exact same job, the error returned. Able to replicate the error, but not the RC=00 job. Here is the error I see:

530-WARNING: SSH Tectia FTP Tunneling error (Addr: xxx.xxx.xxx Port: 21)
530-WARNING: Ok.
530-WARNING: *** FALL BACK TO PLAIN FTP ***
530-
530 PASS command failed
EZA1735I Std Return Code = 26530, Error Code = 00011
EZA1534I *** Control connection with xxx-xxx-xxx dies.

I also saw on another message board, the following thread from 2010....to which no follow up posts were posted.

"we have had the same problem on our z10 system, but on Saturday it rejects the password/logon but on Sunday it accepts the SAME JCL with the same error code"
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: FTP-SSH Proxy firewall requirements.

Post by dovetail »

It looks like you are using SSH Tectia, and not Co:Z.
cpetrice
Posts: 2
Joined: Mon Oct 24, 2016 12:38 pm

Re: FTP-SSH Proxy firewall requirements.

Post by cpetrice »

Figured it out....I think
After multiple failed FTP jobs.....the failed attempts are caught by ACF2, and lock the ID. Since I was still logged on to the other system and able to work, I didn't notice. I closed my session, and when I reopened it, my account was locked for too many invalid pw attempts. After having the security group reset my PW, the ftp job ran successfully.

A question remains...if the PW was correct in the batch job...what would cause the account to lock for too many unsuccessful attempts? As it stands, I am claiming a moral victory on that batch job, and will see if it goes belly up again.
gloriawalton
Posts: 1
Joined: Sat May 27, 2017 2:53 am
Location: USA

Re: FTP-SSH Proxy firewall requirements.

Post by gloriawalton »

It seems like FTP-SSH PROXY is blocked by the firewall. I suggest allowing access to it. Hope it works for you. You should grant permission for FTP-SSH Proxy.
Marketing Manager At Microleaves Dedicated Proxies Company.