Permission Denied

Discussion of the COZBATCH utility for z/OS
Post Reply
ChuckCottrell
Posts: 4
Joined: Wed Oct 13, 2021 8:31 am

Permission Denied

Post by ChuckCottrell »

OK. Getting FOTS1346 Permission Denied.
I've tried it with an 80-byte PW file down to a 8-byte PW file.
There are no sequence numbers anywhere.
I've manually logged into the server from OMVS on a Z/OS LPAR without issue, so I know the PW is good and that the port is open.

ANY help would be appreciated.

Here are the control statements the batch job:

rmtuser="NJSFTPD"
server="10.13.98.98"
coz_bin='/usr/local/coz621/bin'
export DISPLAY=none
ssh_opts="-oBatchMode=no"
ssh_opts="$ssh_opts -F/etc/ssh/ssh_config_nj_STD"
ssh_opts="$ssh_opts -oConnectTimeout=60"
ssh_opts="$ssh_opts -oServerAliveInterval=60"
ssh_opts="$ssh_opts -oStrictHostKeyChecking=no"
export PASSWD_DSN='//TSOSPCC.SFTP.CNTL(NJSFTPD)'
export SSH_ASKPASS=$coz_bin/read_passwd_dsn.sh
export DISPLAY=none
mvsfile='//DD:TODASD1'
rmtfile='/oracle/WEEKLY/drivers/RMODtoSAR/acaprov/acaprov.txt'
$coz_bin/cozsftp -vvv $ssh_opts -b- $rmtuser@$server <<EOB
lzopts mode=TEXT
lpwd
pwd
get $rmtfile $mvsfile -r
rm '/oracle/WEEKLY/drivers/RMODtoSAR/acaprov/acaprov.txt'


Here's the output:

CoZBatch[N]: version: 6.2.1 2021-01-15
CoZBatch[N]: Copyright (C) Dovetailed Technologies, LLC. 2005-2021. All rights reserved.
<- ()
CoZBatch: executing progname=login-shell="-/bin/sh"
Co:Z SFTP version: 6.2.1 (7.6p1) 2021-01-15
Copyright (C) Dovetailed Technologies, LLC. 2008-2021. All rights reserved.
ZosSettings[W]: Fixed section found in user config file - ignoring
Connecting to 10.13.98.98...
[04:48:58.721870] debug3: connect_to_server arg=/bin/ssh
[04:48:58.721923] debug3: connect_to_server arg=-oForwardX11 no
[04:48:58.721944] debug3: connect_to_server arg=-oForwardAgent no

[04:48:58.721965] debug3: connect_to_server arg=-oClearAllForwardings yes

[04:48:58.721985] debug3: connect_to_server arg=-v

[04:48:58.722001] debug3: connect_to_server arg=-v

[04:48:58.722022] debug3: connect_to_server arg=-v

[04:48:58.722038] debug3: connect_to_server arg=-o

[04:48:58.722058] debug3: connect_to_server arg=BatchMode=no

[04:48:58.722075] debug3: connect_to_server arg=-F

[04:48:58.722095] debug3: connect_to_server arg=/etc/ssh/ssh_config_nj_STD

[04:48:58.722112] debug3: connect_to_server arg=-o

[04:48:58.722132] debug3: connect_to_server arg=ConnectTimeout=60

[04:48:58.722149] debug3: connect_to_server arg=-o

[04:48:58.722169] debug3: connect_to_server arg=ServerAliveInterval=60

[04:48:58.722190] debug3: connect_to_server arg=-o

[04:48:58.722206] debug3: connect_to_server arg=StrictHostKeyChecking=no

[04:48:58.722227] debug3: connect_to_server arg=-obatchmode yes

[04:48:58.722247] debug3: connect_to_server arg=-l

[04:48:58.722263] debug3: connect_to_server arg=NJSFTPD

[04:48:58.722284] debug3: connect_to_server arg=-oProtocol 2

[04:48:58.722300] debug3: connect_to_server arg=-s

[04:48:58.722320] debug3: connect_to_server arg=--

[04:48:58.722337] debug3: connect_to_server arg=10.13.98.98

[04:48:58.722357] debug3: connect_to_server arg=sftp

[04:48:58.790585] debug2: setting ssh _CEE_RUNOPTS=HEAP(12M,1M,,FREE),ENVAR("_CEE_REALLOC_CONTROL=256K,25")

OpenSSH_6.4, OpenSSL 1.0.2h 3 May 2016

debug1: Reading configuration data /etc/ssh/ssh_config_nj_STD

debug3: cipher ok: aes256-cbc [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.li
u.se,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug3: cipher ok: aes192-cbc [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.li
u.se,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug3: cipher ok: aes128-cbc [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.li
u.se,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug3: cipher ok: aes128-ctr [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.li
u.se,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug3: cipher ok: aes192-ctr [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.li
u.se,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug3: cipher ok: aes256-ctr [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.li
u.se,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug3: cipher ok: rijndael-cbc@lysator.liu.se [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijnda
el-cbc@lysator.liu.se,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug3: cipher ok: 3des-cbc [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.liu.
se,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug3: cipher ok: arcfour128 [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.li
u.se,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug3: cipher ok: arcfour256 [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.li
u.se,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug3: cipher ok: blowfish-cbc [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.
liu.se,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug3: cipher ok: cast128-cbc [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.l
iu.se,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug3: cipher ok: arcfour [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.liu.s
e,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug3: ciphers ok: [aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.liu.se,3des-
cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]

debug2: mac_setup: found hmac-sha2-256

debug3: mac ok: hmac-sha2-256 [hmac-sha2-256,hmac-sha2-512]

debug2: mac_setup: found hmac-sha2-512

debug3: mac ok: hmac-sha2-512 [hmac-sha2-256,hmac-sha2-512]

debug3: macs ok: [hmac-sha2-256,hmac-sha2-512]

debug1: Reading configuration data /etc/ssh/zos_ssh_config

debug3: setUseZEDC: 0

debug1: zsshSmfSetConnSmfStatus: SMF status is 0

debug2: ssh_connect: needpriv 0

debug1: Connecting to 10.13.98.98 [10.13.98.98] port 22.

debug2: fd 3 setting O_NONBLOCK

debug1: fd 3 clearing O_NONBLOCK

debug1: Connection established.

debug1: cipher_init: none from source OpenSSL, used in non-FIPS mode

debug1: cipher_init: none from source OpenSSL, used in non-FIPS mode

debug3: timeout: 59999 ms remain after connect

debug1: permanently_set_uid: 0/1

debug3: zsshGetpw: passwd name=TSOSPCC, uid=0, gid=1, dir=/, shell=/bin/sh

debug3: Incorrect RSA1 identifier

debug3: Could not load "/etc/ssh/id_rsa.pub" as a RSA1 public key

debug1: identity file /etc/ssh/id_rsa.pub type 1

debug1: identity file /etc/ssh/id_rsa.pub-cert type -1

debug3: Incorrect RSA1 identifier

debug3: Could not load "/etc/ssh/id_dsa.pub" as a RSA1 public key

debug1: identity file /etc/ssh/id_dsa.pub type 2

debug1: identity file /etc/ssh/id_dsa.pub-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.4

debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1.9

debug1: no match: Sun_SSH_1.1.9

debug2: fd 3 setting O_NONBLOCK

debug3: load_hostkeys: loading entries for host "10.13.98.98" from file "/.ssh/known_hosts"

debug3: load_hostkeys: found key type RSA in file /.ssh/known_hosts:11

debug3: load_hostkeys: loaded 1 keys

debug3: load_hostkeys: loading entries for host "10.13.98.98" from file "/etc/ssh/ssh_known_hosts"

debug3: load_hostkeys: loaded 0 keys

debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v0
1@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh
.com,ssh-dss-ce
rt-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss

debug2: kex_parse_kexinit: aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.liu.se
,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour

debug2: kex_parse_kexinit: aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,rijndael-cbc@lysator.liu.se
,3des-cbc,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour

debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512

debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: kex_parse_kexinit: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha256,diffie-hellman-
group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour

debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha2-256-96,hmac-sha2-512-96,hmac-sha1-96,hmac-md5
,hmac-md5-96

debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha2-256-96,hmac-sha2-512-96,hmac-sha1-96,hmac-md5
,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: af-ZA,ar-EG,ar-SA,bg-BG,bn-IN,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,
en-CA,en-GB,en-IE,en-IN,en-MT,en-NZ,en-SG,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-
PE,es-PY,es-SV,
es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,gu-IN,he-IL,hi-IN,hr-HR,hu-HU,id-ID,is-IS,it,it-IT,ja-JP,kk-KZ,
kn-IN,ko,ko-KR,lt-LT,lv-LV,mk-MK,mr-IN,ms-MY,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-
SK,sl-SI,sq-AL,
sr-CS,sv,sv-SE,ta-IN,te-IN,th-TH,tr-TR,uk-UA,zh,zh-CN,zh-HK,zh-SG,zh-TW,ar,ca,cz,da,el,et,fi,he,hu,ja,lt,lv,nl,no,no-NO,
no-NY,nr,pt,sr-SP,sr-YU,th,tr,i-default

debug2: kex_parse_kexinit: af-ZA,ar-EG,ar-SA,bg-BG,bn-IN,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,
en-CA,en-GB,en-IE,en-IN,en-MT,en-NZ,en-SG,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-
PE,es-PY,es-SV,
es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,gu-IN,he-IL,hi-IN,hr-HR,hu-HU,id-ID,is-IS,it,it-IT,ja-JP,kk-KZ,
kn-IN,ko,ko-KR,lt-LT,lv-LV,mk-MK,mr-IN,ms-MY,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-
SK,sl-SI,sq-AL,
sr-CS,sv,sv-SE,ta-IN,te-IN,th-TH,tr-TR,uk-UA,zh,zh-CN,zh-HK,zh-SG,zh-TW,ar,ca,cz,da,el,et,fi,he,hu,ja,lt,lv,nl,no,no-NO,
no-NY,nr,pt,sr-SP,sr-YU,th,tr,i-default

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug1: mac_setup_by_alg: hmac-sha2-256 from source OpenSSL, used in non-FIPS mode

debug2: mac_setup: found hmac-sha2-256

debug1: kex: server->client aes128-ctr hmac-sha2-256 none

debug1: mac_setup_by_alg: hmac-sha2-256 from source OpenSSL, used in non-FIPS mode

debug2: mac_setup: found hmac-sha2-256

debug1: kex: client->server aes128-ctr hmac-sha2-256 none

debug1: choose_kex: diffie-hellman-group-exchange-sha256 from source OpenSSL, used in non-FIPS mode

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug2: dh_gen_key: priv key bits set: 265/512

debug2: bits set: 2061/4095

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Server host key: RSA MD5 fp b3:1e:ea:55:3a:2b:8e:a7:36:d1:9f:83:d0:7a:39:32

debug3: load_hostkeys: loading entries for host "10.13.98.98" from file "/.ssh/known_hosts"

debug3: load_hostkeys: found key type RSA in file /.ssh/known_hosts:11

debug3: load_hostkeys: loaded 1 keys

debug3: load_hostkeys: loading entries for host "10.13.98.98" from file "/etc/ssh/ssh_known_hosts"

debug3: load_hostkeys: loaded 0 keys

debug1: Host '10.13.98.98' is known and matches the RSA host key.

debug1: Found key in /.ssh/known_hosts:11

debug2: bits set: 2047/4095

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: cipher_init: aes128-ctr from source OpenSSL, used in non-FIPS mode

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: cipher_init: aes128-ctr from source OpenSSL, used in non-FIPS mode

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /etc/ssh/id_rsa.pub (1AEF8E10), explicit

debug2: key: /etc/ssh/id_dsa.pub (1AF05D68), explicit

debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive

debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive

debug3: preferred password

debug3: authmethod_lookup password

debug3: remaining preferred:

debug3: authmethod_is_enabled password

debug1: Next authentication method: password

debug1: read_passphrase: can't open /dev/tty: EDC5128I No such device. (errno2=0x056201A9)

debug1: permanently_drop_suid: 0

/usr/local/coz621/bin/read_passwd_dsn.sh prompt: "NJSFTPD@10.13.98.98's password: "
fromdsn(TSOSPCC.UTIL.JCL(NJSFTPD))[N]: 1 records/80 bytes read; 81 bytes written in 0.001 seconds (79.102 KBytes/sec).
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive

debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat

FOTS1346 Permission denied, please try again.

debug1: read_passphrase: can't open /dev/tty: EDC5128I No such device. (errno2=0x056201A9)

debug1: permanently_drop_suid: 0

/usr/local/coz621/bin/read_passwd_dsn.sh prompt: "NJSFTPD@10.13.98.98's password: "
fromdsn(TSOSPCC.UTIL.JCL(NJSFTPD))[N]: 1 records/80 bytes read; 81 bytes written in 0.001 seconds (79.102 KBytes/sec).
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive

debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat

FOTS1346 Permission denied, please try again.

debug1: read_passphrase: can't open /dev/tty: EDC5128I No such device. (errno2=0x056201A9)

debug1: permanently_drop_suid: 0

/usr/local/coz621/bin/read_passwd_dsn.sh prompt: "NJSFTPD@10.13.98.98's password: "
fromdsn(TSOSPCC.UTIL.JCL(NJSFTPD))[N]: 1 records/80 bytes read; 81 bytes written in 0.001 seconds (79.102 KBytes/sec).
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat

FOTS1373 Permission denied (gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive).


Connection closed.
[04:49:03.606068] Connection closed

[04:49:03.606157] debug1: _zos_exit(255): SSH failed to start connection (12)

CoZBatch: returning rc=exitcode=12
ChuckCottrell
Posts: 4
Joined: Wed Oct 13, 2021 8:31 am

Re: Permission Denied

Post by ChuckCottrell »

Fixed
atolosi
Posts: 7
Joined: Fri Mar 18, 2022 6:53 am

Re: Permission Denied

Post by atolosi »

What was done to correct your issue? I am have the same problem
fromdsn(xxxxxx.x.xxxL(PWD))ÝN¨: 1 records/80 bytes read; 81 bytes written in 0 m
FOTS1346 Permission denied, please try again.
atolosi
Posts: 7
Joined: Fri Mar 18, 2022 6:53 am

Re: Permission Denied

Post by atolosi »

upated post to notify me
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: Permission Denied

Post by dovetail »

This is an error message from IBM z/OS OpenSSH, which indicates that ssh authentication failed:

FOTS1346 Permission denied, please try again.

This message is from the Co:Z read_passwd_dsn.sh script, which is used to read your password and supply it to z/OS OpenSSH:

fromdsn(xxxxxx.x.xxxL(PWD))ÝN¨: 1 records/80 bytes read; 81 bytes written in 0 m

The 81 bytes written means that the password was 80 bytes, plus one byte for a line terminator.

Therefore, you should check you password.
atolosi
Posts: 7
Joined: Fri Mar 18, 2022 6:53 am

Re: Permission Denied

Post by atolosi »

I have check the password file it is FB 80 nonum
not to reveal password i x it out
xxxxxxxx
xxxxxxxx4444444444444444444444444444444444444444444444444444444444444444
xxxxxxxx0000000000000000000000000000000000000000000000000000000000000000

Also one of my team members tunning the same jcl connects while getting
1 records/80 bytes read; 81 bytes written in 0 m
use a similar pwd file
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: Permission Denied

Post by dovetail »

Sorry, I was wrong, this message doesn't mean that the password was 80 bytes:

fromdsn(xxxxxx.x.xxxL(PWD))ÝN¨: 1 records/80 bytes read; 81 bytes written in 0 ms

In older versions of Co:Z this was the password length + 1, but it was changed so that the length of the password is no longer displayed.

If you want to verify that the password is being read correctly, you can do the following from a z/OS Unix shell (logged into a userid that can read the password dataset):

> export PATH=$PATH:<coz home>/bin
> export PASSWD_DSN="HLQ.XXX(MEMBER)"
> echo /$(read_passwd_dsn.sh)/
fromdsn(HLQ.XXX(MEMBER)))[N]: 1 records/80 bytes read; 81 bytes written in 0 milliseconds.
/Test123/

The last line is the password that will be provided to /bin/ssh, enclosed in slashes.

Even if the password is correct, there might be other problems with the SSH connection authentication. The server may be prompting for something besides a password. The way to see is to do a trace of the z/OS OpenSSH client by adding "-vvv" to the cozsftp command. This trace will usually provide enough details to see why the server is not allowing the authentication to proceed.
atolosi
Posts: 7
Joined: Fri Mar 18, 2022 6:53 am

Re: Permission Denied

Post by atolosi »

Thanks the results

$ export PATH=$PATH:/usr/lpp/coz/bin
$ export PASSWD_DSN="p544at.a.cntl(pwd)"
$ echo /$(read_passwd_dsn.sh)/
/usr/lpp/coz/bin/read_passwd_dsn.sh prompt: "Enter password: "
fromdsn(Pxxxxx.CNTL(PWD))ÝN¨: 1 records/80 bytes read; 81 bytes written in 0 m
illiseconds.
/#Xxxxxx7/
$

correct password
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: Permission Denied

Post by dovetail »

Even if the password is correct, there might be other problems with the SSH connection authentication. The server may be prompting for something besides a password. The way to see is to do a trace of the z/OS OpenSSH client by adding "-vvv" to the cozsftp command. This trace will usually provide enough details to see why the server is not allowing the authentication to proceed.
atolosi
Posts: 7
Joined: Fri Mar 18, 2022 6:53 am

Re: Permission Denied

Post by atolosi »

not being to firmiliar with this could you tell me how to specify -vvv for the trace?
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: Permission Denied

Post by dovetail »

It depends on how you are invoking cozsftp.
If you are using our sample JCL and scripts: https://dovetail.com/docs/sftp/client.html#client-batch

then add:

sftp_opts="$sftp_opts -vvv"

You might first want to try running cozsftp interactively, from a Unix shell with the same z/OS userid as the batch job.

> cozsftp -vvv user@host

try entering the password interactively and see if you can log in.

Note: for interatively entering passwords, log on to a z/OS Unix shell using ssh (like PuTTY from Windows). The TSO OMVS shell won't allow you to enter secure passwords for z/OS OpenSSH.
atolosi
Posts: 7
Joined: Fri Mar 18, 2022 6:53 am

Re: Permission Denied

Post by atolosi »

1
CoZBatchÝN¨: version: 6.2.1 2021-01-15
CoZBatchÝN¨: Copyright (C) Dovetailed Technologies, LLC. 2005-2021. All rights reserved.
<- ()
CoZBatchÝI¨: executing progname=login-shell="-/bin/sh"
Connect using SSH_ASKPASS, password will be read from xxxxx.x.xxxx(PWD)...
Executing: /usr/lpp/coz/bin/cozsftp -oBatchMode=no -oConnectTimeout=60 -oServerAliveInterval=60 -oPubkeyAuthentication=
no -oStrictHostKeyChecking=no -vvv -b- 'pxxxxx@10.225.199.2'
Co:Z SFTP version: 6.2.1 (7.6p1) 2021-01-15
Copyright (C) Dovetailed Technologies, LLC. 2008-2021. All rights reserved.
Connecting to xx.xxx.xxx.x...
Ý13:17:50.677200¨ debug3: connect_to_server arg=/bin/ssh

Ý13:17:50.677231¨ debug3: connect_to_server arg=-oForwardX11 no

Ý13:17:50.677251¨ debug3: connect_to_server arg=-oForwardAgent no

Ý13:17:50.677254¨ debug3: connect_to_server arg=-oClearAllForwardings yes

Ý13:17:50.677260¨ debug3: connect_to_server arg=-o

Ý13:17:50.677265¨ debug3: connect_to_server arg=BatchMode=no

Ý13:17:50.677268¨ debug3: connect_to_server arg=-o

Ý13:17:50.677271¨ debug3: connect_to_server arg=ConnectTimeout=60

Ý13:17:50.677273¨ debug3: connect_to_server arg=-o

Ý13:17:50.677276¨ debug3: connect_to_server arg=ServerAliveInterval=60

Ý13:17:50.677279¨ debug3: connect_to_server arg=-o

Ý13:17:50.677282¨ debug3: connect_to_server arg=PubkeyAuthentication=no

Ý13:17:50.677284¨ debug3: connect_to_server arg=-o

Ý13:17:50.677288¨ debug3: connect_to_server arg=StrictHostKeyChecking=no

Ý13:17:50.677290¨ debug3: connect_to_server arg=-v

Ý13:17:50.677303¨ debug3: connect_to_server arg=-v

Ý13:17:50.677306¨ debug3: connect_to_server arg=-v

Ý13:17:50.677318¨ debug3: connect_to_server arg=-obatchmode yes

Ý13:17:50.677321¨ debug3: connect_to_server arg=-l

Ý13:17:50.677323¨ debug3: connect_to_server arg=p544at

Ý13:17:50.677326¨ debug3: connect_to_server arg=-oProtocol 2

Ý13:17:50.677371¨ debug3: connect_to_server arg=-s

Ý13:17:50.677423¨ debug3: connect_to_server arg=--

Ý13:17:50.677528¨ debug3: connect_to_server arg=10.225.199.2

Ý13:17:50.677551¨ debug3: connect_to_server arg=sftp

Ý13:17:50.685674¨ debug2: setting ssh _CEE_RUNOPTS=HEAP(12M,1M,,FREE),ENVAR("_CEE_REALLOC_CONTROL=256K,25")

OpenSSH_7.6p1, LibreSSL 3.0.2

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Reading configuration data /etc/ssh/zos_ssh_config

debug3: setUseZEDC: 0

debug1: zsshSmfSetConnSmfStatus: SMF status is 0

debug2: resolving "xx.xxx.xxx.x" port 22

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to xx.xxx.xxx.x Ýxx.xxx.xxx.x¨ port 22.

debug2: fd 3 setting O_NONBLOCK

debug1: fd 3 clearing O_NONBLOCK

debug1: Connection established.

debug1: cipher_init: none from source none, used in non-FIPS mode

debug1: cipher_init: none from source none, used in non-FIPS mode

debug3: zssh_packet_configure_socket: current getsockopt(3, SOL_SOCKET,SO_SNDBUF) = 65535

debug3: zssh_packet_configure_socket: setsockopt(3, SOL_SOCKET, SO_SNDBUF, 65536) succeeded

debug3: zssh_packet_configure_socket: current getsockopt(3, SOL_SOCKET,SO_RCVBUF) = 65535

debug3: zssh_packet_configure_socket: setsockopt(3, SOL_SOCKET, SO_RCVBUF, 65536) succeeded

debug3: timeout: 58319 ms remain after connect

debug3: zsshGetpw: passwd name=Pxxxxx, uid=107079, gid=0, dir=/u/p544at, shell=/bin/sh

debug1: key_load_public: EDC5129I No such file or directory. (errno2=0x05620062)

debug1: identity file /u/xxxxxx/.ssh/id_rsa type -1

debug1: key_load_public: EDC5129I No such file or directory. (errno2=0x05620062)

debug1: identity file /u/xxxxxx/.ssh/id_rsa-cert type -1

debug1: key_load_public: EDC5129I No such file or directory. (errno2=0x05620062)

debug1: identity file /u/xxxxxx/.ssh/id_dsa type -1

debug1: key_load_public: EDC5129I No such file or directory. (errno2=0x05620062)

debug1: identity file /u/xxxxxx/.ssh/id_dsa-cert type -1

debug1: key_load_public: EDC5129I No such file or directory. (errno2=0x05620062)

debug1: identity file /u/xxxxxx/.ssh/id_ecdsa type -1

debug1: key_load_public: EDC5129I No such file or directory. (errno2=0x05620062)

debug1: identity file /u/xxxxxx/.ssh/id_ecdsa-cert type -1

debug1: key_load_public: EDC5129I No such file or directory. (errno2=0x05620062)

debug1: identity file /u/xxxxxxt/.ssh/id_ed25519 type -1

debug1: key_load_public: EDC5129I No such file or directory. (errno2=0x05620062)

debug1: identity file /u/xxxxxx/.ssh/id_ed25519-cert type -1

debug1: Local version string SSH-2.0-OpenSSH_7.6

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6

debug1: match: OpenSSH_7.6 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to xx.xxx.xxx.x:22 as 'xxxxxx'

debug3: hostkeys_foreach: reading file "/u/xxxxxxt/.ssh/known_hosts"

debug3: record_hostkey: found key type RSA in file /u/xxxxxx/.ssh/known_hosts:142

debug3: record_hostkey: found key type RSA in file /u/xxxxxx/.ssh/known_hosts:144

debug3: load_hostkeys: loaded 2 keys from xx.xxx.xxx.x

debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa

debug3: send packet: type 20

debug1: SSH2_MSG_KEXINIT sent

debug3: receive packet: type 20

debug1: SSH2_MSG_KEXINIT received

debug2: local client KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-n
istp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-
group-exchange-
sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c

debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01
@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@open
ssh.com,ecdsa-s
ha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519

debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@open
ssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@open
ssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos:

debug2: languages stoc:

debug2: first_kex_follows 0

debug2: reserved 0

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-n
istp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-
group-exchange-
sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@o
penssh.com

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@o
penssh.com

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@open
ssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@open
ssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos:

debug2: languages stoc:

debug2: first_kex_follows 0

debug2: reserved 0

debug1: kex: algorithm: curve25519-sha256

debug1: choose_kex: curve25519-sha256 from source OpenSSL, used in non-FIPS mode

debug1: kex: host key algorithm: rsa-sha2-512

debug1: mac_setup_by_alg: umac-64-etm@openssh.com from source OpenSSL, used in non-FIPS mode

debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none

debug1: mac_setup_by_alg: umac-64-etm@openssh.com from source OpenSSL, used in non-FIPS mode

debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: ssh-rsa SHA256:KTYzPqgQjDlG+YbA5VF8432xZ/T0RUWLSq0Df+z1yUU

debug3: hostkeys_foreach: reading file "/u/xxxxxx/.ssh/known_hosts"

debug3: record_hostkey: found key type RSA in file /u/xxxxxx/.ssh/known_hosts:142

debug3: record_hostkey: found key type RSA in file /u/xxxxxx/.ssh/known_hosts:144

debug3: load_hostkeys: loaded 2 keys from xx.xxx.xxx.x

debug1: Host 'xx.xxx.xxx.x' is known and matches the RSA host key.

debug1: Found key in /u/xxxxxx/.ssh/known_hosts:142

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: cipher_init: aes128-ctr from source CPACF, used in non-FIPS mode

debug1: rekey after 4294967296 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: set_newkeys: mode 0

debug1: cipher_init: aes128-ctr from source CPACF, used in non-FIPS mode

debug1: rekey after 4294967296 blocks

debug2: key: /u/xxxxxx/.ssh/id_rsa (0)

debug2: key: /u/xxxxxx/.ssh/id_dsa (0)

debug2: key: /u/xxxxxx/.ssh/id_ecdsa (0)

debug2: key: /u/xxxxxx/.ssh/id_ed25519 (0)

debug3: send packet: type 5

debug3: receive packet: type 7

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,e
cdsa-sha2-nistp384,ecdsa-sha2-nistp521>

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password

debug3: start over, passed a different list publickey,password

debug3: preferred keyboard-interactive,password

debug3: authmethod_lookup password

debug3: remaining preferred: ,password

debug3: authmethod_is_enabled password

debug1: Next authentication method: password

debug1: read_passphrase: can't open /dev/tty: EDC5128I No such device. (errno2=0x056201A9)

debug1: permanently_drop_suid: 107079

/usr/lpp/coz/bin/read_passwd_dsn.sh prompt: "xxxxxx@xx.xxx.xxx.x's password: "
13.17.52 S0173097 JHN302I Performance Essential NonVSAM Component is Active
fromdsn(PxxxxxA.xxx(PWD))ÝN¨: 1 records/80 bytes read; 81 bytes written in 0 milliseconds.
debug3: send packet: type 50

debug2: we sent a password packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password

debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat

FOTS1346 Permission denied, please try again.

debug1: read_passphrase: can't open /dev/tty: EDC5128I No such device. (errno2=0x056201A9)

debug1: permanently_drop_suid: 107079

/usr/lpp/coz/bin/read_passwd_dsn.sh prompt: "xxxxxx@xx.xxx.xxx.x2's password: "
13.17.52 S0164463 JHN302I Performance Essential NonVSAM Component is Active
fromdsn(Pxxxxxx.CNTL(PWD))ÝN¨: 1 records/80 bytes read; 81 bytes written in 0 milliseconds.
debug3: send packet: type 50

debug2: we sent a password packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password

debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat

FOTS1346 Permission denied, please try again.

debug1: read_passphrase: can't open /dev/tty: EDC5128I No such device. (errno2=0x056201A9)

debug1: permanently_drop_suid: 107079

/usr/lpp/coz/bin/read_passwd_dsn.sh prompt: "xxxxxx@xx.xxx.xxx.x's password: "
13.17.53 S0157311 JHN302I Performance Essential NonVSAM Component is Active
fromdsn(xxxxxx.x.xxxx(PWD))ÝN¨: 1 records/80 bytes read; 81 bytes written in 0 milliseconds.
debug3: send packet: type 50

debug2: we sent a password packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat

FOTS1373 xxxxxx@xx.xxx.xxx.x: Permission denied (publickey,password).

debug3: zsshZertSetAttributes(5): SECATTR_IOCTL: 010205000000113c0000000038b7f5e0c9c2d440d6978595e2e2c840404040400000000
0000000000000000000000000

debug3: zsshZertSetAttributes(5): _SECATTR_SSH_SPEC: 0200c00000000000e2c6e3d7c340404000020000000f00110013000f00110013000
100000001000000000000

debug3: zERT SIOCSECATTR failed: EDC5247I Operation not supported. (errno2=0x76647365)

Ý13:17:53.157063¨ Connection closed

Ý13:17:53.157110¨ debug1: _zos_exit(255): SSH failed to start connection (12)

CoZBatchÝI¨: returning rc=exitcode=12
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: Permission Denied

Post by dovetail »

From the trace, the server is prompting for the password using: "xxxxxx@xx.xxx.xxx.x's password: "
The client is sending the password three times and all are being rejected by the server.

Note: There are 3 tries, since that's the default for z/OS OpenSSH.
This is not the problem, but you should probably just try once, by adding this to your SFTPIND (Installation defaults) member used by your proc.

sftp_opts="$sftp_opts -oNumberOfPasswordPrompts=1"


It's hard to say why the login is failing, but it could be either:

- the password is not valid
- the server has disabled the userid
- the server has blacklisted the client ip
- some other server issue

FIRST, verify that you can make an interactive sftp connection from the same z/OS LPAR to this user@server -

Login with an SSH terminal to z/OS Unix so that you can interactively enter a password.
Note: The z/OS OpenSSH client won't allow passwords with TSO OMVS. From Windows, you might use PuTTY to connect via ssh to z/OS Unix.

Then, try an interactive connection using the IBM sftp client:

zos> sftp -vvv xxxxxx@xx.xxx.xxx.xxx

When prompted enter your password.
Post Reply