Not getting Authentication Succeeded after server accepts ke

Discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
aramsey
Posts: 21
Joined: Thu Oct 21, 2010 10:15 am

Post by aramsey »

We are trying to convert an OpenSSH SFTP client batch job to a Co:Z SFTP client batch job. We have never experienced the problem that we are currently experiencing in any other Co:Z SFTP client batch jobs.

When we use the straight SFTP client we get:
debug2: key: /u/cdpprod/experian/.ssh/id_rsa (298950B0)
debug2: key: /u/cdpprod/.ssh/id_rsa (298A0378)
debug2: key: /u/cdpprod/.ssh/id_dsa (298A19E0)
debug2: key: /u/cdp0021/experian/.ssh/id_dsa (0)
debug3: input_userauth_banner
This System Is For Authorized Users Only.
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /u/cdpprod/experian/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug2: input_userauth_pk_ok: fp 95:07:d8:cc:c4:e2:00:86:e1:9f:cd:d6:d4:73:c0:bf
debug3: sign_and_send_pubkey
debug1: Authentication succeeded (publickey).

When we use Co:Z SFTP we get:
debug2: key: /u/cdpprod/experian/.ssh/id_rsa (298950B0)
debug2: key: /u/cdpprod/.ssh/id_rsa (298A0378)
debug2: key: /u/cdpprod/.ssh/id_dsa (298A19E0)
debug2: key: /u/cdpprod/experian/.ssh/id_dsa (0)
debug3: input_userauth_banner
This System Is For Authorized Users Only.
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /u/cdpprod/experian/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug2: input_userauth_pk_ok: fp 95:07:d8:cc:c4:e2:00:86:e1:9f:cd:d6:d4:73:c0:bf
debug3: sign_and_send_pubkey
debug1: Authentications that can continue: publickey,password,keyboard-interactive
..and so on until we get -
debug1: No more authentication methods to try.
debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat
FOTS1373 Permission denied (publickey,password,keyboard-interactive).
[00365] Connection closed

We are using the same userid, same key (private key is passphrase protected), the same ssh_config client file, and I would have to assume that it is the same sshd_config file on the server. I cannot figure out what is going on between the server accepting the key and the Authentication Succeeded message that would cause us not to get the Authentication Succeeded message when using Co:Z. I have to believe that there is something different in the code that occurs when using Co:Z as opposed to straight SFTP since it works fine with the straight SFTP.

We get the following message on the remote protocol used. Maybe this is an issue with Co:Z?
debug1: Remote protocol version 2.0, remote software version SSHD
debug1: no match: SSHD

Please let me know what else I can provide to you that might help to resolve this issue.


Thank you.
dovetail
Site Admin
Posts: 2025
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail »

Co:Z SFTP uses the same Ported Tools OpenSSH "ssh" command that the Ported Tools "sftp" uses, so perhaps there is a difference in how your jobs are configured.

Are you using the same script to execute sftp and cozsftp? If not, what differences are there? Are there differences in the ssh options (-oEtc, etc) or other command line switches?
aramsey
Posts: 21
Joined: Thu Oct 21, 2010 10:15 am

Post by aramsey »

I can't see any differences, and I have certainly looked for them! Of course our method for configuring the batch jobs is different between the two - I will provide you with what I am submitting, and perhaps you can see what I am missing!

The SFTP job:
//CDP0021E JOB acctg info
//SFTP EXEC PGM=BPXBATCH,
// PARM='PGM /u/sftp/jobname/sftpexp',
// COND=(01,LT)
//STDOUT DD PATH='/u/sftp/jobname/STDOUT',
// PATHOPTS=(OWRONLY,OTRUNC),PATHMODE=SIRWXU
//STDERR DD PATH='/u/sftp/jobname/STDERR',
// PATHOPTS=(OWRONLY,OTRUNC),PATHMODE=SIRWXU
//STDENV DD DSN=TCPIP.USER.ENVVAR.SFTP,DISP=SHR


Where /u/sftp/jobname/sftpexp contains:
#!/bin/sh
# locate & point to SSH-AGENT
. /etc/sshagent/agent-info

sftp -vvv -b /u/sftp/jobname/sftp.input -F /u/cdpprod/experian/.ssh/ssh_config2

and /u/sftp/jobname/sftp.input contains:
pwd
ls
pwd
ls
quit


The Co:Z job:
//CDP0021A JOB accting info
//SFTP EXEC PGM=COZBATCH,REGION=40M,PARM=(-LD)
//STEPLIB DD DSN=TCPIP.COZ.LOADLIB,DISP=SHR
//STDIN DD DSN=CDP0021.JCLLIB(EXP2),DISP=SHR
/*
//STDENV DD DSN=TCPIP.USER.ENVVAR.SFTP,DISP=SHR
//SYSOUT DD SYSOUT=*
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*

Where CDP0021.JCLLIB(EXP2) contains:
. /etc/sshagent/agent-info
ssh_opts="-F /u/cdpprod/experian/.ssh/ssh_config2"
/sftp/coz/bin/cozsftp -vvv $ssh_opts -b- nedmv@stm.experian.com <<EOB
lzopts mode=text
dir
quit
EOB

I know the commands to issue are not exactly the same, but we don't get that far anyway. Do you see anything that would cause this to behave differently?

I realize that I am at a back-level of Co:Z (1.5), but I didn't see anything in the Revision History for more current versions that would address this, if it were Co:Z related. This does bring me to another unrelated question that I hope you don't mind if I ask here - How frequently do you recommend updating the tool? Updates are available quite frequently, and an upgrade has been on my list of things to do for a while, but just wondering what you recommend.


Thank you!
aramsey
Posts: 21
Joined: Thu Oct 21, 2010 10:15 am

Post by aramsey »

I just noticed that I had missed the userid piece in my copy/paste of
/u/sftp/jobname/sftpexp

When I went to include it in this update, I noticed it was a different userid!
What an obvious difference that I missed. I had been copying all of this from the individual responsible for the jobs and thought I had looked at all of the obvious, but I had not!!

So my problem is resolved, thanks for offering the second pair of eyes that made my eyes look closer!

I would like to know the answer to my other question in my last update though - how often do you recommend upgrading Co:Z to a new release?

Thanks!
Ann
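
Added example, not part of the original posts and not Dovetail's or IBM's code: in SSH publickey authentication (RFC 4252) the client may first query a key without a signature, and "Server accepts key" is only the server's answer to that query; the signed request that follows can still be rejected. The sketch below finds the first point where two client debug traces diverge and summarizes each key attempt. The function names are hypothetical and the sample traces are abridged from the ones posted in this thread.

```python
import re
from itertools import zip_longest

# Sample input: abridged from the two -vvv traces posted in this thread.
TRACE_OK = """\
debug1: Offering public key: /u/cdpprod/experian/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug3: sign_and_send_pubkey
debug1: Authentication succeeded (publickey).
"""
TRACE_FAIL = """\
debug1: Offering public key: /u/cdpprod/experian/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug3: sign_and_send_pubkey
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: No more authentication methods to try.
"""

DEBUG = re.compile(r"^debug\d: (.*)$")

def events(trace):
    """Keep only debugN lines (drops banner text) and strip the prefix."""
    return [m.group(1).strip() for m in map(DEBUG.match, trace.splitlines()) if m]

def first_divergence(a, b):
    """Return (index, event_a, event_b) at the first differing event, else None."""
    for i, (ea, eb) in enumerate(zip_longest(events(a), events(b))):
        if ea != eb:
            return i, ea, eb
    return None

def pubkey_attempts(trace):
    """Per offered key: query answered with PK_OK? signature sent? final result."""
    attempts, cur = [], None
    for ev in events(trace):
        if ev.startswith("Offering public key: "):
            cur = {"key": ev.split(": ", 1)[1], "pk_ok": False,
                   "signed": False, "result": "no reply"}
            attempts.append(cur)
        elif cur is None:
            continue
        elif ev.startswith("Server accepts key"):
            cur["pk_ok"] = True       # reply to the unsigned query only
        elif ev == "sign_and_send_pubkey":
            cur["signed"] = True      # signed request sent to the server
        elif ev.startswith(("Authentication succeeded",
                            "Authentications that can continue")):
            cur["result"] = "success" if ev.startswith("Authentication succeeded") else "rejected"
            cur = None
    return attempts
```

On full traces, run-specific values such as the key pointers in parentheses will also show up as differences, so filter those lines before comparing.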