SFTP TO VIPA-(CLUSTERED HOSTS)

Discussion of the COZBATCH utility for z/OS
Post Reply
TSGHOS
Posts: 20
Joined: Fri Oct 15, 2010 8:55 am

SFTP TO VIPA-(CLUSTERED HOSTS)

Post by TSGHOS »

Hello,

We are trying to SFTP to a VIPA address which is the cluster address of several hosts and we are getting the following results :

1.First attempt to the VIPA address works - HOSTA A chosen

2.Second attempt fails. This is because HOST B is chosen and the id is different.Partial output from the trace :

debug3: check_host_in_hostfile: filename /u/tsghos/.ssh/known_hosts

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat

@ FOTS1317 WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Is it possible to SFTP to a VIPA address that routes the sessions to several hosts that sit behind the address ?

We use the following option : ssh_opts="£ssh_opts -oStrictHostKeyChecking=no"

We are using Password Authentication .

Regards
Hanif Osman
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: SFTP TO VIPA-(CLUSTERED HOSTS)

Post by dovetail »

If you have a cluster of hosts each running a SSHD server from a VIPA, then they must all use the same matching host key pairs.

So, for example, if you are running OpenSSH on these servers, then the keys pointed to by "HostKey" in /etc/ssh/sshd_config must match.

This is because the client will get a random server from the VIPA, and the client will check the server's host key to see that it is as expected - so all of the sshd servers behind the VIPA must use the same host keys.

Unless you have changed the default file names, these files are named:

/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa.key.pub


It is also possible to run two instances of sshd on each of these servers - one to service the individual server and one to serve the vipa. These would need to run either on different ports or on different network interfaces. Each sshd daemon would point to a different sshd_config file (using the -F option when starting sshd). Each sshd_config file could point to different sets of host keys.

For more information on OpenSSH Host key authentication, see our webinar: "IBM Ported Tools for z/OS: OpenSSH - Key Authentication" here: http://dovetail.com/webinars.html
TSGHOS
Posts: 20
Joined: Fri Oct 15, 2010 8:55 am

Re: SFTP TO VIPA-(CLUSTERED HOSTS)

Post by TSGHOS »

Hello,

Thank you very much for the prompt update.

Regards
dmbru1
Posts: 6
Joined: Thu Apr 17, 2014 8:17 am

Re: SFTP TO VIPA-(CLUSTERED HOSTS)

Post by dmbru1 »

instead of cut and paste if you need to add a key to the known hostst you can FTP it with certain options
save the key as .txt
save to a drive on your pc
ftp in ascii to IBM
quote site lrecl=600 - otherwise the site's default lrecl in ftpdata may be 256 or similar and too small so truncating the key
quote site sbsendeol=none
this stops carriage return line feeds messing up the key
then ftp the key.txt to either 'data.set' or /u/userid/.ssh/knownhosts
Daniel
Posts: 3
Joined: Wed Jan 22, 2014 10:46 am

Re: SFTP TO VIPA-(CLUSTERED HOSTS)

Post by Daniel »

A fast (and of course very unsecure :wink: ) way to solve the problem with different SSHD server keys of VIPA clustered servers is to use the following parameter setting:

Code: Select all

ssh-options=-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null
Post Reply