sftp when using HTTP proxy server

[nolting]

Our network people are implementing new HTTP proxy servers which are negating our previous z/OS communication to IBM. I have been able to access TESTCASE.BOULDER.IBM.COM for upload from WinSCP specifying only the new HTTP proxy.

I am now trying z/OS OpenSSH sftp command trying to use the following command getting ProxyCommand command not found error.

SYSE21:/u/tec1002/.ssh# sftp -o ProxyCommand='/usr/bin/nc -v -x www-proxy-hqdc.us.oracle.com:80' anonymous@testcase.boulder.us.ibm
Connecting to testcase.boulder.us.ibm...
/usr/bin/nc: Command not found.
FOTS1338 ssh_exchange_identification: Connection closed by remote host
FOTS0841 Connection closed
SYSE21:/u/tec1002/.ssh#

Would anyone have any suggestions on the above sftp error?

If not, would Co:Z sftp allow me to run from USS or batch and connect to IBM specifying z/OS datasets and/or USS files?

Thanks in advance,
Jon

[dovetail]

IBM does not provide a "nc" (netcat) command with z/OS.

We have a proxy command that is designed to use with OpenSSH on z/OS for this purpose.
You can download it free from here: https://dovetail.com/community/sshproxyc.html

[nolting]

Thanks for the response.

If I understand correctly, the "nc" command not found is coming from z/OS USS and not the HTTP proxy? That would make sense. I will look at your download immediately.

Again, thanks so much!

[nolting]

Apologize for my ignorance and confusion.

I have tried to download ssh-proxyc both inside and outside Oracle's VPN network. When I click the download button, I get a tab with what appears to be the actual PAX'd binary. I normally would be asked to download and where to put the file.

When I try and download the Installation Guide and Release Notes, this time it places coz-5.0.0 into the Windows download directory.

What am I doing wrong in trying to downlog ssh-proxyc?

[dovetail]

Apparently your browser is configured to view the .pax file rather than select a download location.
Try "Save as" on the last download button for the .pax file

[nolting]

Thanks again for your help! I was able to SAVE AS the download file as ssh-proxyc.pax, upload it in binary and extract it into a z/OS 2.2 USS filesystem.

I ran the using your code and get the following:

SYSE22:/u/tec1002/bin# sftp -o ProxyCommand='/u/tec1002/bin/ssh-proxyc -v -p www-proxy-hqdc.us.oracle.com:80' anonymous@testcase.boulder.us.ibm
Co:Z ssh-proxyc version: 1.0.1 2017-01-05
Copyright (C) Dovetailed Technologies, LLC. 2016-2017. All rights reserved.
usage: ssh-proxyc [-46Ehv] -p proxy_address[:port] destination [port]
FOTS1338 ssh_exchange_identification: Connection closed by remote host
FOTS0841 Connection closed
SYSE22:/u/tec1002/bin#

I am missing some Oracle history and not sure what version of OpenSSH sftp is currently available. I also see there is a requirement which I still need to research. Based on your experience with the error above, any ideas as I dig deeper?

•z/OS V2R2 OpenSSH with PTF UA79909 (or later releases)

[nolting]

Dug deeper and now see the requirement for UA79909 which is an add-on to HOS2220 and allows the FDpass option.

We're having IBMLINK problems but am trying to get that PTF and will try again. Slow but sure but I think I am getting closer.

[dovetail]

Also, the error that you are getting:

usage: ssh-proxyc [-46Ehv] -p proxy_address[:port] destination [port]

means that your ssh-proxy command is not correct.
See the README for correct usage.

[nolting]

Yes. Found that when running the following:

SYSE22:/u/tec1002# sftp -o ProxyUseFDpass -o ProxyCommand='/u/tec1002/bin/ssh-proxyc -E -v -p www-proxy-hqdc.us.oracle.com:80' -v anonymous@testcase.boulder.us.ibm
FOTS1388 command-line: line 0: Bad configuration option: ProxyUseFDpass
FOTS0841 Connection closed

Now I'm working on getting the required PTF for FDpass.


Also, can you confirm that sftp once all the pieces are in place will only support USS filesystem files and NOT TSO files?

[nolting]

Could I ask some help again? I have the OpenSSH sftp command along with ssh_proxyc from Dovetailed Tech. I now have the OpenSSH required PTF installed and am now getting the following error when trying to connect to TESTCASE.BOULDER.IBM.COM.

I am not sure I have all the parameters set correctly. Any suggestions on what might be wrong? I also have the WinSCP sftp log of a connection which worked to the same IBM site with the same HTTP proxy. Appreciate any guidance that can be provided.

SYSE22:/u/tec1002# sftp -24 -vv -o ProxyUseFDpass=yes -o ProxyCommand='/u/tec1002/bin/ssh-proxyc -E -v -p www-proxy-hqdc.us.oracle.com:80' anonymous@testcase.boulder.us.ibm 80
OpenSSH_6.4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: mac_setup: found hmac-sha1-etm@openssh.com
debug2: mac_setup: found hmac-sha2-256-etm@openssh.com
debug2: mac_setup: found hmac-sha2-512-etm@openssh.com
debug2: mac_setup: found hmac-sha1-96-etm@openssh.com
debug2: mac_setup: found hmac-sha1
debug2: mac_setup: found hmac-sha2-256
debug2: mac_setup: found hmac-sha2-512
debug2: mac_setup: found hmac-sha1-96
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug2: mac_setup: found hmac-md5-96-etm@openssh.com
debug2: mac_setup: found hmac-md5
debug2: mac_setup: found hmac-md5-96
debug2: mac_setup: found umac-64-etm@openssh.com
debug2: mac_setup: found umac-128-etm@openssh.com
debug2: mac_setup: found hmac-ripemd160-etm@openssh.com
debug2: mac_setup: found umac-64@openssh.com
debug2: mac_setup: found umac-128@openssh.com
debug2: mac_setup: found hmac-ripemd160
debug2: mac_setup: found hmac-ripemd160@openssh.com
debug1: Reading configuration data /etc/ssh/zos_ssh_config
debug1: zsshSmfSetConnSmfStatus: SMF status is 0
debug2: ssh_connect: needpriv 0
debug1: Executing proxy dialer command: exec /u/tec1002/bin/ssh-proxyc -E -v -p www-proxy-hqdc.us.oracle.com:80
debug1: permanently_drop_suid: 0
Co:Z ssh-proxyc version: 1.0.1 2017-01-05
Copyright (C) Dovetailed Technologies, LLC. 2016-2017. All rights reserved.
usage: ssh-proxyc [-46Ehv] -p proxy_address[:port] destination [port]
FOTS2080 mm_receive_fd: recvmsg: expected received 1 got 0
FOTS3339 proxy dialer did not pass back a connection
debug1: zsshSmfSetConnSmfStatus: SMF status is 0
FOTS0841 Connection closed
SYSE22:/u/tec1002#

[dovetail]

Your ssh-proxyc command is not valid.
Take a look at the README for valid syntax:
https://dovetail.com/docs/sshproxyc/readme.html

I am guessing that you need something like:

sftp -vv -oProxyUseFDpass=yes -oProxyCommand='/u/tec1002/bin/ssh-proxyc -v -p www-proxy-hqdc.us.oracle.com:80 %h %p' anonymous@testcase.boulder.ibm.com

[njd]

Hi,

Do you have an example of using COZSFTP to run the following with ssh-proxyc?

sftp -vv -oProxyUseFDpass=yes -oProxyCommand='/u/tec1002/bin/ssh-proxyc -v -p www-proxy-hqdc.us.oracle.com:80 %h %p' anonymous@testcase.boulder.ibm.com

Many thanks

[dovetail]

ssh-proxyc supports SOCKS5 proxy servers, not HTTP proxy servers.
Sorry for the confusion.

For more information, see: https://dovetail.com/community/sshproxyc.html