Hello,
when trying to access an SFTP server via sftp client in batch I get the following permission denied problem:
CoZBatchÕNþ: version: 5.6.0 2019-08-20
CoZBatchÕNþ: Copyright (C) Dovetailed Technologies, LLC. 2005-2019. All rights reserved.
CoZBatchÕIþ: executing progname=login-shell="-/bin/sh"
- - - - - - - - - - - - - - - - - - - - - - - - - - -
- Aufruf der ISPF-Shell im TSO: GO ISHELL -
- - - - - - - - - - - - - - - - - - - - - - - - - - -
Dieses IT-System darf ausschliesslich fuer die Durchfuehrung von
Aufgaben genutzt werden, die im Hauptvertrag HERKULES festgelegt
oder von der Bundeswehr fuer diesen Zweck autorisiert worden sind.
Run .profile for user USERID
Connect using SSH_ASKPASS, password will be read from USERID.COZ.PARMLIB.DATA(PW)...
Executing: /tst/rct20a1/usr/lpp/coz/bin/cozsftp -oBatchMode=no -oConnectTimeout=60 -oServerAliveInterval=60
-oNumberOfPasswordPrompts=1 -oStrictHostKeyChecking=yes -oPubkeyAuthentication=no -oBatchMode=yes -oPort=2222 -b-
'USERIDXXX.XXX.XXX.XXX'
Co:Z SFTP version: 5.6.0 (6.4p1) 2019-08-20
Copyright (C) Dovetailed Technologies, LLC. 2008-2019. All rights reserved.
Connecting to XXX.XXX.XXX.XXX...
WELCOME TO SFTPšš
password
Enter password for USERID
/tst/rct20a1/usr/lpp/coz/bin/read_passwd_dsn.sh prompt: "Password:"
fromdsn(USERID.COZ.PARMLIB.DATA(PW))ÕNþ: 1 records/80 bytes read; 81 bytes written in 0.002 seconds (39.551
KBytes/sec).
/tst/rct20a1/usr/lpp/coz/bin/read_passwd_dsn.sh prompt: "USERIDXXX.XXX.XXX.XXX's password: "
fromdsn(USERID.COZ.PARMLIB.DATA(PW))ÕNþ: 1 records/80 bytes read; 81 bytes written in 0.001 seconds (79.102
KBytes/sec).
FOTS1373 Permission denied (password,publickey,keyboard-interactive).
Õ81.988þ Connection closed
CoZBatchÕIþ: returning rc=exitcode=255
(Userid and IP-addresses are anonymized)
When using the client in an interactive PuTTY session it runs without problems. Any help is appreciated.
Kind regards.
Juergen
Problem using sftp client
Re: Problem using sftp client
See this message:
fromdsn(USERID.COZ.PARMLIB.DATA(PW))ÕNþ: 1 records/80 bytes read; 81 bytes written in 0.001 seconds
It means that your password give to OpenSSH was 80 bytes in length.
This is probably an error caused by line numbers in the password data set.
fromdsn(USERID.COZ.PARMLIB.DATA(PW))ÕNþ: 1 records/80 bytes read; 81 bytes written in 0.001 seconds
It means that your password give to OpenSSH was 80 bytes in length.
This is probably an error caused by line numbers in the password data set.
Re: Problem using sftp client
Hello,
thanks for your fast response. Unfortunately this hint doesn't solve the problem, because of several reasons:
1. The dataset doesn't contain any line numbers, it only contains the password and all trailing blanks. Furthermore I tried to use a dataset with LRECL=8 which is the length of the password to avoid any possible wrong characters, but I get the same result.
2. I used the standard shell script read_passwd_dsn.sh which comes with the product for reading the password from the dataset. As far as I can see this script contains some logic to ignore possible line numbers starting in coulumn 73, so even there was a line number there it should be ignored.
3. To avoid possible code page problems I used the EBCDIC representation as well as the ASCII representation of the password, but that doesn't help as well.
So, how to go further?
Kind regards.
Juergen
thanks for your fast response. Unfortunately this hint doesn't solve the problem, because of several reasons:
1. The dataset doesn't contain any line numbers, it only contains the password and all trailing blanks. Furthermore I tried to use a dataset with LRECL=8 which is the length of the password to avoid any possible wrong characters, but I get the same result.
2. I used the standard shell script read_passwd_dsn.sh which comes with the product for reading the password from the dataset. As far as I can see this script contains some logic to ignore possible line numbers starting in coulumn 73, so even there was a line number there it should be ignored.
3. To avoid possible code page problems I used the EBCDIC representation as well as the ASCII representation of the password, but that doesn't help as well.
So, how to go further?
Kind regards.
Juergen
Re: Problem using sftp client
Something strange is going on, since you seem to be getting two password prompts from the server.
The second one is odd:
USERIDXXX.XXX.XXX.XXX's password:
Is XXX.XXX.XXX.XXX the host IP address that you put on the command?
If so, you have something wrong. This message should only print the userid.
the syntax should be: userid@host.
For example: userid@192.168.0.1
I can't figure out what you have since you seemed to be editing/masking the actual output.
You will need to add "-vvv" to the command to turn on tracing to collect more complete information.
If you want, you can email this trace to info@dovetail.com and we will take a look.
The second one is odd:
USERIDXXX.XXX.XXX.XXX's password:
Is XXX.XXX.XXX.XXX the host IP address that you put on the command?
If so, you have something wrong. This message should only print the userid.
the syntax should be: userid@host.
For example: userid@192.168.0.1
I can't figure out what you have since you seemed to be editing/masking the actual output.
You will need to add "-vvv" to the command to turn on tracing to collect more complete information.
If you want, you can email this trace to info@dovetail.com and we will take a look.
Re: Problem using sftp client
Hello,
thanks for your last message. As requested I'll send the complete log using the -vvv option to the given e-mail address. Here is the protocol for the working login using interactive mode with PuTTY:
R1S1:x123456:/u/x123456:>cozsftp -P 2222 x123456@123.456.789.012
Co:Z SFTP version: 5.6.0 (6.4p1) 2019-08-20
Copyright (C) Dovetailed Technologies, LLC. 2008-2019. All rights reserved.
Connecting to 123.456.789.012...
WELCOME TO SFTP!!
password
Enter password for x123456
Password:
Connected to 123.456.789.012.
Connection established, local_addr=987.654.321.098 local_port=6478 remote_addr=123.456.789.012 remote_port=2222
cozsftp> ls -l
drwxr--r-x 1 0 0 1 Jan 07 07:46 FROMIBM
drwxr--r-x 1 0 0 1 Jan 07 07:46 ORDERNUMMER
drwxr--r-x 1 0 0 1 Jan 07 07:46 TOIBM
cozsftp> exit
R1S1:x123456:/u/x123456:>
In both documents is real userid is replaced by x123456 and the target IP-address by 123.456.789.012 .
Kind regards.
Juergen
thanks for your last message. As requested I'll send the complete log using the -vvv option to the given e-mail address. Here is the protocol for the working login using interactive mode with PuTTY:
R1S1:x123456:/u/x123456:>cozsftp -P 2222 x123456@123.456.789.012
Co:Z SFTP version: 5.6.0 (6.4p1) 2019-08-20
Copyright (C) Dovetailed Technologies, LLC. 2008-2019. All rights reserved.
Connecting to 123.456.789.012...
WELCOME TO SFTP!!
password
Enter password for x123456
Password:
Connected to 123.456.789.012.
Connection established, local_addr=987.654.321.098 local_port=6478 remote_addr=123.456.789.012 remote_port=2222
cozsftp> ls -l
drwxr--r-x 1 0 0 1 Jan 07 07:46 FROMIBM
drwxr--r-x 1 0 0 1 Jan 07 07:46 ORDERNUMMER
drwxr--r-x 1 0 0 1 Jan 07 07:46 TOIBM
cozsftp> exit
R1S1:x123456:/u/x123456:>
In both documents is real userid is replaced by x123456 and the target IP-address by 123.456.789.012 .
Kind regards.
Juergen
Re: Problem using sftp client
You are correct - the later versions of the read_passwd_dsn do try to trim trailing line numbers from the password line.
So the "80" coming from fromdsn is probably not the end result password string.
From the trace, it looks like your password is actually 15 characters - correct?
Note: Co:Z SFTP uses IBM z/OS OpenSSH for its underlying secure connection. OpenSSH is where the authentication occurs - we only support this script as a batch way of providing a password to IBM z/OS OpenSSH.
With z/OS OpenSSH, this password should be in EBCDIC in the password dataset. I suspect that what might be happening is that you are using a different EBCDIC encoding that what IBM z/OS OpenSSH supports. It only supports converting from IBM-1047 to ISO8859-1.
If this isn't the encoding that you expect, then this would explain your problem.
So the "80" coming from fromdsn is probably not the end result password string.
From the trace, it looks like your password is actually 15 characters - correct?
Note: Co:Z SFTP uses IBM z/OS OpenSSH for its underlying secure connection. OpenSSH is where the authentication occurs - we only support this script as a batch way of providing a password to IBM z/OS OpenSSH.
With z/OS OpenSSH, this password should be in EBCDIC in the password dataset. I suspect that what might be happening is that you are using a different EBCDIC encoding that what IBM z/OS OpenSSH supports. It only supports converting from IBM-1047 to ISO8859-1.
If this isn't the encoding that you expect, then this would explain your problem.
Re: Problem using sftp client
Hello,
yes the codepage was the problem! We're here using codepage 1141 and the password contains an "!" (exclamation mark) which was ascii hex 21. If I use our ebcdic exclamation mark on the z/OS side which is hex 4f it's converted to ascii 7c (vertical bar). I have to use ebcdic "Ü" (upper german umlaut ü) which is hex 5a, so this is converted correctly.
Now the job works fine. Thanks a lot for your help.
Kind regards
Juergen
yes the codepage was the problem! We're here using codepage 1141 and the password contains an "!" (exclamation mark) which was ascii hex 21. If I use our ebcdic exclamation mark on the z/OS side which is hex 4f it's converted to ascii 7c (vertical bar). I have to use ebcdic "Ü" (upper german umlaut ü) which is hex 5a, so this is converted correctly.
Now the job works fine. Thanks a lot for your help.
Kind regards
Juergen