Problems with ssh

Discussion of the COZBATCH utility for z/OS
rsuess
Posts: 3
Joined: Wed Jul 08, 2009 8:13 am

Post by rsuess »

Hi support forum,

I again tried to use the following:

//PROCLIB JCLLIB ORDER='SCB.COZ0000.C.SAMPJCL'
//RUNCOZ EXEC PROC=COZPROC,ARGS='xca1550§mvsv.mvsbrz.fiducia.de'
//COZCFG DD *
ssh-options=-vvv
//STDIN DD *
uname -a
env


I get:


CoZLauncher[N]: version: 1.3.0 2009-06-11
CoZLauncher[N]: Copyright (C) Dovetailed Technologies, LLC. 2006. All rights reserved.
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: Seeding PRNG from /usr/lib/ssh/ssh-rand-helper
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to mvsv.mvsbrz.fiducia.de [10.253.212.33] port 22.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/xca1550/.ssh/identity type -1
debug1: identity file /home/xca1550/.ssh/id_rsa type -1
debug1: identity file /home/xca1550/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 126/256
debug2: bits set: 504/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/xca1550/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: filename /home/xca1550/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: filename /home/xca1550/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug2: no key of type 0 for host mvsv.mvsbrz.fiducia.de
debug3: check_host_in_hostfile: filename /home/xca1550/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug3: check_host_in_hostfile: filename /home/xca1550/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug2: no key of type 2 for host mvsv.mvsbrz.fiducia.de
Host key verification failed.
CoZLauncher[E]: xca1550@mvsv.mvsbrz.fiducia.de target command '<default shell>' ended with RC=255


I put the following line into /etc/ssh/sshd_config:

Subsystem dspipes /home/xca1550/coz/bin/dspipes

and restarted the ssh daemon.

Then I generated keys in my ~/.ssh directory as documented in IBM's Ported Tools documentation, in the chapter "Steps for performing setup for server authentication":


Version 1 ssh-keygen -t rsa1 -f /home/xca1550/.ssh/ssh_host_key -N ""
Version 2 ssh-keygen -t dsa -f /home/xca1550/.ssh/ssh_host_dsa_key -N ""
Version 2 ssh-keygen -t dsa -f /home/xca1550/.ssh/ssh_host_rsa_key -N ""

Now I have all these files in my home dir.

Then I appended all these key files to my

/home/xca1550/.ssh/ssh_known_hosts, which now has 3 records.

I also copied this to the file /home/xca1550/.ssh/known_hosts.

So in my /home/xca1550/.ssh dir I now have the following files:

_ File 644 2009-07-10 09:15 XCA1550 1535 known_hosts
_ File 600 2009-07-10 09:06 XCA1550 1024 prng_seed
_ File 600 2009-07-10 09:03 XCA1550 668 ssh_host_dsa_key
_ File 644 2009-07-10 09:03 XCA1550 602 ssh_host_dsa_key.pub
_ File 600 2009-07-10 08:58 XCA1550 527 ssh_host_key
_ File 644 2009-07-10 08:58 XCA1550 331 ssh_host_key.pub
_ File 600 2009-07-10 09:03 XCA1550 668 ssh_host_rsa_key
_ File 644 2009-07-10 09:03 XCA1550 602 ssh_host_rsa_key.pub
_ File 644 2009-07-10 09:05 XCA1550 1535 ssh_known_hosts

But why the error

debug2: no key of type 2 for host mvsv.mvsbrz.fiducia.de

Host key verification failed.

?

Best regards
Raimund
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail »

(Note: this question should have been posted to the Co:Z forum.)

Co:Z Launcher uses IBM's Ported Tools OpenSSH for its ssh connection. OpenSSH in this case uses different key pairs:

1) the "host key": the server's public host key must be available in the client's "known_hosts" (one of the files searched for host keys).

2) the "user key": the user's public key must be placed in the $HOME/.ssh/authorized_keys file on the server.

Note that OpenSSH key files are always text, so if you transfer them from MVS to other systems, you need to translate ASCII<->EBCDIC.

It appears that you are trying to use the user key as a host key.

There are three ways to get the host key (1) set up:
- use an interactive ssh session from the client to the server and then "accept" the host key when prompted
- copy the host key yourself.
- use the ssh option "-oStrictHostKeyChecking=no" and the client will accept a *new* host key without prompting, so it will work in batch

The easiest way is to log on to your MVS client system using the same userid that you will be using in batch. A TTY shell is required (the TSO OMVS environment won't work), so the best way is to use ssh. From MVS you interactively issue the ssh command to log in to your target system. You will be prompted to accept the host key, and then, if you have set up your user key, you will be logged in without a password.

Here is a flash demo of setting up OpenSSH keys:
http://dovetail.com/demos/coz/demo_keys.html
usaajrm
Posts: 87
Joined: Tue Feb 06, 2007 3:46 pm

Post by usaajrm »

Is the flash demo still functional? I tried the link but the progress moves to the right and nothing shows on the screen. I could use some help understanding and setting up ssh so I can run cozbatch.
coz
Posts: 391
Joined: Fri Jul 30, 2004 5:29 pm

Post by coz »

Yes, the demo still works. You might need to check your flash setup. I just ran it successfully under Firefox 3.0 and IE 8.

We recently updated the section of the Co:Z user's guide to describe the ssh client authentication options in more detail. You might wish to check this out as well:

http://www.dovetail.com/docs/coz/auth.html
usaajrm
Posts: 87
Joined: Tue Feb 06, 2007 3:46 pm

Post by usaajrm »

I ssh'd to z/OS and created the private/public keys. I copied the public key to authorized_keys. Then I tried to run a batch job and got the following error:

Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password,keyboard-interactive).
[14:16:14.258536] CoZLauncher[E]: <28> NW29233@B011 target command '<default shell>' ended with RC=255

JCL:
//STEP1 EXEC COZPROC,
// ARGS='-LW,t,e myid@MYZOS'
//STDIN DD *
# This is input to the remote shell
echo "We are running on: $(hostname)"
echo "__________env:________________"
env
echo "^^^^^^^^^^env:^^^^^^^^^^^^^^^^"
echo ""
fromdsn //DD:INPUT | grep BLKSIZE \
| todsn -b //DD:OUTPUT
//INPUT DD DSN=SYS1.MACLIB(ACB),DISP=SHR
//OUTPUT DD SYSOUT=*
usaajrm
Posts: 87
Joined: Tue Feb 06, 2007 3:46 pm

Post by usaajrm »

BTW, as a first step, I just want to run the Co:Z launcher running OMVS commands. Everything I'm reading is talking about sshing to a remote non-z/OS box.
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail »

To troubleshoot this:

Log in with a real shell to the z/OS system that you want to be your client, using the same userid as you will use in the batch job. You can use PuTTY to do this, or some other TTY telnet client, but not OMVS under TSO, since IBM doesn't allow you to use the z/OS ssh client under OMVS.

Then, from the shell on the client z/OS system, do this:

ssh myid@target.zos.host ls

If this doesn't work without prompting you for a password, then you haven't set up the ssh keys properly.

If your ssh keys aren't working, you will need to provide us with some additional info:

From the client z/OS system, list the .ssh directory:

cd
cd .ssh
ls -al

On the server z/OS system:

cd
cd .ssh
ls -al
cat authorized_keys
usaajrm
Posts: 87
Joined: Tue Feb 06, 2007 3:46 pm

Post by usaajrm »

Does it matter if the client and target z/OS are the same?
usaajrm
Posts: 87
Joined: Tue Feb 06, 2007 3:46 pm

Post by usaajrm »

In the first part of the known_hosts file is a literal 'ssh-rsa'.
I created the keys with -t dsa; should I have used -t rsa?

Note: IDs and host names have been changed to protect the innocent.

-rw-rw-r-- 1 XX99999 @NW 602 Apr 27 14:01 authorized_keys
-rw------- 1 XX99999 @NW 672 Apr 27 10:07 id_dsa
-rw-r--r-- 1 XX99999 @NW 602 Apr 27 10:07 id_dsa.pub
-rw-r--r-- 1 XX99999 @NW 454 Apr 27 14:33 known_hosts
-rw------- 1 XX99999 @NW 1024 Apr 27 14:51 prng_seed
MYZOS:/u/xx99999/.ssh $
MYZOS:/u/xx99999/.ssh $ cat known_hosts
00.00.000.0 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAu0VJqA3KgtGToAnphrF8cRRo8obdXo4ildBP3MRKj12x9c40rSyiW4zoSTatm/FxFtIfHsCWvsgzsfqO7ArgPZ6R2a99wdkxsnmoyrp0+kOsQYlkrs/AoZACDtC4pFYhebUNoURoN7XKdKs5d1wO4/KSe6kgziX/BhEJpHqcwCE=
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail »

Since your authorized_keys file only has one key in it, it should be exactly the same as id_dsa.pub. Check with a diff command.

I believe that your problem is that authorized_keys has the wrong permissions. Try "chmod 600 authorized_keys"

See "Common Pitfalls" (Slide 29) in our "Using SFTP on z/OS" webinar:

http://www.dovetail.com/docs/sftp/sftp-webinar.pdf
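The checks dovetail describes in this reply and in the earlier reply on host keys versus user keys, as an added shell script that is not part of Co:Z or IBM Ported Tools: it audits a .ssh directory for a group- or other-writable authorized_keys, a public key that is not actually present in authorized_keys, and a target host that has no entry in known_hosts. The sample directory, the host name MYZOS and all key material are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from Co:Z or IBM Ported Tools: audit a .ssh directory
# for the pitfalls in this thread. Only ls, cut and awk are used so it also runs
# in a z/OS USS shell.

# 0 if FILE is not group- or other-writable; sshd's StrictModes rejects an
# authorized_keys with mode -rw-rw-r-- like the one in the listing above.
safe_mode() {
    m=$(ls -ld "$1" | cut -c1-10)
    [ "$(echo "$m" | cut -c6)" = "-" ] && [ "$(echo "$m" | cut -c9)" = "-" ]
}
# 0 if HOST appears in field 1 of a line in KNOWN_HOSTS (field 1 may be a
# comma-separated list of names/addresses; hashed entries are not handled).
host_known() {
    awk -v h="$1" '$1 !~ /^#/ { n = split($1, a, ","); for (i = 1; i <= n; i++)
        if (a[i] == h) found = 1 } END { exit !found }' "$2"
}
# 0 if the key in PUBFILE (type + base64 blob, comment ignored) is present in
# AUTHORIZED_KEYS, the comparison dovetail suggests doing with diff.
key_authorized() {
    want=$(awk '{ print $1, $2 }' "$1")
    awk -v w="$want" '($1 " " $2) == w { found = 1 } END { exit !found }' "$2"
}
# Run all checks on DIR for target HOST; print each finding and return the
# number of problems (0 means the setup looks consistent).
audit_ssh_dir() {
    dir=$1; host=$2; bad=0; ak=$dir/authorized_keys
    [ -f "$ak" ] || { echo "$ak: missing"; bad=$((bad + 1)); }
    [ -f "$ak" ] && ! safe_mode "$ak" && { echo "$ak: chmod 600 needed"; bad=$((bad + 1)); }
    for p in "$dir"/id_*.pub; do
        [ -f "$p" ] && [ -f "$ak" ] && ! key_authorized "$p" "$ak" &&
            { echo "$p: not in authorized_keys"; bad=$((bad + 1)); }
    done
    { [ -f "$dir/known_hosts" ] && host_known "$host" "$dir/known_hosts"; } ||
        { echo "$host: no host key in known_hosts"; bad=$((bad + 1)); }
    return $bad
}
# Constructed sample .ssh directory mirroring the thread: authorized_keys is a
# copy of id_dsa.pub but mode 664, and known_hosts only knows some other host.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    echo "ssh-dss AAAAB3NzaC1kc3MAAACBconstructed= xx99999@MYZOS" > "$d/id_dsa.pub"
    cp "$d/id_dsa.pub" "$d/authorized_keys"
    echo "10.0.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructed=" > "$d/known_hosts"
    chmod 664 "$d/authorized_keys"; chmod 644 "$d/id_dsa.pub" "$d/known_hosts"
    echo "$d"
}

d=$(make_sample_dir)
audit_ssh_dir "$d" MYZOS || echo "problems found: $?"
```

Run it against a real directory with `audit_ssh_dir ~/.ssh target.host`; the sample run above reports two problems, the 664 authorized_keys and the missing MYZOS host key.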
usaajrm
Posts: 87
Joined: Tue Feb 06, 2007 3:46 pm

Post by usaajrm »

I'm not sure what I was doing wrong, but I repeated the steps a couple more times and now it is working. Thanks for the help. I'm looking forward to using this more, and especially to running scripts on a Linux server, my next goal.