Leonard,

Were you successful using your test userid using SSH_ASKPASS along with the
"-b" option?
If you have your askpass script write something to stderr, you may find that
it is not being called.

This is because the "-b file" switch enables "-oBatchMode=yes", which
disables SSH_ASKPASS.

But if you do have "BatchMode yes" in your custom ssh_config file, then it
could be something else.  I would need to see the -vvv log to make any more
guesses :-)

Regards,

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS> Here is some sample JCL that we include with (free) Co:Z SFTP that
solves this problem:

//RUNSFTP EXEC PGM=COZBATCH  (BPXBATCH replacement)
//STDIN DD *

# Customize these ...
coz_bin="/opt/dovetail/coz/bin"
remoteuser="uid"
server="remote.host.name"
servercp="ISO8859-1"
remotefile="/path/to/file"

# These can be used to read the ssh password from a (secured) dataset
# if you don't want to setup public/private keypairs
export PASSWD_DSN='//COZUSER.PASSWD(SITE1)'
export SSH_ASKPASS=$coz_bin/read_passwd_dsn.sh
export DISPLAY=none

ssh_opts="-oBatchMode=no"      # allows ssh to use SSH_ASKPASS program
ssh_opts="$ssh_opts -oConnectTimeout=60"
ssh_opts="$ssh_opts -oServerAliveInterval=60"
ssh_opts="$ssh_opts -oStrictHostKeyChecking=no" # accept initial host keys

# Invoke the Co:Z sftp client with an in-line batch of commands
# that downloads a remote file to a local DD.
# Note that "-oBatchMode=no" must be specified before "-b"
#      since ssh opts are first-sticky

$coz_bin/cozsftp  $ssh_opts -b- $remoteuser@$server <<EOB
lzopts mode=text,servercp=$servercp
get $remotefile //DD:DOWNLOAD
EOB

//DOWNLOAD DD DSN=&&DOWNLOAD,DISP=(NEW,DELETE),
//           DCB=(...),SPACE=(...)
//


On Tue, Nov 30, 2010 at 3:32 PM, Leonard Sasso <lsa...@csc.com> wrote:

> Does the production RACF id have an OMVS segment?  Yes
> Does it have a HOME subdirectory?  Yes
> Is there a .ssh subdirectory in the $HOME for this user?  Yes
> Is the UNIX filemode for .ssh subdirectory set to 700 or 600?  Set to 770
> Are the files in the .ssh subdirectory all set to filemode 600?  Set to
> 600 or 644 or 777
> Is .ssh and all its files owned by the production RACF id?  Yes
>
>
> JCL:
>
> //SASSCAQP JOB OPS,'SFTP TESTING',CLASS=1,MSGCLASS=X,USER=LSASSO,
> //        NOTIFY=LSASSO
> /*JOBPARM S=TST1
> //*
> //SFTP     EXEC PGM=BPXBATCH,REGION=0M,
> // PARM=('sh sftp -vvv -F /u/home/lsasso/.ssh/config -b /u/home/lsasso/
> //             cmd.txt nymedicaid...@ftp.upd.caqh.org')
> //*
> //STDOUT   DD SYSOUT=*,LRECL=132,RECFM=F
> //STDERR   DD SYSOUT=*,LRECL=132,RECFM=F
> //STDENV   DD *
> DISPLAY=FOO
> SSH_ASKPASS=/u/home/lsasso/askpass.sh
> //*
>
>
>
> Thank You.
>
> Len Sasso
>
>
>
> RDC Operations - Systems Administrator
> CSC
> Information Technology Infrastructure Services (ITIS)
> | p: 518.257-4209 | m: 518.894-0879 | f: 518.257-4300 | lsa...@csc.com |
> www.csc.com
>
> This is a PRIVATE message. If you are not the intended recipient, please
> delete without copying and kindly advise us by e-mail of the mistake in
> delivery.
> NOTE: Regardless of content, this e-mail shall not operate to bind CSC to
> any order or other contract unless pursuant to explicit written agreement
> or government initiative expressly permitting the use of e-mail for such
> purpose.
>
>
>
> From:
> "McKown, John" <john.mck...@healthmarkets.com>
> To:
> IBM-MAIN@bama.ua.edu
> Date:
> 11/30/2010 04:13 PM
> Subject:
> Re: "FOTS1346 Permission denied, please try  again"
>
>
>
> It might be easier to see if you'd post the JCL and SYSIN type input for
> the failing step. Does the production RACF id have an OMVS segment? Does
> it have a HOME subdirectory? Is there a .ssh subdirectory in the $HOME for
> this user? Is the UNIX filemode for .ssh subdirectory set to 700 or 600?
> Are the files in the .ssh subdirectory all set to filemode 600? Is .ssh
> and all its files owned by the production RACF id? Just some questions.
>
> --
> John McKown
> Systems Engineer IV
> IT
>
> Administrative Services Group
>
> HealthMarkets(r)
>
> 9151 Boulevard 26 * N. Richland Hills * TX 76010
> (817) 255-3225 phone *
> john.mck...@healthmarkets.com * www.HealthMarkets.com
>
> Confidentiality Notice: This e-mail message may contain confidential or
> proprietary information. If you are not the intended recipient, please
> contact the sender by reply e-mail and destroy all copies of the original
> message. HealthMarkets(r) is the brand name for products underwritten and
> issued by the insurance subsidiaries of HealthMarkets, Inc. -The
> Chesapeake Life Insurance Company(r), Mid-West National Life Insurance
> Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM
>
>
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List
> > [mailto:ibm-m...@bama.ua.edu] On Behalf Of Leonard Sasso
> > Sent: Tuesday, November 30, 2010 2:59 PM
> > To: IBM-MAIN@bama.ua.edu
> > Subject: "FOTS1346 Permission denied, please try again"
> >
> > Our Mainframe Batch job is successful using a Test Userid and
> > Password to
> > SSH to a remote host using password authentication (via
> > askpass).  When we
> > try the same job with the Production Userid and Password, we
> > receive the
> > following error: "FOTS1346 Permission denied, please try again". This
> > causes user authentication to fail. The SSH client then
> > eventually fails
> > with the error: "FOTS1373 Permission denied
> > (publickey,password,keyboard-interactive)".
> >
> > Per the IBM Ported Tools for z/OS User's Guide (page 111 - # 22):
> >
> > "Verify that you are not trying to use ssh while switched to
> > another user
> > ID. In other words, did you issue ssh after the su command?
> > The original
> > controlling terminal (displayed by the tty command) is owned
> > by the user
> > ID originally logged in. Your target user may not have
> > permission to read
> > from it."
> >
> > We are not issuing the "su" command (what is the "su" command)?
> >
> > Any help would be appreciated.
> >
> >
> > Thank You.
> >
> > Len Sasso
> >
> >
> >
> > RDC Operations - Systems Administrator
> > CSC
> > Information Technology Infrastructure Services (ITIS)
> > | p: 518.257-4209 | m: 518.894-0879 | f: 518.257-4300 |
> > lsa...@csc.com |
> > www.csc.com
> >
> >
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>
>
>
>

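The option ordering described in the reply at the top of this thread, as an added example that is not part of the original messages and is not Co:Z or OpenSSH code: a shell pre-flight that models which BatchMode value an sftp command line selects and whether SSH_ASKPASS can be used. It assumes command-line options are first-wins and that "-b" acts as "-oBatchMode=yes" at its position, as the reply states, and that DISPLAY must be set, as both jobs in the thread do; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: models the option handling described in the thread.
# It never runs ssh/sftp and does not read the file named by -F.

# Print the BatchMode value (yes|no) an sftp argument list selects.
# Assumptions: the first value seen wins, and "-b" counts as
# "-oBatchMode=yes" at the position where it appears.
effective_batchmode() {
    while [ $# -gt 0 ]; do
        opt=
        case "$1" in
            -b*) echo yes; return 0 ;;                # -b file, -bfile, -b-
            -o)  opt=${2-}; if [ $# -ge 2 ]; then shift; fi ;;
            -o*) opt=${1#-o} ;;
        esac
        # Keywords are case-insensitive; "Key=value" and "Key value" both occur.
        opt=$(printf '%s' "$opt" | tr '[:upper:]' '[:lower:]')
        case "$opt" in
            batchmode=*|"batchmode "*) printf '%s\n' "${opt#batchmode?}"; return 0 ;;
        esac
        shift
    done
    echo no                                           # OpenSSH default
}

# Return 0 if the askpass program can be used with these arguments;
# otherwise report the first blocking condition on stderr and return 1.
askpass_preflight() {
    if [ "$(effective_batchmode "$@")" = yes ]; then
        echo "BatchMode=yes in effect: SSH_ASKPASS will not be called" >&2
        return 1
    fi
    if [ -z "${SSH_ASKPASS:-}" ] || [ ! -x "$SSH_ASKPASS" ]; then
        echo "SSH_ASKPASS is unset or not an executable file" >&2
        return 1
    fi
    if [ -z "${DISPLAY:-}" ]; then                    # assumed requirement
        echo "DISPLAY is not set" >&2
        return 1
    fi
    return 0
}

# Constructed command lines modelled on the two jobs in the thread.
effective_batchmode -vvv -F /u/home/lsasso/.ssh/config -b /u/home/lsasso/cmd.txt
effective_batchmode -oBatchMode=no -oConnectTimeout=60 -b- uid@remote.host.name
```

Running askpass_preflight with the same arguments as the real sftp step, before that step, shows on stderr why the askpass script would never be reached.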