Well, the 770 on .ssh doesn't seem right to me, but I haven't looked at the OpenSSH source code.
http://www.openssh.org/faq.html <quote> 3.14 - I copied my public key to authorized_keys but public-key authentication still doesn't work. Typically this is caused by the file permissions on $HOME, $HOME/.ssh or $HOME/.ssh/authorized_keys being more permissive than sshd allows by default. In this case, it can be solved by executing the following on the server. $ chmod go-w $HOME $HOME/.ssh $ chmod 600 $HOME/.ssh/authorized_keys $ chown `whoami` $HOME/.ssh/authorized_keys If this is not possible for some reason, an alternative is to set StrictModes no in sshd_config, however this is not recommended. </quote> -- John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) 9151 Boulevard 26 * N. Richland Hills * TX 76010 (817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM > -----Original Message----- > From: IBM Mainframe Discussion List > [mailto:ibm-m...@bama.ua.edu] On Behalf Of Leonard Sasso > Sent: Tuesday, November 30, 2010 3:33 PM > To: IBM-MAIN@bama.ua.edu > Subject: Re: "FOTS1346 Permission denied, please try again" > > Does the production RACF id have an OMVS segment? Yes > Does it have a HOME subdirectory? Yes > Is there a .ssh subdirectory in the $HOME for this user? Yes > Is the UNIX filemode for .ssh subdirectory set to 700 or 600? > Set to 770 > Are the files in the .ssh subdirectory all set to filemode > 600? Set to > 600 or 644 or 777 > Is .ssh and all its files owned by the production RACF id? Yes > > > JCL: > > //SASSCAQP JOB OPS,'SFTP TESTING',CLASS=1,MSGCLASS=X,USER=LSASSO, > // NOTIFY=LSASSO > /*JOBPARM S=TST1 > //* > //SFTP EXEC PGM=BPXBATCH,REGION=0M, > // PARM=('sh sftp -vvv -F /u/home/lsasso/.ssh/config -b > /u/home/lsasso/ > // cmd.txt nymedicaid...@ftp.upd.caqh.org') > //* > //STDOUT DD SYSOUT=*,LRECL=132,RECFM=F > //STDERR DD SYSOUT=*,LRECL=132,RECFM=F > //STDENV DD * > DISPLAY=FOO > SSH_ASKPASS=/u/home/lsasso/askpass.sh > //* > > > > Thank You. > > Len Sasso > > > > RDC Operations - Systems Administrator > CSC > Information Technology Infrastructure Services (ITIS) > | p: 518.257-4209 | m: 518.894-0879 | f: 518.257-4300 | > lsa...@csc.com | > www.csc.com > > This is a PRIVATE message. If you are not the intended > recipient, please > delete without copying and kindly advise us by e-mail of the > mistake in > delivery. > NOTE: Regardless of content, this e-mail shall not operate to > bind CSC to > any order or other contract unless pursuant to explicit > written agreement > or government initiative expressly permitting the use of > e-mail for such > purpose. > > > > From: > "McKown, John" <john.mck...@healthmarkets.com> > To: > IBM-MAIN@bama.ua.edu > Date: > 11/30/2010 04:13 PM > Subject: > Re: "FOTS1346 Permission denied, please try again" > > > > It might be easier to see if you'd post the JCL and SYSIN > type input for > the failing step. Does the production RACF id have an OMVS > segment? Does > it have a HOME subdirectory? Is there a .ssh subdirectory in > the $HOME for > this user? Is the UNIX filemode for .ssh subdirectory set to > 700 or 600? > Are the files in the .ssh subdirectory all set to filemode > 600? Is .ssh > and all its files owned by the production RACF id? Just some > questions. > > -- > John McKown > Systems Engineer IV > IT > > Administrative Services Group > > HealthMarkets(r) > > 9151 Boulevard 26 * N. Richland Hills * TX 76010 > (817) 255-3225 phone * > john.mck...@healthmarkets.com * www.HealthMarkets.com > > Confidentiality Notice: This e-mail message may contain > confidential or > proprietary information. If you are not the intended > recipient, please > contact the sender by reply e-mail and destroy all copies of > the original > message. HealthMarkets(r) is the brand name for products > underwritten and > issued by the insurance subsidiaries of HealthMarkets, Inc. -The > Chesapeake Life Insurance Company(r), Mid-West National Life > Insurance > Company of TennesseeSM and The MEGA Life and Health Insurance > Company.SM > > > > > -----Original Message----- > > From: IBM Mainframe Discussion List > > [mailto:ibm-m...@bama.ua.edu] On Behalf Of Leonard Sasso > > Sent: Tuesday, November 30, 2010 2:59 PM > > To: IBM-MAIN@bama.ua.edu > > Subject: "FOTS1346 Permission denied, please try again" > > > > Our Mainframe Batch job is successful using a Test Userid and > > Password to > > SSH to a remote host using password authentication (via > > askpass). When we > > try the same job with the Production Userid and Password, we > > receive the > > following error: "FOTS1346 Permission denied, please try > again". This > > causes user authentication to fail. The SSH client then > > eventually fails > > with the error: "FOTS1373 Permission denied > > (publickey,password,keyboard-interactive)". > > > > Per the IBM Ported Tools for z/OS User's Guide (page 111 - # 22): > > > > "Verify that you are not trying to use ssh while switched to > > another user > > ID. In other words, did you issue ssh after the su command? > > The original > > controlling terminal (displayed by the tty command) is owned > > by the user > > ID originally logged in. Your target user may not have > > permission to read > > from it." > > > > We are not issuing the "su" command (what is the "su" command)? > > > > Any help would be appreciated. > > > > > > Thank You. > > > > Len Sasso > > > > > > > > RDC Operations - Systems Administrator > > CSC > > Information Technology Infrastructure Services (ITIS) > > | p: 518.257-4209 | m: 518.894-0879 | f: 518.257-4300 | > > lsa...@csc.com | > > www.csc.com > > > > This is a PRIVATE message. If you are not the intended > > recipient, please > > delete without copying and kindly advise us by e-mail of the > > mistake in > > delivery. > > NOTE: Regardless of content, this e-mail shall not operate to > > bind CSC to > > any order or other contract unless pursuant to explicit > > written agreement > > or government initiative expressly permitting the use of > > e-mail for such > > purpose. > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO > Search the archives at http://bama.ua.edu/archives/ibm-main.html > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO > Search the archives at http://bama.ua.edu/archives/ibm-main.html > > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
