Kirk: We were successful using our Test Userid using SSH_ASKPASS along with the "-b" option.
We have "BatchMode no" in our custom ssh_config file.

-vvv log contents:

OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /u/home/lsasso/.ssh/PConfg
debug3: Seeding PRNG from /usr/lib/ssh/ssh-rand-helper
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to 216.115.171.196 [216.115.171.196] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /u/home/lsasso/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /u/home/lsasso/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /u/home/lsasso/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /u/home/lsasso/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version 6.0.3.9 SSH Tectia Server
debug1: no match: 6.0.3.9 SSH Tectia Server
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,ae
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,ae
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,seed-...@ssh.com,crypticore...@ssh.com
debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,seed-...@ssh.com,crypticore...@ssh.com
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,crypticore-...@ssh.com
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,crypticore-...@ssh.com
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 134/256
debug2: bits set: 518/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /u/home/lsasso/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '216.115.171.196' is known and matches the RSA host key.
debug1: Found key in /u/home/lsasso/.ssh/known_hosts:1
debug2: bits set: 513/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /u/home/lsasso/.ssh/id_rsa (19b40098)
debug2: key: /u/home/lsasso/.ssh/id_dsa (19b400f8)
debug1: Authentications that can continue: gssapi-with-mic,password,publickey,keyboard-interactive
debug3: start over, passed a different list gssapi-with-mic,password,publickey,keyboard-interactive
debug3: preferred password
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: packet_send2: adding 48 (len 68 padlen 12 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: gssapi-with-mic,password,publickey,keyboard-interactive
FOTS1346 Permission denied, please try again.
debug3: packet_send2: adding 48 (len 68 padlen 12 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: gssapi-with-mic,password,publickey,keyboard-interactive
FOTS1346 Permission denied, please try again.
debug3: packet_send2: adding 48 (len 68 padlen 12 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: gssapi-with-mic,publickey,keyboard-interactive
debug3: start over, passed a different list gssapi-with-mic,publickey,keyboard-interactive
debug3: preferred password
debug1: No more authentication methods to try.
FOTS1373 Permission denied (gssapi-with-mic,publickey,keyboard-interactive).
FOTS0841 Connection closed

Thank You.

Len Sasso

RDC Operations - Systems Administrator
CSC
Information Technology Infrastructure Services (ITIS)
| p: 518.257-4209 | m: 518.894-0879 | f: 518.257-4300 | lsa...@csc.com | www.csc.com

This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery.
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.

From: Kirk Wolf <k...@dovetail.com>
To: IBM-MAIN@bama.ua.edu
Date: 11/30/2010 04:52 PM
Subject: Re: "FOTS1346 Permission denied, please try again"

Leonard,

Were you successful using your test userid using SSH_ASKPASS along with the "-b" option?

If you have your askpass script write something to stderr, you may find that it is not being called. This is because the "-b file" switch enables "-oBatchMode=yes", which disables SSH_ASKPASS.

But if you do have "BatchMode yes" in your custom ssh_config file, then it could be something else.
I would need to see the -vvv log to make any more guesses :-)

Regards,
Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS> Here is some sample JCL that we include with (free) Co:Z SFTP that solves this problem:

//RUNSFTP EXEC PGM=COZBATCH   (BPXBATCH replacement)
//STDIN   DD *
# Customize these ...
coz_bin="/opt/dovetail/coz/bin"
remoteuser="uid"
server="remote.host.name"
servercp="ISO8859-1"
remotefile="/path/to/file"

# These can be used to read the ssh password from a (secured) dataset
# if you don't want to setup public/private keypairs
export PASSWD_DSN='//COZUSER.PASSWD(SITE1)'
export SSH_ASKPASS=$coz_bin/read_passwd_dsn.sh
export DISPLAY=none

ssh_opts="-oBatchMode=no"  # allows ssh to use SSH_ASKPASS program
ssh_opts="$ssh_opts -oConnectTimeout=60"
ssh_opts="$ssh_opts -oServerAliveInterval=60"
ssh_opts="$ssh_opts -oStrictHostKeyChecking=no" # accept initial host keys

# Invoke the Co:Z sftp client with an in-line batch of commands
# that downloads a remote file to a local DD.
# Note that "-oBatchMode=no" must be specified before "-b"
# since ssh opts are first-sticky
$coz_bin/cozsftp $ssh_opts -b- $remoteu...@$server <<EOB
lzopts mode=text,servercp=$servercp
get $remotefile //DD:DOWNLOAD
EOB
//DOWNLOAD DD DSN=&&DOWNLOAD,DISP=(NEW,DELETE),
//   DCB=(...),SPACE=(...)
//

On Tue, Nov 30, 2010 at 3:32 PM, Leonard Sasso <lsa...@csc.com> wrote:

> Does the production RACF id have an OMVS segment? Yes
> Does it have a HOME subdirectory? Yes
> Is there a .ssh subdirectory in the $HOME for this user? Yes
> Is the UNIX filemode for .ssh subdirectory set to 700 or 600? Set to 770
> Are the files in the .ssh subdirectory all set to filemode 600? Set to
> 600 or 644 or 777
> Is .ssh and all its files owned by the production RACF id? Yes
>
> JCL:
>
> //SASSCAQP JOB OPS,'SFTP TESTING',CLASS=1,MSGCLASS=X,USER=LSASSO,
> // NOTIFY=LSASSO
> /*JOBPARM S=TST1
> //*
> //SFTP EXEC PGM=BPXBATCH,REGION=0M,
> // PARM=('sh sftp -vvv -F /u/home/lsasso/.ssh/config -b /u/home/lsasso/
> // cmd.txt nymedicaid...@ftp.upd.caqh.org')
> //*
> //STDOUT DD SYSOUT=*,LRECL=132,RECFM=F
> //STDERR DD SYSOUT=*,LRECL=132,RECFM=F
> //STDENV DD *
> DISPLAY=FOO
> SSH_ASKPASS=/u/home/lsasso/askpass.sh
> //*
>
> Thank You.
>
> Len Sasso
>
> From: "McKown, John" <john.mck...@healthmarkets.com>
> To: IBM-MAIN@bama.ua.edu
> Date: 11/30/2010 04:13 PM
> Subject: Re: "FOTS1346 Permission denied, please try again"
>
> It might be easier to see if you'd post the JCL and SYSIN type input for
> the failing step. Does the production RACF id have an OMVS segment? Does
> it have a HOME subdirectory? Is there a .ssh subdirectory in the $HOME for
> this user? Is the UNIX filemode for .ssh subdirectory set to 700 or 600?
> Are the files in the .ssh subdirectory all set to filemode 600? Is .ssh
> and all its files owned by the production RACF id? Just some questions.
>
> --
> John McKown
> Systems Engineer IV
> IT
>
> Administrative Services Group
>
> HealthMarkets(r)
>
> 9151 Boulevard 26 * N. Richland Hills * TX 76010
> (817) 255-3225 phone *
> john.mck...@healthmarkets.com * www.HealthMarkets.com
>
> Confidentiality Notice: This e-mail message may contain confidential or
> proprietary information. If you are not the intended recipient, please
> contact the sender by reply e-mail and destroy all copies of the original
> message. HealthMarkets(r) is the brand name for products underwritten and
> issued by the insurance subsidiaries of HealthMarkets, Inc. -The
> Chesapeake Life Insurance Company(r), Mid-West National Life Insurance
> Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List
> > [mailto:ibm-m...@bama.ua.edu] On Behalf Of Leonard Sasso
> > Sent: Tuesday, November 30, 2010 2:59 PM
> > To: IBM-MAIN@bama.ua.edu
> > Subject: "FOTS1346 Permission denied, please try again"
> >
> > Our Mainframe Batch job is successful using a Test Userid and Password to
> > SSH to a remote host using password authentication (via askpass). When we
> > try the same job with the Production Userid and Password, we receive the
> > following error: "FOTS1346 Permission denied, please try again". This
> > causes user authentication to fail. The SSH client then eventually fails
> > with the error: "FOTS1373 Permission denied
> > (publickey,password,keyboard-interactive)".
> >
> > Per the IBM Ported Tools for z/OS User's Guide (page 111 - # 22):
> >
> > "Verify that you are not trying to use ssh while switched to another user
> > ID. In other words, did you issue ssh after the su command? The original
> > controlling terminal (displayed by the tty command) is owned by the user
> > ID originally logged in. Your target user may not have permission to read
> > from it."
> >
> > We are not issuing the "su" command (what is the "su" command)?
> >
> > Any help would be appreciated.
> >
> > Thank You.
> >
> > Len Sasso
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
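
The stderr check suggested in the thread (have the askpass script write something to stderr to see whether ssh calls it at all), sketched as an added example; it is not code from the thread or from Co:Z. `ASKPASS_SECRET_FILE` is a hypothetical variable naming a file that holds the password, and the filemode test follows the "filemode 600" question asked earlier in the thread.

```shell
#!/bin/sh
# Added example: SSH_ASKPASS helper that traces every call to stderr and
# refuses a secret file that group or other can access.
# ASKPASS_SECRET_FILE is a hypothetical name, not something from the thread.

# Return 0 only for a regular file with no group/other permission bits (e.g. 600).
is_private_file() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Trace to stderr only: ssh reads the password from stdout, so diagnostics
# must never go there. In a batch job this lands in the STDERR DD.
trace() {
    echo "askpass[$$]: $*" >&2
}

# $1 = secret file, $2 = prompt text that ssh passes to the askpass program.
# Prints the first line of the file on stdout; returns non-zero on refusal.
askpass_main() {
    secret_file=$1
    prompt=${2:-}
    trace "called, prompt='$prompt'"
    if ! is_private_file "$secret_file"; then
        trace "refusing $secret_file: missing or accessible by group/other"
        return 1
    fi
    head -n 1 "$secret_file"
    trace "password line written to stdout"
}

# Act as an askpass program only when the hypothetical variable is set,
# so the functions can also be sourced and exercised on their own.
if [ -n "${ASKPASS_SECRET_FILE:-}" ]; then
    askpass_main "$ASKPASS_SECRET_FILE" "$@"
fi
```

If no `askpass[...]` line shows up in the job's stderr output, ssh never invoked the helper, which is the batch-mode case described in the thread.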