  • SSH key pairs

    I need to establish SSH keys between two users on the same IBMi system. This is for my own testing. I have done this before with data exchanges between my IBMi and a Unix server, although I did not install the keys on the Unix server (they have their own administrator). I don't have the luxury of having a Unix server to test with today, so I have to figure out a way to test on my own, and I am a little confused on how these key pairs work.

    I have two user profiles, my own and a test user profile on my IBMi. I generated key pairs by calling QP2TERM and executing ssh-keygen -t rsa -N "", which generated id_rsa and id_rsa.pub. Now what? With the Unix scenario I sent the id_rsa.pub file to the administrator, and that was that. Do I have to create an authorized_keys file in the .ssh folder?

    Any help is appreciated (I have very little Unix experience...)
    Thanks!

  • #2
    Yes.

    Create it on the account you want to log into.

    And add the public key to the authorized_keys file -- one key per line. Note that the keys are somewhat long, so each line might "wrap" to display as multiple lines on your screen (depending on the editor you use) but it's important that there not be any line breaks in the key, so that the computer sees it all as a single line.

    • #3
      Thanks Scott.

      I have installed the authorized_keys file. I copied the id_rsa.pub file from the client and created authorized_keys file in ~/home/TESTERUSER/.ssh/authorized_keys. I used CPYSTMF to create file. I am pretty sure they are identical. I must have checked 50 times. I also made sure that the authority for *PUBLIC was *RWX.

      But still getting an error.

      Are there any other types of authentication that might be necessary?
      I am getting these responses (among others), which leads me to believe there might be?

      debug1: read_passphrase: can't open /dev/tty: No such device or address
      debug1: Authentications that can continue: publickey,password,keyboard-interactive
      Permission denied, please try again.
      debug1: read_passphrase: can't open /dev/tty: No such device or address
      debug1: Authentications that can continue: publickey,password,keyboard-interactive
      Permission denied, please try again.

      • #4
        What is CPYSTMF and why would you use it instead of the standard commands? Please make sure it didn't do something weird like translate it to EBCDIC.

        Also, check the permissions on the home directory, .ssh directory and authorized keys file. It is very picky about permissions.

        • #5
          Sorry. I mistyped that. The command is CPYTOSTMF. And I did check permissions. I set everything to *PUBLIC *RWX, which is all permissions.

          CPYTOSTMF FROMMBR(&FILEPATH) TOSTMF(&CSVFILE) +
          STMFOPT(*REPLACE) STMFCCSID(*STDASCII)

          /QOpenSys/usr/bin/scp -v /tmp/IS1073FORD TESTUSER@MYSYSTEM:/home/TESTUSER/WWT/IS1073FORD

          • #6
            CPYTOSTMF is for converting from a physical file to a stream file, which doesn't make any sense here. It typically results in things like adding blanks, converting character sets, etc., which will only add complexity and create the chance of screwing things up. And if the records in the PF aren't long enough for your key, it could completely destroy it. Just use the regular PASE "cp" utility, no need to over-complicate things with CPYTOSTMF.

            Permissions need to be set properly. I'm pretty sure *RWX would not work as that gives everyone full access, which would be a huge security problem. I don't have the correct permissions memorized, though, you'll have to search for them.

            • #7
              Forget that I mentioned CPYTOSTMF. I did that because I wanted to make sure SCP was not complaining about copying from the IFS. I could just as easily copy from a physical file. And as far as permissions go, I wanted to make sure everyone had everything in this TEST situation in order to eliminate that hurdle. I think I have checked all the boxes and I guess I can check again.

              Files id_rsa and known_hosts, and also authorized_keys.

              Still getting

              debug1: No more authentication methods to try.
              Permission denied (publickey,password,keyboard-interactive).
              lost connection

              • #8
                I'm not sure that you understand: You MUST NOT give everyone permission to your ssh directory. You seem to be saying "don't worry, I've given everyone access" and that's exactly what you MUST NOT do. SSH will deliberately not work if you give public access to it, because it'd allow other people to steal your keys, replace your keys, etc, and therefore log onto your account.

                This is what is recommended on the first hit I get via Google search:
                Chances are, your /home/<user> or ~/.ssh/authorized_keys permissions are too open by OpenSSH standards. You can get rid of this problem by issuing the following commands:
                chmod go-w ~/
                chmod 700 ~/.ssh
                chmod 600 ~/.ssh/authorized_keys
                These assume that your user profile is the owner of your home directory, the .ssh directory, and the files therein.

                Also, I would strongly recommend running the "ssh" tool first to establish that you trust the host before running "scp". Or, at least, make sure you're running from a real Unix terminal instead of 5250.

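                Post #2 says each key must sit on one unbroken line and post #8 gives the chmod commands that sshd's StrictModes requires; the script below is an added example (not from the thread, Scott, or IBM) that audits a home directory for both conditions, builds a copy that reproduces the thread's mistakes (everything 777, a key wrapped over two lines), repairs it, and audits again. It assumes GNU stat(1) for "-c '%a %u'" and uses a constructed placeholder key blob, not real key material.

```sh
#!/bin/sh
# Check an account's home for what post #8 describes: sshd ignores authorized_keys
# when the home is group/world writable, ~/.ssh is not 700, authorized_keys is not
# 600, the user does not own them, or a key has wrapped onto more than one line.
# Added example, not from the thread; assumes GNU stat(1) ("-c '%a %u'").
# Prints one line per problem found; returns 0 when clean, 1 otherwise.
audit_ssh_home() {
    local home="$1" uid="$2" n=0 keys="$1/.ssh/authorized_keys" path bad
    for path in "$home" "$home/.ssh" "$keys"; do
        if [ ! -e "$path" ]; then echo "MISSING  $path"; n=$((n+1)); continue; fi
        set -- $(stat -c '%a %u' "$path")   # $1 = octal mode, $2 = owner uid
        [ "$2" = "$uid" ] || { echo "OWNER    $path: uid $2, expected $uid"; n=$((n+1)); }
        # group/other write bits (022) are exactly what sshd's StrictModes rejects
        [ $(( 0$1 & 022 )) -ne 0 ] && { echo "WRITABLE $path mode $1"; n=$((n+1)); }
    done
    [ -d "$home/.ssh" ] && [ "$(stat -c %a "$home/.ssh")" != 700 ] &&
        { echo "MODE     $home/.ssh is not 700"; n=$((n+1)); }
    if [ -f "$keys" ]; then
        [ "$(stat -c %a "$keys")" != 600 ] && { echo "MODE     $keys is not 600"; n=$((n+1)); }
        # a non-comment line with no "<keytype> <base64>" pair is a wrapped fragment
        bad=$(grep -Ev '^[[:space:]]*(#|$)' "$keys" | grep -Evc \
            '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9-]+)[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)' || true)
        [ "$bad" -gt 0 ] && { echo "KEYLINE  $bad fragment line(s) in $keys"; n=$((n+1)); }
    fi
    [ "$n" -eq 0 ]
}

# Build a throw-away home reproducing the thread's mistakes: everything 777 and one
# key wrapped across two lines. The blob is a constructed placeholder, not a real key.
make_broken_home() {
    local home; home=$(mktemp -d); mkdir "$home/.ssh"
    printf '%s\n%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedBlobPart1' \
        'constructedBlobPart2== tester@constructed' > "$home/.ssh/authorized_keys"
    chmod 777 "$home" "$home/.ssh" "$home/.ssh/authorized_keys"
    echo "$home"
}

# Apply the chmod commands from post #8 and glue every continuation line (one that
# does not start with a key type) back onto the line above it.
repair_home() {
    local keys="$1/.ssh/authorized_keys"
    chmod go-w "$1"; chmod 700 "$1/.ssh"
    awk 'NR>1 && $1 ~ /^(ssh-|ecdsa-)/ { printf "\n" } { printf "%s", $0 } END { print "" }' \
        "$keys" > "$keys.tmp" && mv "$keys.tmp" "$keys"
    chmod 600 "$keys"   # the rewritten file needs its mode set again
}

H=$(make_broken_home)   # demo: audit the broken home, repair it, audit again
audit_ssh_home "$H" "$(id -u)" || { repair_home "$H" && audit_ssh_home "$H" "$(id -u)" && echo "clean"; }
rm -rf "$H"
```

                With StrictModes on (the default), the OWNER and WRITABLE findings are the reason the server skips authorized_keys and falls through to the password and keyboard-interactive prompts seen in post #3, which a batch job cannot answer.
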
                • #9
                  You are correct. I did not understand that you cannot give all rights to the files. Makes sense why. Makes no difference though on my system, because it is still not working. I changed the permissions per your suggestion, chmod 600, but I still get the "permission denied" message. I will keep looking for a short while, but now they are telling me that I cannot use a password-less process. So I assume that means I cannot use the SSH/SCP command, and I must use SFTP. I have read your "Scripting the OpenSSH, SFTP, and SCP Utilities" document, as well as many others, and if I am understanding them correctly, I would have to use the "expect" utility if I am required to provide my vendor a password. That is another hurdle that I have to face next.

                  Anyway, sorry for such a lengthy post.
                  Thanks Scott, as always, for your expert advice!

                  • #10
                    I found some interesting information here: http://www-01.ibm.com/support/docvie...d=nas8N1022289, that seems to indicate that I do not need to use expect scripting. It has examples of doing both SCP and SFTP in batch mode with password authentication. It looks like the password is stored in a file on the IFS. I am not sure if I should use SCP or SFTP.... Anyway, giving it a try...

                    • #11
                      No luck. It looks like the IBM examples are not really batch solutions. My program just hangs.... Does anyone really use SFTP from the IBM? I have read so many posts that seem to indicate that they do, but the issue of password seems to always be a DOES NOT WORK, unless you use expect. Is that true? Are id_rsa.pub keys necessary for both SCP and SFTP? And in order to get my vendors keys is it necessary for me to do this - ssh -T testuser@myvendor.com and accept the keys, or do they need to send them to me and I have to add them to known_hosts file? I have tried both, but something clearly is missing.

                      • #12
                        As far as I'm aware, if you are not going to be using keys to authenticate the sessions, then you just don't use them. If no keys are exchanged, sftp should ask for a user and password.
                        I'm not overly familiar with sftp in batch but I believe the -b <script name> should run the commands from the file. It would require the password to be entered in the file though which seems less secure to me but guess there's not much you can do about that. How are you trying to do this at the moment?

                        • tdavis commented:
                          I am not familiar with how to use passwords. In the past I have simply exchanged keys and everything worked. This new vendor is not very helpful. They have told me that I must use a password. I believe that the test account I am using might be locked out now maybe from my unsuccessful attempts. Not sure as they are somewhat unresponsive. I wanted to do my testing on my own system but I get permission denied when trying to connect to either another one of our systems or the same system. I tried the IBM method in the documents that I referenced, and those seem to hang up.

                      • #13
                        Originally posted by tdavis:
                        No luck. It looks like the IBM examples are not really batch solutions. My program just hangs....
                        I haven't tried the solutions that IBM suggests, but a quick Google notes that these are standard solutions that work on all platforms. I'm not sure when this was added to OpenSSH, but it sure sounds like it'd work.

                        Originally posted by tdavis:
                        Does anyone really use SFTP from the IBM? I have read so many posts that seem to indicate that they do, but the issue of password seems to always be a DOES NOT WORK, unless you use expect. Is that true?
                        The password works fine from a Unix type of terminal. It does not work from 5250. Not sure what was meant by "does anyone really use it" but, I've been using it for a long time now (10 years?) and it works fine for me. I use Expect for batch scripting since that was what worked back when I learned it. The SSH_ASKPASS stuff was added more recently, I'll have to try that some time (not now, though, as I'm too busy.)

                        Originally posted by tdavis:
                        Are id_rsa.pub keys necessary for both SCP and SFTP? And in order to get my vendors keys is it necessary for me to do this - ssh -T testuser@myvendor.com and accept the keys, or do they need to send them to me and I have to add them to known_hosts file? I have tried both, but something clearly is missing.
                        I thought you said the vendor requires a password instead of using digital keys?! id_rsa/id_rsa.pub are identities for use when logging in with digital keys. They're not used at all when using passwords.

                        As part of the initial setup, I always login with ssh and accept the server so that it is added to the known_hosts file. I have never tried manually adding anything to known_hosts, as such I'm not precisely sure what you'd add to it. Log in with ssh just once to add it to known_hosts, this never has to be done again unless they change the digital keys used on the server.

                        • #14
                          Originally posted by john.sev99:
                          As far as I'm aware, if you are not going to be using keys to authenticate the sessions, then you just don't use them. If no keys are exchanged, sftp should ask for a user and password.
                          It will only do so when called interactively using a Unix terminal. Not from 5250. Not from batch. The only other way to make it ask that I've used is using Expect, which makes it think it's coming from a Unix terminal.

                          Originally posted by john.sev99:
                          I'm not overly familiar with sftp in batch but I believe the -b <script name> should run the commands from the file. It would require the password to be entered in the file though which seems less secure to me but guess there's not much you can do about that. How are you trying to do this at the moment?
                          sftp's -b script does not allow you to provide a password in the script. You are confusing it with regular FTP.

                          • tdavis commented:
                            In the IBM example they mention a script called openssh_password_script.sh which I think contains a password. It follows the printf command in the script. The document says "printf -> Prints the password for the user account that the SCP server administrator provided to copy files". So far this does not seem to work for me.
