ibmi-brunch-learn
sFTP - The Nightmare Begins

  • #1

    Excuse my negative attitude. I was dreading this project and now that I can't put it off any longer I've immediately run into problems.

    I thought I'd found a really good simple tutorial here.

    So, I picked a user profile (tutorial doesn't say anything about what its authorities or characteristics should be). Let's call it MYPRF (since this is a security application I don't want to say the real name on-line). I didn't create a new one called SFTPUSER partly because I would have to then make a whole lot of decisions about how to set it up, partly because I haven't been given permission to create one, and partly because it seems like an obvious name to target if someone did wish to do harm later. A profile that is working now (for batch jobs) but not actually used (no one else knows the password) seemed like it would be OK.

    I called QP2TERM

    I created the /home/MYPRF folder

    Changed the permissions to 755

    Tried to create the key
    ssh-keygen -t dsa -N ""
    No user exists for uid 1051
    Checked with LS that the owner was indeed 1051 and not MYPRF.

    Tried to change the owner from 1051 to MYPRF:
    chown: MYPRF is an unknown username.
    No it's not. I double checked the spelling. Checked it again just now to avoid embarrassing myself here. It's the right name and the name I signed on and the name I created the folder as.

    Tried to delete the new folder so I could start from scratch and was told it wasn't empty, but then tried to LS the contents and nothing was shown. Catch-22

    So I'm stuck on the first page of the tutorial and can't even get started.

  • #2
    The reason the tutorial doesn't mention anything about the profile setup is it technically doesn't matter. The profile will need authority to whatever it is trying to transfer but does not require any special authorities apart from that. Once the keys have been set up, the profile should be changed so it is not signonable - I believe you can make the password *NONE so it can't be used to sign on with and change the initial program/menu to *NONE/*SIGNOFF and LMTCPB(*YES).
    To set up the keys, you need to log on with the profile and create the profile's home directory (/home/MYPRF). After that bit's done, you generate the keys from QP2TERM/QSH. I don't know what the difference is between CALL QP2TERM and STRQSH but haven't noticed any difference in their functioning.

    When you created the SFTP profile's directory, did you do it using the SFTP profile or your own? If you used your ID, the ownership of the directory will be incorrect and your SFTP profile probably won't have enough access. That may be the cause of the odd error.
    As to your attempted chown command, 1051 is the UID, it's not a profile name. Unix systems tend to display things using the UID rather than a nice friendly profile name. You can see the UID assigned to a profile from the DSPUSRPRF command.



    • #3
      Thanks for your reply.

      I did sign on as the user to be used to send the sFTP. I did the directory and key generation exactly as per the instructions I referenced above (from IBM no less).

      I tried chown because the new profile was the only one in /home who was not its own owner, viz:

      Code:
      > ls -l                                                     
        total 144                                                 
        drwxr-sr-x    2 1051     0              8192 Jun 17 16:24
        drwxr-sr-x    3 qsecofr  0              8192 Sep 30 2015  
        drwxrwsrwx    2 qwqadmin 0              8192 Sep 30 2015  
        drwxrwsrwx    3 tanyaw   0              8192 May 19 02:32
        drwxrwsrwx    2 integral 0              8192 Feb 13 2016  
        drwxrwsrwx    5 qdftown  0              8192 Feb 13 2016
      As you can see they all have "real" owners except my new one at top.



      • #4
        Originally posted by john.sev99:
        I don't know what the difference is between CALL QP2TERM and STRQSH but haven't noticed any difference in their functioning.
        As luck would have it, I stumbled across a very good answer to that question by our own Scott Klement, complete with a short history lesson. Read it here:

        STRQSH Vs CALL QP2TERM at IBM's Rational Cafe



        • #5
          What OS is the system on? I tried those steps and they worked fine.
          1. Created a user profile (no special authorities).
          2. Logged on with the new user profile.
          3. Started QSH/QP2TERM.
          4. Created the directory /home/<user profile>
          5. Did the CHMOD.
          6. Generated the keys.
          All went successfully.
          I can't explain the odd 1051 directory name, though.



          • #6
            Stop the presses!

            Turns out you can't use a name longer than 8 characters. Which my nominated usrprf was.



            • #7
              Yeah, I was going to say... based on the error message, it's probably that the profile is longer than 8 characters.

              you say that you "can't" use one longer than that, but... actually you can. It's just disabled by default.

              The reason for this is that AIX only supports 8 character userids, and therefore it's possible that code written explicitly for AIX would malfunction if you gave it a userid longer than 8 characters; after all, programs think they can trust the OS, so they might copy the whole userid without verifying its length, potentially resulting in a buffer overflow. But, this is really only true if you're using software that was written for AIX specifically.

              OpenSSH was not written for AIX originally, it was written for and tested on many flavors of Unix, including BSD, Linux, MacOS, etc, etc. Since most (if not all) of these environments allow longer userids (much longer than 10 characters, even, in some cases) this won't be a problem with OpenSSH. Therefore, if you are only using PASE for OpenSSH, you can safely turn off the 8 character limitation and make it work with your full 10 character profile names.

              To do that, you'd want to run the following command (you may have to sign off and back on again to pick up the change).
              Code:
              ADDENVVAR ENVVAR(PASE_USRGRP_LIMITED) VALUE('N') LEVEL(*SYS)
              That'll allow the full 10 character userids, the only caveat is if you use software designed explicitly for AIX that doesn't check the userid length (as explained above) you could run into problems. (IMHO, this would be poorly written software, and basically unheard of in the case of open source, since open source is almost always tested on Linux.)

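              The buffer-overflow reasoning in the post above, as an added C example (not code from the post, from OpenSSH or from PASE): a legacy-style routine that assumes AIX's 8-character userid and copies without checking, beside a bounded version that rejects a 10-character IBM i profile name instead of overflowing. The function names and the sample profile names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Legacy AIX assumption: a userid is at most 8 characters plus the NUL. */
#define AIX_USERID_MAX 8

/* Legacy-style copy that trusts the OS never to hand it more than 8
 * characters. With a 10-character IBM i profile name this writes two bytes
 * past the end of the 9-byte buffer: the overflow the post describes.
 * Kept for contrast only; nothing below calls it with an over-long name. */
void copy_userid_trusting(char dst[AIX_USERID_MAX + 1], const char *userid) {
    strcpy(dst, userid);   /* no length check at all */
}

/* Bounded replacement: copies only when the whole name plus terminator fits
 * in dst; returns 1 on success and 0 (dst left empty) otherwise, so an
 * over-long name is rejected rather than truncated or overflowed. */
int copy_userid_checked(char *dst, size_t dstlen, const char *userid) {
    size_t n = strlen(userid);
    if (dstlen == 0) return 0;
    if (n + 1 > dstlen) {
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, userid, n + 1);
    return 1;
}

/* Would this profile name be accepted by code built around the default
 * PASE setting (PASE_USRGRP_LIMITED unset or 'Y', the 8-character limit)?
 * Wraps copy_userid_checked with a correctly sized local buffer. */
int userid_accepted(const char *userid) {
    char buf[AIX_USERID_MAX + 1];
    return copy_userid_checked(buf, sizeof buf, userid);
}

int main(void) {
    /* Constructed sample names: an 8-character and a 10-character profile. */
    const char *names[] = { "SFTPUSER", "MYSFTPUSER" };
    for (size_t i = 0; i < 2; i++) {
        printf("%-10s (%zu chars): %s\n", names[i], strlen(names[i]),
               userid_accepted(names[i])
                   ? "fits the 8-character limit"
                   : "rejected; needs PASE_USRGRP_LIMITED=N");
    }
    return 0;
}
```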


              • WilliamTasker commented
                Thank you. That's very helpful. It'll allow me to use my first choice user profile.

                Definitely only using OpenSSH, so I'm sure I'll be OK.