


The first time you connect to an SSH server it asks you to validate their
host key (sftp is just a special use of an SSH server). This validates
that the server is who you think it is. Once you've accepted the key
fingerprint, it will be saved in /home/user/.ssh/known_hosts and you won't
get asked again.

The problem is that when using sftp from QSH/QP2TERM there is no way for
it to ask you to validate the key (since there's no TTY environment) and
so it doesn't even try and just says that it can't validate it ("Host key
verification failed").

You have a couple options to fix it:

- request the host key fingerprint from your partner and add it to
/home/user/.ssh/known_hosts manually. The fingerprint will look something
like:

example.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEApkxN82QhSqYFD... (this
string is usually really long)

You need to ensure that the file is in ASCII and uses Unix line endings
(LF, not CRLF).

- connect once with ssh instead of sftp and accept the fingerprint:

ssh -T example.com
The authenticity of host 'example.com (9.5.67.117)' can't be established.
ECDSA key fingerprint is
SHA256:5BYrcHeU+0QXkDqor8bfH+M7AbZz4a33ViCbE6G906M.
Are you sure you want to continue connecting (yes/no)?

Once you say yes, it will be stored in /home/user/.ssh/known_hosts. Note
that you don't actually have to succeed in connecting, just answer yes to
the prompt.

- use ssh-keyscan to automatically add the fingerprints to
/home/user/.ssh/known_hosts:

ssh-keyscan example.com >> /home/user/.ssh/known_hosts


Note that you should run these commands from QP2TERM. When run from QSH,
it will not be able to find the commands unless you add /QOpenSys/usr/bin
to the $PATH environment variable. Also, you could end up with EBCDIC data
in known_hosts if it doesn't already exist, which will cause ssh to fail.


Kevin Adler
Software Development - PASE, Open Source, IBM i Access ODBC
IBM Systems, Dept 47U
Phone: +1-507-253-5111
Email: kadler@xxxxxxxxxx
015-3 C117
3605 HWY 52 N
Rochester, MN 55901-1407
United States
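
An added example, not part of the original message: one way to check a host-key line received from the partner (or captured with ssh-keyscan) against a fingerprint the partner has confirmed separately, and to normalize it to ASCII with LF endings before appending it to known_hosts. The function names and the sample key are constructed for illustration; the sample is not a real host key.

```python
import base64
import hashlib
import struct


def fingerprint(b64_blob: str) -> str:
    """Fingerprint as ssh prints it: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def vetted_known_hosts_line(candidate: bytes, expected_fp: str) -> bytes:
    """Return a clean 'host keytype key' line (ASCII, LF) or raise ValueError."""
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("not ASCII; EBCDIC data would make ssh fail") from None
    fields = text.rstrip("\r\n").split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    host, keytype, blob = fields[:3]
    raw = base64.b64decode(blob, validate=True)
    # The blob starts with a length-prefixed key type that must match field 2.
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type field does not match key blob")
    if fingerprint(blob) != expected_fp:
        raise ValueError("fingerprint differs from the one the partner confirmed")
    return f"{host} {keytype} {blob}\n".encode("ascii")


def sample_line() -> str:
    """Constructed sample in the SSH wire layout; NOT a real host key."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return "example.com ssh-ed25519 " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    line = sample_line()
    fp = fingerprint(line.split()[2])  # stands in for the partner's value
    crlf_copy = (line + "\r\n").encode("ascii")  # as if saved on Windows
    print(fp)
    print(vetted_known_hosts_line(crlf_copy, fp))  # append these bytes to known_hosts
```
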



----- Original message -----
From: Jeff Crosby <jlcrosby@xxxxxxxxxxxxxxxx>
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
To: midrange-l@xxxxxxxxxxxx
Cc:
Subject: SFTP and .openssh files
Date: Wed, Nov 7, 2018 2:27 PM

All,

I started a couple of short threads over the past couple of months
regarding SFTP from our IBM i to a vendor of ours.

   They have finally given me some of the pertinent information (like the
   actual test and production sites). I have successfully sent a file to
   the test site via FileZilla. When I did it with FileZilla, a window
   popped up with a checkbox for me to accept some kind of key. I should
   have saved that window popup, but I did not. I have yet to receive the
   password for the production site.

   I ultimately want to do it from the IBM i. Earlier, Brad pointed me to
   this:

   [1]https://www.scottklement.com/presentations/Setting%20up%20and%20Scripting%20the%20OpenSSH,%20SFTP%20and%20SCP%20Utilities%20on%20IBM%20i.pdf
   The SFTP section was very helpful in that I now have a full script set
   up called via a CL with environment variables, etc, as Scott describes
   there. The issue is it does not connect to the test site and I get this:

Host key verification failed.
Connection closed
Press ENTER to end terminal session.

   Being totally ignorant here, I relayed this info to the vendor who
   replied with:

   "The prompt from FileZilla is to load the SSH key for the sFTP
   connection, which is required for port 22 (sFTP). The key resides on
   the *server* (emphasis mine) and can be pulled by anyone attempting to
   connect once the IP of the server is added to our firewall. For your
   IBM product, it may be necessary to actually "load" the key. I have
   attached the key in case that is true. We also use IBM and we can
   either manually load the keys when provided, or there is a way to pull
   off of a server during the sfTP configuration. Filezilla just defaults
   to prompt for the key when you indicate an sFTP connection (port 22)."

   (I do not know if their IBM is an IBM i or a mainframe. It usually
   takes 2+ days for them to reply to an email.)

They attached 2 .openssh files, one for the test site and one for the
production site.

Excuse my utter absolute ignorance on this, but what do I do with those
files? I am at the place where "I don't know what I don't know" if you
know what I mean.

Thank you.

--

Jeff Crosby
VP Information Systems
UniPro FoodService/Dilgard
P.O. Box 13369
Ft. Wayne, IN 46868-3369
260-422-7531
direct.dilgardfoods.com

The opinions expressed are my own and not necessarily the opinion of my
company. Unless I say so.




References

Visible links
1. https://www.scottklement.com/presentations/Setting%20up%20and%20Scripting%20the%20OpenSSH,%20SFTP%20and%20SCP%20Utilities%20on%20IBM%20i.pdf
2. https://lists.midrange.com/mailman/listinfo/midrange-l
3. https://archive.midrange.com/midrange-l
4. https://amazon.midrange.com/
