Re: Using ssh and scp from QShell and/or PASE?

Jack, this is wrong. We have specific code in the 5733-SC1 version of
OpenSSH to handle the QSH/QP2TERM case to read the password. You can see
it here:
[1]https://github.com/kadler/openssh-patches/blob/6.9-sc1/any/010_openbsd-compat-readpassphrase.c.patch#L35-L46

In fact we can see that it knows it's in a 5250 and didn't error out on
the password prompt, since it print out "readpassphrase: not a 5250 return
ENOTTY" .


Let's look at the relevant part of the log:

> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> debug1: read_passphrase: can't open /dev/tty: No such device or
address
> debug2: readpassphrase: turning 5250 echo off
> foo@xxxxxxxxxxx's password: debug2: readpassphrase: turning 5250 echo
previous
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue:
publickey,password,keyboard-interactive
> Permission denied, please try again.


So we detected we're in a 5250 and disabled echo, prompted for the
password, sent the password packet, and got a permission denied.

James, to me this would indicate that you either typed the password
incorrectly or tried to connect as the wrong user on the server. Anoterh
possibility is, if the remote system is an IBM i system *and* the user id
is > 8 characters long you won't be able to log in (via any authentication
method) unless you set PASE_USRGRP_LIMITED=N and restart the ssh server:
[2]http://www-01.ibm.com/support/docview.wss?uid=nas8N1011847


There is an eight-character limitation on the user profiles that can
access the IBM i through SSHD. The eight-character limitation is also
placed on any group profile that the user might be a member of. If any
of the other members in a group profile have more than eight characters
in their user name, access to the system will be denied. In order to get
around the eight-character limitation, you can either create system wide
environment variable:

ADDENVVAR ENVVAR(PASE_USRGRP_LIMITED) VALUE('N') LEVEL(*SYS)





PS. Jack, the problem for scp/sftp is that they fork an ssh job under the
covers and it's STDIN/STDOUT are connected through a pipe, not the
terminal, so it has no way to ask yes/no or the password when run without
a TTY enabled.




----- Original message -----
From: Jack Woehr <jwoehr@xxxxxxxxxxxxxxxxxxxxxxxx>
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Cc:
Subject: Re: Using ssh and scp from QShell and/or PASE?
Date: Thu, Nov 22, 2018 9:15 AM

James --

If you SSH from QSH terminal you have to have keys set up. SSH can't
deal
with the QSH terminal. That's what this is about:

> debug1: read_passphrase: can't open /dev/tty: No such device or
address
> > debug2: readpassphrase: turning 5250 echo off
>

So set up a key and add it to .ssh/authorized_keys on the target
account.
If you can't do that, ssh from PASE (logged in via SSH, not QP2TERM).

On Wed, Nov 21, 2018 at 11:17 AM Diego Kesselman
<diegokesselman@xxxxxxxxx>
wrote:

> Ohh!! Sorry!
>
> When using V6R1 you can use Perzl tool to install, more manual and
kind
> of "try this AIX-ported programs on IBM i", but most of that software
> works really well, and the repository is really big.
>
>
> El 21/11/18 a las 8:51, Jim Oberholtzer escribió:
> > Yes, that LPP goes back quite some time, I was referring to the open
> source stuff now delivered into /QOpenSys/pkgs.
> >
> > --
> > Jim Oberholtzer
> > Agile Technology Architects
> >
> > -----Original Message-----
> > From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxx> On Behalf Of
Diego
> Kesselman
> > Sent: Wednesday, November 21, 2018 8:28 AM
> > To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
> > Subject: Re: Using ssh and scp from QShell and/or PASE?
> >
> > You mea. 5733-SC1?
> > You can use even on V5R4
> >
> > El mié., 21 de nov. de 2018 07:59, Jim Oberholtzer <
> midrangel@xxxxxxxxxxxxxxxxx> escribió:
> >
> >> The code IBM has put together in the repository was compiled at
V7R2.
> >> That said, you can always try, there might parts in there that are
not
> >> depended on version. I'm guessing some of it might work.
> >>
> >>
> >> --
> >> Jim Oberholtzer
> >> Agile Technology Architects
> >>
> >> -----Original Message-----
> >> From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxx> On Behalf Of
James
> H.
> >> H.
> >> Lampert
> >> Sent: Tuesday, November 20, 2018 4:13 PM
> >> To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
> >> Subject: Re: Using ssh and scp from QShell and/or PASE?
> >>
> >> Just out of morbid curiosity:
> >>
> >> Can I get ssh and scp on our V6 box? I see it on a number of
customer
> >> boxes that are on V7.
> >>
> >>
> >> Oh, and Diego, you asked,
> >>> sorry, I don't get what you mean by V7
> >> The operating system, of course.
> >>
> >> --
> >> JHHL
> >> --
> >> This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
> >> list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
> >> unsubscribe, or change list options,
> >> visit: [3]https://lists.midrange.com/mailman/listinfo/midrange-l
> >> or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take
> >> a moment to review the archives at
> >> [4]https://archive.midrange.com/midrange-l.
> >>
> >> Please contact support@xxxxxxxxxxxx for any subscription related
> >> questions.
> >>
> >> Help support midrange.com by shopping at amazon.com with our
affiliate
> >> link:
> >> [5]https://amazon.midrange.com
> >>
> >> --
> >> This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
> >> list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
> >> unsubscribe, or change list options,
> >> visit: [6]https://lists.midrange.com/mailman/listinfo/midrange-l
> >> or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take
> >> a moment to review the archives at
> >> [7]https://archive.midrange.com/midrange-l.
> >>
> >> Please contact support@xxxxxxxxxxxx for any subscription related
> >> questions.
> >>
> >> Help support midrange.com by shopping at amazon.com with our
affiliate
> >> link: [8]https://amazon.midrange.com
> >>
> > --
> > This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
> list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
> unsubscribe, or change list options,
> > visit: [9]https://lists.midrange.com/mailman/listinfo/midrange-l
> > or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a
> moment to review the archives at
[10]https://archive.midrange.com/midrange-l.
> >
> > Please contact support@xxxxxxxxxxxx for any subscription related
> questions.
> >
> > Help support midrange.com by shopping at amazon.com with our
affiliate
> link: [11]https://amazon.midrange.com
> >
> --
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: [12]https://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at [13]https://archive.midrange.com/midrange-l.
>
> Please contact support@xxxxxxxxxxxx for any subscription related
> questions.
>
> Help support midrange.com by shopping at amazon.com with our affiliate
> link: [14]https://amazon.midrange.com
>

--
Absolute Performance, Inc.
12303 Airport Way, Suite 100
Broomfield, CO 80021

NON-DISCLOSURE NOTICE: This communication including any and all
attachments is for the intended recipient(s) only and may contain
confidential and privileged information. If you are not the intended
recipient of this communication, any disclosure, copying further
distribution or use of this communication is prohibited. If you
received
this communication in error, please contact the sender and
delete/destroy
all copies of this communication immediately.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: [15]https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at [16]https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: [17]https://amazon.midrange.com




References

Visible links
1. https://github.com/kadler/openssh-patches/blob/6.9-sc1/any/010_openbsd-compat-readpassphrase.c.patch#L35-L46
2. http://www-01.ibm.com/support/docview.wss?uid=nas8N1011847
3. https://lists.midrange.com/mailman/listinfo/midrange-l
4. https://archive.midrange.com/midrange-l
5. https://amazon.midrange.com/
6. https://lists.midrange.com/mailman/listinfo/midrange-l
7. https://archive.midrange.com/midrange-l
8. https://amazon.midrange.com/
9. https://lists.midrange.com/mailman/listinfo/midrange-l
10. https://archive.midrange.com/midrange-l
11. https://amazon.midrange.com/
12. https://lists.midrange.com/mailman/listinfo/midrange-l
13. https://archive.midrange.com/midrange-l
14. https://amazon.midrange.com/
15. https://lists.midrange.com/mailman/listinfo/midrange-l
16. https://archive.midrange.com/midrange-l
17. https://amazon.midrange.com/