If you are running ssh from 5250, it’s not going to be able to allocate a terminal because neither QSH nor QP2TERM emulates a valid Unix terminal well enough. Due to this, SFTP will not be able to prompt for your password, so you either need to use keys or mess with SSH_ASKPASS:
https://www.ibm.com/support/pages/batch-sftp-download-example-using-password-authentication
Note that in PASE (where SSH/SFTP run), user names are lowercased. If your IBM i user profile in lower case matches your remote user name, then you don’t need to do anything different. Otherwise, you can specify it with sftp <username>@<remotehost>.
SSH will automatically negotiate authentication methods. This depends on what authentication methods the server has enabled as well as what ones are enabled on the client. The server will provide a list of authentication methods that need to be performed (they can be combined, e.g. password and private key).
As an aside, if you’re trying to automate sftp (especially when using passwords), you probably want to use lftp instead:
https://github.com/lavv17/lftp
You can pass in the username and password via environment variable instead of only interactively and it supports a batch script file to execute. It’s much easier to work with than sftp for batch stuff. We make available lftp as part of our open source environment:
https://ibmi-oss-docs.readthedocs.io/en/latest/yum/README.html
From: OpenSource <opensource-bounces@xxxxxxxxxxxxxxxxxx> on behalf of Arnie Flangehead <arnie.flangehead@xxxxxxxxx>
Date: Tuesday, May 28, 2024 at 12:29 AM
To: IBMi Open Source Roundtable <opensource@xxxxxxxxxxxxxxxxxx>
Subject: [EXTERNAL] Re: [IBMiOSS] Understanding SSH Key Pairs
Thanks.
Even before moving into sFTP, I'm running into problems just getting in.
I've enabled logging and it seems to fail at allocating a terminal. One of
my tutorials is a Red Book that describes setting up two IBM i machines,
one as server and the other as client, and those instructions specify to
use the -T switch to prevent the use of a terminal, but I assumed that was
just within the IBM i universe, so to speak.
My communication is with a non-IBM i. I don't know what it is but let's
assume Unix. I'm getting off on the wrong foot I think because the other
party has given a user id and password, which I've explained is no good
because we (eventually) want unattended/scripted transfer of data, but I
thought - OK - let's just use the user/password to see if I can get in.
Enabling logging it seems that key exchange has all happened OK, but then
it chokes. If I don't give a user id it assumes my IBM user profile, which
I assume is no good at the other end, so here's the end of the log when I
attempt to use a user id:
debug1: Authentication succeeded (publickey).
Authenticated to (the_ip_address)
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
tcgetattr: Invalid argument
debug1: ssh_tty_make_modes: no fd or tio
Received disconnect from (the_ip_address) port 22:7:
Disconnected from (the_ip_address) port 22
$
btw, just out of interest both of the tutorials I've got show examples with
internet-style addresses, but that didn't work for me until I got the
actual numeric IP.
I'm not actually all that surprised it didn't work, because the keys would
be associated with my IBM user profile, not the user id they gave me,
right? So the provided user/password is only going to work if I don't use
keys - is that right? Now that I've got keys it always tries to load them,
even if I don't run ssh-add.
So, do I need to ask the server person to clear everything out and add new
credentials MATCHING MY IBM-i USER ID?
--
This is the IBMi Open Source Roundtable (OpenSource) mailing list
To post a message email: OpenSource@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/opensource
or email: OpenSource-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
https://archive.midrange.com/opensource .
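
Added example, not part of the original thread or of any IBM code: a small shell helper that reads an ssh -v log stage by stage (the log in the quoted message shows public-key authentication succeeding and the failure coming only at terminal setup) and prints a key-only, prompt-free sftp batch command with the remote user given explicitly. The function names, user, host and file paths are hypothetical placeholders; the ssh/sftp options used are standard OpenSSH ones.

```shell
#!/bin/sh
# Added example: function names, host, user and paths are hypothetical.

# Excerpt of the ssh -v log quoted in the thread, used as sample input.
SAMPLE_LOG='debug1: Authentication succeeded (publickey).
debug1: Entering interactive session.
tcgetattr: Invalid argument
debug1: ssh_tty_make_modes: no fd or tio'

# Classify an `ssh -v` log read from stdin by the stage that failed.
#   auth-failed     no method was accepted: check the key or account
#   auth-ok-no-tty  login worked but no terminal exists (5250/QSH/QP2TERM):
#                   use `ssh -T` or `sftp -b`, which need no terminal
#   ok              neither symptom found
diagnose_ssh_log() {
    log=$(cat)
    case $log in
        *"Authentication succeeded"*) auth=ok ;;
        *) auth=fail ;;
    esac
    case $log in
        *"tcgetattr: Invalid argument"*|*"no fd or tio"*) tty=missing ;;
        *) tty=ok ;;
    esac
    if [ "$auth" = fail ]; then echo "auth-failed"
    elif [ "$tty" = missing ]; then echo "auth-ok-no-tty"
    else echo "ok"
    fi
}

# The user name ssh/sftp sends from PASE when none is given on the command line.
default_remote_user() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z'
}

# Print an sftp command that never prompts (BatchMode=yes), offers only the
# named key (IdentitiesOnly=yes), and runs the commands listed in a batch file.
sftp_batch_cmd() {
    remote_user=$1 remote_host=$2 key_file=$3 batch_file=$4
    printf 'sftp -o BatchMode=yes -o IdentitiesOnly=yes -i %s -b %s %s@%s\n' \
        "$key_file" "$batch_file" "$remote_user" "$remote_host"
}

printf '%s\n' "$SAMPLE_LOG" | diagnose_ssh_log
sftp_batch_cmd partner 192.0.2.10 "$HOME/.ssh/id_ed25519" /tmp/get.batch
```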