
IBM iSeries integration help

Question asked by Marinos Roussos on Nov 6, 2017
Latest reply on Nov 7, 2017 by Anthony Caezza

RSA stopped supporting FTP connections with iSeries but failed to update their documentation with the steps for SFTP.

 

This is a document from IBM which describes some of the steps for the key exchange: http://www-01.ibm.com/support/docview.wss?uid=nas8N1012710

 

I have been making a couple of tests to understand what is going on.

 

sftp is the standard sftp user on the Collector

ISERIESFTP is the legacy FTP user on the Collector that was previously used for iSeries and has different permissions than sftp user.

 

The initial challenge was that iSeries does not support sftp client with password authentication. So the “sftp collector-ip” command for caching the keys would not work.

 

IBM suggests using the command below for the key caching:

 

ssh -T serveruid@somehost

 

These are the steps performed on iSeries side:

*****

ssh-keygen -t rsa -N ""                                                             

Generating public/private rsa key pair.                                              

Enter file in which to save the key (/home/CAFGSECADM/.ssh/id_rsa):                 

                                                                                     

Created directory '/home/CAFGSECADM/.ssh'.                                           

Your identification has been saved in /home/CAFGSECADM/.ssh/id_rsa.                 

Your public key has been saved in /home/CAFGSECADM/.ssh/id_rsa.pub.                 

The key fingerprint is:                                                              

2d:87:7c:55:45:1c:a4:53:0d:60:ea:76:40:b3:c9:3e cafgsecadm@blabla.123.co.uk  

 

*****

 

The key is in both of these directories on the target (VLC):

 

/home/upload/.ssh/authorized_keys

/upload/.ssh/authorized_keys

 

 

*****

 

ssh -t ISERIESFTP@10.160.x.x                                   

ISERIESFTP@10.160.x.x's password: tcgetattr: Invalid argument  

Last login: Thu Oct 19 15:29:42 2017 from 10.160.x.y            

[ISERIESFTP@Collector1 ~]$                                         

 

*****

 

 

ssh -T sftp@10.160.x.x                   

This service allows sftp connections only.  

 

 

*****

$

sftp sftp@10.160.x.x

Connected to 10.160.x.x ...

sftp>

 

 

So at this stage you can see that we are getting an sftp prompt on iSeries without being prompted for a password (which means that public-key authentication works).

 

Then we try to run the script again with user sftp, which we now know should work:

 

OpenSSH_6.6, OpenSSL 1.0.1p 9 Jul 2015

debug1: Reading configuration data /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-4.7p1/etc/ssh_config

debug1: Connecting to 10.160.x.x [10.160.x.x] port 22.

debug1: Connection established.

debug1: identity file /home/CAFGSECADM/.ssh/id_rsa type 1

debug1: identity file /home/CAFGSECADM/.ssh/id_rsa-cert type -1

debug1: identity file /home/CAFGSECADM/.ssh/id_dsa type -1

debug1: identity file /home/CAFGSECADM/.ssh/id_dsa-cert type -1

debug1: identity file /home/CAFGSECADM/.ssh/id_ecdsa type -1

debug1: identity file /home/CAFGSECADM/.ssh/id_ecdsa-cert type -1

debug1: identity file /home/CAFGSECADM/.ssh/id_ed25519 type -1

debug1: identity file /home/CAFGSECADM/.ssh/id_ed25519-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.6

debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3

debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-ctr hmac-sha1 none

debug1: kex: client->server aes128-ctr hmac-sha1 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Server host key: RSA 52:9a:14:f3:3a:05:eb:a3:3c:1d:10:fe:b6:13:a7:58

debug1: Host '10.160.x.x is known and matches the RSA host key.

debug1: Found key in /home/CAFGSECADM/.ssh/known_hosts:1

debug1: ssh_rsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /home/CAFGSECADM/.ssh/id_rsa

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

debug1: Trying private key: /home/CAFGSECADM/.ssh/id_dsa

debug1: Trying private key: /home/CAFGSECADM/.ssh/id_ecdsa

debug1: Trying private key: /home/CAFGSECADM/.ssh/id_ed25519

debug1: No more authentication methods to try.

Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Connection closed

 

I understand that the key is read and accepted but then fails to be used. What could be the reason? Could it be some 

 

 

Any help would be appreciated

Thanks

Marinos 
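
Added example (not part of the original post): a small Python parser for the authentication part of `ssh -v` client output such as the trace above. For each key the client offered, it reports whether the server replied with `Server accepts key` or returned straight to `Authentications that can continue`; the sample input is constructed from the trace in the post, and the function name `analyse` is an assumption of this example.

```python
import re

# Constructed sample: the authentication tail of the ssh -v trace in the post.
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/CAFGSECADM/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/CAFGSECADM/.ssh/id_dsa
debug1: Trying private key: /home/CAFGSECADM/.ssh/id_ecdsa
debug1: Trying private key: /home/CAFGSECADM/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
"""

# Matches both "Offering RSA public key: <path>" and "Offering public key: <path> ..."
OFFER = re.compile(r"debug1: Offering (?:\S+ )?public key: (\S+)")
TRY = re.compile(r"debug1: Trying private key: (\S+)")
SUCCESS = re.compile(r"debug1: Authentication succeeded \((\S+)\)")
ACCEPT = "debug1: Server accepts key"
CONTINUE = "debug1: Authentications that can continue:"


def analyse(log):
    """Summarise publickey authentication from OpenSSH client debug1 output."""
    result = {"offered": {}, "tried": [], "succeeded_with": None, "denied": False}
    pending = None  # key that was offered and is awaiting the server's answer
    for raw in log.splitlines():
        line = raw.strip()
        if m := OFFER.match(line):
            pending = m.group(1)
            result["offered"][pending] = "no reply seen"
        elif line.startswith(ACCEPT) and pending:
            result["offered"][pending] = "accepted by server"
            pending = None
        elif line.startswith(CONTINUE) and pending:
            # Server listed the remaining methods instead of accepting the key.
            result["offered"][pending] = "rejected by server"
            pending = None
        elif m := TRY.match(line):
            # Identity files the client tried to load directly (type -1 in the trace).
            result["tried"].append(m.group(1))
        elif m := SUCCESS.match(line):
            result["succeeded_with"] = m.group(1)
        elif line.startswith("Permission denied ("):
            result["denied"] = True
    return result
```

Calling `analyse(SAMPLE_LOG)` returns the per-key outcomes in `offered` and the overall result in `denied` and `succeeded_with`.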
