Re: Secured ftp from Unix to VMS cluster (372 Views)
Advisor
Chand Basha
Posts: 14
Registered: ‎12-14-2005
Message 1 of 20 (372 Views)

Secured ftp from Unix to VMS cluster

I am trying to set up secured ftp from Unix to a VMS cluster machine. As part of this I am running the command below to copy the public key file from Unix to the VMS cluster. But it is not copying the file, and every time it asks for the password.

scp file.pub "sftpuser@xxx.xxx.com"
Enter sftpuser password:
Permission denied, please try again.

Even though I am entering correct password it is not allowing me to copy this on VMS cluster.

Same thing I am able to do on development machine where I have single machine (without cluster).

I don't know what is the problem here.

Could anybody please help me find the problem?

I am able to login to VMS cluster sftpuser account using telnet.

Thanks,
Chand
Honored Contributor
Steven Schweda
Posts: 9,084
Registered: ‎02-23-2005
Message 2 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

Does "ssh" to the VMS host work? (Is this a
general authentication problem, or, perhaps,
a file permission problem?)

Does "scp -v" tell you anything?

Does adding a destination file name
("sftpuser@xxx.xxx.com:file.pub", or even
"sftpuser@xxx.xxx.com:") help?

Does "sftpuser" have permission to write this
(or any) file at the destination?
Advisor
Chand Basha
Posts: 14
Registered: ‎12-14-2005
Message 3 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

The correct command is
scp file.pub "sftpuser@xxx.xxx.com:ssh2/"

Sftpuser on VMS has the privilege to create the file.
Advisor
Chand Basha
Posts: 14
Registered: ‎12-14-2005
Message 4 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

scp -v command gives the following output
Executing: program /usr/bin/ssh host tyson1.tyson.com, user sftpuser, command s/
OpenSSH_3.8.1p1, OpenSSL 0.9.6m 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot.
0509-026 System error: A file or directory in the path name does not ex.

debug1: Error loading Kerberos, disabling Kerberos auth.
debug1: Connecting to tyson1.tyson.com [10.16.2.23] port 22.
debug1: Connection established.
debug1: identity file /home/sftpuser/.ssh/identity type 0
debug1: identity file /home/sftpuser/.ssh/id_rsa type -1
debug1: identity file /home/sftpuser/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version 3.2.0 F-SECURE SSt
debug1: no match: 3.2.0 F-SECURE SSH - Process Software MultiNet
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The DSA host key for tyson1.tyson.com has changed,
and the key for the according IP address 10.16.2.23
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/sftpuser/.ssh/known_hosts:5
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the DSA host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
8e:f6:52:56:08:56:2d:4c:60:9d:9f:af:94:1b:83:e4.
Please contact your system administrator.
Add correct host key in /home/sftpuser/.ssh/known_hosts to get rid of this mess.
Offending key in /home/sftpuser/.ssh/known_hosts:2
DSA host key for tyson1.tyson.com has changed and you have requested strict che.
Host key verification failed.
lost connection
Advisor
Chand Basha
Posts: 14
Registered: ‎12-14-2005
Message 5 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

I tried giving the hostname whose IP address is constant. But it is not allowing me to copy the file and is asking for the password again and again.

debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/sftpuser/.ssh/id_rsa
debug1: Offering public key: /home/sftpuser/.ssh/id_dsa
debug1: Authentications that can continue: password
debug1: Next authentication method: password
sftpuser@abcde1.xxx.com's password:
debug1: Authentications that can continue: password
Permission denied, please try again.
sftpuser@abcde1.xxx.com's password:
debug1: Authentications that can continue: password
Permission denied, please try again.
sftpuser@abcde1.xxx.com's password:

Honored Contributor
Steven Schweda
Posts: 9,084
Registered: ‎02-23-2005
Message 6 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

"Process Software MultiNet" is useful
information, anyway. I have HP's TCPIP, so
I can't say much about the MultiNet details.

All those complaints about bad and changed
keys ("scp -v") make it look as if this is
a general "s" authentication problem.

I'll try again. Does "ssh" to the VMS host
work?

I think that it was serious about this part:

Please contact your system administrator.
Add correct host key in /home/sftpuser/.ssh/known_hosts to get rid of this mess.
Honored Contributor
Richard Whalen
Posts: 341
Registered: ‎09-30-2005
Message 7 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

I think that the "answer" to the problem is contained in the text below:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The DSA host key for tyson1.tyson.com has changed,
and the key for the according IP address 10.16.2.23
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/sftpuser/.ssh/known_hosts:5
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the DSA host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
8e:f6:52:56:08:56:2d:4c:60:9d:9f:af:94:1b:83:e4.
Please contact your system administrator.
Add correct host key in /home/sftpuser/.ssh/known_hosts to get rid of this mess.
Offending key in /home/sftpuser/.ssh/known_hosts:2
DSA host key for tyson1.tyson.com has changed and you have requested strict che.
Host key verification failed.


Basically this is saying that the host key for the remote system is different than it was the last time, and the configuration on the client system is such that it will not allow a connection when it is different.
Advisor
Chand Basha
Posts: 14
Registered: ‎12-14-2005
Message 8 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

I know that the hostname which I was using gets changed and assigned to one of the VMS cluster machines. So I was getting the DNS spoofing message.

Later I tried to copy the file using the hostname of one of the VMS machines but got the same prompt to enter the password again and again.

For ssh hostname I am also getting the same prompt (Enter password) again and again. Though I am entering the correct password, it is not allowing me to log in.

Honored Contributor
Steven Schweda
Posts: 9,084
Registered: ‎02-23-2005
Message 9 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

Ok, if "ssh" fails just like "scp", then
it's a general "s" authorization problem.

The MultiNet software is trying to tell you
how to fix it:

The DSA host key for tyson1.tyson.com has changed, [...]

Add correct host key in /home/sftpuser/.ssh/known_hosts to get rid of this mess.
Offending key in /home/sftpuser/.ssh/known_hosts:2

I don't know enough to tell you what's wrong
there, but it might be simplest to delete
any lines in files (or whole files) related
to the host(s) with the problems.

It's possible that the "ssh" software will
then copy the new, correct host data over
automatically, the next time you try to
log in ("ssh"). In this case, having no
data is better than having wrong data. You
need to remove the wrong data (and get some
right data).
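The known_hosts repair discussed in this thread, as an added example that is not part of any post: it reads a saved "scp -v" transcript, and replaces the stale hostname entry only when the fingerprint the server presented equals one obtained out-of-band from the server's manager. The function names and the CONSTRUCTED key strings are assumptions; the transcript lines are copied from the output posted above.

```shell
#!/bin/sh
# Added example. Function names and key material are constructed; the
# transcript lines are copied from the scp -v output in the thread.

# Fingerprint the server presented (the line after "The fingerprint ... is").
presented_fingerprint() {
    sed -n '/^The fingerprint for the .* key sent by the remote host is$/{n;s/\.$//;p;}' "$1"
}

# Line number of the hostname entry that fails strict checking. The separate
# "Offending key for IP" line is ignored: the transcript says that key is unchanged.
stale_host_line() {
    sed -n 's/^Offending key in .*:\([0-9][0-9]*\)$/\1/p' "$1" | head -n 1
}

# Swap the stale entry for a verified one, but only if the fingerprint in the
# transcript equals the one obtained out-of-band from the server's manager.
# args: transcript known_hosts trusted_fingerprint verified_entry
replace_if_verified() {
    if [ "$(presented_fingerprint "$1")" != "$3" ]; then
        echo "fingerprint mismatch: leave known_hosts alone and escalate" >&2
        return 1
    fi
    n=$(stale_host_line "$1")
    [ -n "$n" ] || return 0          # nothing reported as stale
    cp "$2" "$2.bak" &&
        awk -v n="$n" -v e="$4" 'NR == n { print e; next } { print }' "$2.bak" > "$2"
}

# --- constructed demo data (written to a scratch directory) ---
work=$(mktemp -d)
cat > "$work/scp-v.log" <<'EOF'
The DSA host key for tyson1.tyson.com has changed,
and the key for the according IP address 10.16.2.23
is unchanged. This could either mean that
Offending key for IP in /home/sftpuser/.ssh/known_hosts:5
The fingerprint for the DSA key sent by the remote host is
8e:f6:52:56:08:56:2d:4c:60:9d:9f:af:94:1b:83:e4.
Offending key in /home/sftpuser/.ssh/known_hosts:2
Host key verification failed.
EOF
cat > "$work/known_hosts" <<'EOF'
hostA ssh-rsa CONSTRUCTED-KEY-A
tyson1.tyson.com ssh-dss CONSTRUCTED-OLD-KEY
hostB ssh-rsa CONSTRUCTED-KEY-B
hostC ssh-rsa CONSTRUCTED-KEY-C
10.16.2.23 ssh-dss CONSTRUCTED-NEW-KEY
EOF
```

With strict host key checking enabled, removing the stale line alone still leaves the host unknown, which is why the function writes the verified entry in its place and keeps a .bak copy.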
Honored Contributor
Richard Whalen
Posts: 341
Registered: ‎09-30-2005
Message 10 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

It's also possible that the server system has marked the username as an intruder.

Can you try a different username (after fixing the problem with the keys).
Advisor
Chand Basha
Posts: 14
Registered: ‎12-14-2005
Message 11 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

I tried with a different username also and the result is the same.

I tried to run the ssh command from VMS to the VMS cluster machine. Here also it is asking for the password again and again. Looks like there should be some setup we need to do for the VMS cluster machine.
Regular Advisor
Zeni B. Schleter
Posts: 108
Registered: ‎05-20-2003
Message 12 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

Make sure that the intrusion database is clear. Both old and new.
$ Show Intrusion
$ Show Intrusion/old

You may also need to check that the account that is your destination is still enabled.

This is not the source of your problem, but during my efforts trying to figure out the ways of SSH2, I have been caught by this secondary problem.

The configuration is controlled by MULTINET_ROOT:[MULTINET.SSH2]SSHD2_CONFIG.
If the IP name or number changed, a new host key may have to be created by the system manager. Seems like that was an obvious error, though.
Respected Contributor
Thomas Ritter
Posts: 414
Registered: ‎03-30-2005
Message 13 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

We do not allow direct FTP access to any of our VMS hosts. Our approach is to use a dedicated FTP server, in our case an ALPHA DS10. All the FTP usage is to this highly security configured DS10. The other VMS hosts use DECNET to access the VMS FTP server. So VMS to VMS is only DECNET. This is an approach that can be made very secure and is praised by auditors. Think about how each DECNET can make copy and find files easy for applications.

Honored Contributor
Steven Schweda
Posts: 9,084
Registered: ‎02-23-2005
Message 14 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

> Add correct host key in /home/sftpuser/.ssh/known_hosts to get rid of this mess.

> Can you try a different username
> (after fixing the problem with the keys).
============================================

Perhaps you should take the hint(s) and fix
the problem with the keys.
Advisor
Chand Basha
Posts: 14
Registered: ‎12-14-2005
Message 15 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

Added the correct host key and also tried with a different username, but the problem still exists.
Honored Contributor
Steven Schweda
Posts: 9,084
Registered: ‎02-23-2005
Message 16 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

If you're getting the same error messages
complaining about the host keys, then I think
that there may still be a problem with the host keys.

If you're getting any different error
messages, then you may wish to share them with
us.
Advisor
Chand Basha
Posts: 14
Registered: ‎12-14-2005
Message 17 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

I am not getting any error message.
It is prompting me to enter the password again and again.
Honored Contributor
Steven Schweda
Posts: 9,084
Registered: ‎02-23-2005
Message 18 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

> I am not getting any error message.

Remember this stuff?:

> scp -v command gives the following output
> [...]

I consider this to be an error message:

Add correct host key in /home/sftpuser/.ssh/known_hosts to get rid of this mess.
Offending key in /home/sftpuser/.ssh/known_hosts:2
DSA host key for tyson1.tyson.com has changed and you have requested strict che.
Host key verification failed.


What would you call it?
Advisor
Chand Basha
Posts: 14
Registered: ‎12-14-2005
Message 19 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

I ran the scp -v command with a different hostname. There is no error message. It is just asking for the password again and again.

Advisor
Chand Basha
Posts: 14
Registered: ‎12-14-2005
Message 20 of 20 (372 Views)

Re: Secured ftp from Unix to VMS cluster

Created new thread