Re: "FOTS1346 Permission denied, please try again"
- From: lsasso@xxxxxxx (Leonard Sasso)
- Date: 30 Nov 2010 14:40:04 -0800
Kirk:
We were successful using our Test Userid using SSH_ASKPASS along with the
"-b" option.
We have "BatchMode no" in our custom ssh_config file.
-vvv log contents:
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /u/home/lsasso/.ssh/PConfg
debug3: Seeding PRNG from /usr/lib/ssh/ssh-rand-helper
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to 216.115.171.196 [216.115.171.196] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /u/home/lsasso/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /u/home/lsasso/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /u/home/lsasso/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /u/home/lsasso/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version 6.0.3.9 SSH
Tectia Server
debug1: no match: 6.0.3.9 SSH Tectia Server
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,ae
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,ae
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit:
aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,seed-cbc@xxxxxxx,crypticore128@xxxxxxx
debug2: kex_parse_kexinit:
aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,seed-cbc@xxxxxxx,crypticore128@xxxxxxx
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,crypticore-mac@xxxxxxx
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,crypticore-mac@xxxxxxx
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 134/256
debug2: bits set: 518/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /u/home/lsasso/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '216.115.171.196' is known and matches the RSA host key.
debug1: Found key in /u/home/lsasso/.ssh/known_hosts:1
debug2: bits set: 513/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /u/home/lsasso/.ssh/id_rsa (19b40098)
debug2: key: /u/home/lsasso/.ssh/id_dsa (19b400f8)
debug1: Authentications that can continue:
gssapi-with-mic,password,publickey,keyboard-interactive
debug3: start over, passed a different list
gssapi-with-mic,password,publickey,keyboard-interactive
debug3: preferred password
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: packet_send2: adding 48 (len 68 padlen 12 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue:
gssapi-with-mic,password,publickey,keyboard-interactive
FOTS1346 Permission denied, please try again.
debug3: packet_send2: adding 48 (len 68 padlen 12 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue:
gssapi-with-mic,password,publickey,keyboard-interactive
FOTS1346 Permission denied, please try again.
debug3: packet_send2: adding 48 (len 68 padlen 12 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue:
gssapi-with-mic,publickey,keyboard-interactive
debug3: start over, passed a different list
gssapi-with-mic,publickey,keyboard-interactive
debug3: preferred password
debug1: No more authentication methods to try.
FOTS1373 Permission denied
(gssapi-with-mic,publickey,keyboard-interactive).
FOTS0841 Connection closed
Thank You.
Len Sasso
RDC Operations - Systems Administrator
CSC
Information Technology Infrastructure Services (ITIS)
| p: 518.257-4209 | m: 518.894-0879 | f: 518.257-4300 | lsasso@xxxxxxx |
www.csc.com
This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery.
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to
any order or other contract unless pursuant to explicit written agreement
or government initiative expressly permitting the use of e-mail for such
purpose.
From: Kirk Wolf <kirk@xxxxxxxxxxxx>
To: IBM-MAIN@xxxxxxxxxxx
Date: 11/30/2010 04:52 PM
Subject: Re: "FOTS1346 Permission denied, please try again"
Leonard,
Were you successful using your test userid using SSH_ASKPASS along with the
"-b" option?
If you have your askpass script write something to stderr, you may find that
it is not being called.
This is because the "-b file" switch enables "-oBatchMode=yes", which
disables SSH_ASKPASS.
But if you do have "BatchMode yes" in your custom ssh_config file, then it
could be something else. I would need to see the -vvv log to make any more
guesses :-)
Regards,
Kirk Wolf
Dovetailed Technologies
http://dovetail.com
PS> Here is some sample JCL that we include with (free) Co:Z SFTP that
solves this problem:
//RUNSFTP EXEC PGM=COZBATCH (BPXBATCH replacement)
//STDIN DD *
# Customize these ...
coz_bin="/opt/dovetail/coz/bin"
remoteuser="uid"
server="remote.host.name"
servercp="ISO8859-1"
remotefile="/path/to/file"
# These can be used to read the ssh password from a (secured) dataset
# if you don't want to setup public/private keypairs
export PASSWD_DSN='//COZUSER.PASSWD(SITE1)'
export SSH_ASKPASS=$coz_bin/read_passwd_dsn.sh
export DISPLAY=none
ssh_opts="-oBatchMode=no" # allows ssh to use SSH_ASKPASS program
ssh_opts="$ssh_opts -oConnectTimeout=60"
ssh_opts="$ssh_opts -oServerAliveInterval=60"
ssh_opts="$ssh_opts -oStrictHostKeyChecking=no" # accept initial host keys
# Invoke the Co:Z sftp client with an in-line batch of commands
# that downloads a remote file to a local DD.
# Note that "-oBatchMode=no" must be specified before "-b"
# since ssh opts are first-sticky
$coz_bin/cozsftp $ssh_opts -b- $remoteuser@$server <<EOB
lzopts mode=text,servercp=$servercp
get $remotefile //DD:DOWNLOAD
EOB
//DOWNLOAD DD DSN=&&DOWNLOAD,DISP=(NEW,DELETE),
// DCB=(...),SPACE=(...)
//
On Tue, Nov 30, 2010 at 3:32 PM, Leonard Sasso <lsasso@xxxxxxx> wrote:
Does the production RACF id have an OMVS segment? Yes
Does it have a HOME subdirectory? Yes
Is there a .ssh subdirectory in the $HOME for this user? Yes
Is the UNIX filemode for .ssh subdirectory set to 700 or 600? Set to 770
Are the files in the .ssh subdirectory all set to filemode 600? Set to 600 or 644 or 777
Is .ssh and all its files owned by the production RACF id? Yes
JCL:
//SASSCAQP JOB OPS,'SFTP TESTING',CLASS=1,MSGCLASS=X,USER=LSASSO,
// NOTIFY=LSASSO
/*JOBPARM S=TST1
//*
//SFTP EXEC PGM=BPXBATCH,REGION=0M,
// PARM=('sh sftp -vvv -F /u/home/lsasso/.ssh/config -b /u/home/lsasso/
// cmd.txt NYMedicaid534@xxxxxxxxxxxxxxxx')
//*
//STDOUT DD SYSOUT=*,LRECL=132,RECFM=F
//STDERR DD SYSOUT=*,LRECL=132,RECFM=F
//STDENV DD *
DISPLAY=FOO
SSH_ASKPASS=/u/home/lsasso/askpass.sh
//*
Thank You.
Len Sasso
From: "McKown, John" <John.McKown@xxxxxxxxxxxxxxxxx>
To: IBM-MAIN@xxxxxxxxxxx
Date: 11/30/2010 04:13 PM
Subject: Re: "FOTS1346 Permission denied, please try again"
It might be easier to see if you'd post the JCL and SYSIN type input for
the failing step. Does the production RACF id have an OMVS segment? Does
it have a HOME subdirectory? Is there a .ssh subdirectory in the $HOME for
this user? Is the UNIX filemode for .ssh subdirectory set to 700 or 600?
Are the files in the .ssh subdirectory all set to filemode 600? Is .ssh
and all its files owned by the production RACF id? Just some questions.
--
John McKown
Systems Engineer IV
IT
Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone *
john.mckown@xxxxxxxxxxxxxxxxx * www.HealthMarkets.com
Confidentiality Notice: This e-mail message may contain confidential or
proprietary information. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message. HealthMarkets(r) is the brand name for products underwritten and
issued by the insurance subsidiaries of HealthMarkets, Inc. - The
Chesapeake Life Insurance Company(r), Mid-West National Life Insurance
Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM
-----Original Message-----
From: IBM Mainframe Discussion List
[mailto:IBM-MAIN@xxxxxxxxxxx] On Behalf Of Leonard Sasso
Sent: Tuesday, November 30, 2010 2:59 PM
To: IBM-MAIN@xxxxxxxxxxx
Subject: "FOTS1346 Permission denied, please try again"
Our Mainframe Batch job is successful using a Test Userid and Password to
SSH to a remote host using password authentication (via askpass). When we
try the same job with the Production Userid and Password, we receive the
following error: "FOTS1346 Permission denied, please try again". This
causes user authentication to fail. The SSH client then eventually fails
with the error: "FOTS1373 Permission denied
(publickey,password,keyboard-interactive)".
Per the IBM Ported Tools for z/OS User's Guide (page 111 - # 22):
"Verify that you are not trying to use ssh while switched to another user
ID. In other words, did you issue ssh after the su command? The original
controlling terminal (displayed by the tty command) is owned by the user
ID originally logged in. Your target user may not have permission to read
from it."
We are not issuing the "su" command (what is the "su" command)?
Any help would be appreciated.
Thank You.
Len Sasso
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
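
An added example, not code from any poster in this thread: a small shell filter over "ssh -vvv" client output that separates the two failure modes discussed above, the password never being sent (the BatchMode case, where SSH_ASKPASS is not used) versus the password being sent and refused by the server. The function name, the verdict strings and both sample logs are constructed for illustration, and the classification is a heuristic based on the debug lines visible in the posted log.

```shell
#!/bin/sh
# Added example, not code from the thread. Verdict strings are this example's own.
# Reads an "ssh -vvv" client log on stdin (or from file arguments), prints a verdict.
diagnose_ssh_log() {
    awk '
        /we sent a password packet/             { sent++ }
        /No more authentication methods to try/ { exhausted = 1 }
        /Authentication succeeded/              { ok = 1 }
        # The method list is on the same line, or wrapped onto the next one.
        /Authentications that can continue:/ {
            list = $0
            sub(/.*continue:/, "", list)
            gsub(/[ \t\r]/, "", list)
            if (list == "" && (getline list) > 0) gsub(/[ \t\r]/, "", list)
            last = list
        }
        END {
            offered = (("," last ",") ~ /,password,/)
            if (ok)                         print "authenticated"
            else if (sent == 0)             print "password-never-sent"
            else if (exhausted && !offered) print "password-rejected attempts=" sent
            else                            print "inconclusive"
        }
    ' "$@"
}

# Constructed log, shaped like the one in the thread: the client sends the
# password, the server rejects it, and "password" leaves the method list.
sample_rejected() {
    cat <<'EOF'
debug1: Authentications that can continue:
gssapi-with-mic,password,publickey,keyboard-interactive
debug1: Next authentication method: password
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue:
gssapi-with-mic,publickey,keyboard-interactive
debug1: No more authentication methods to try.
EOF
}

# Constructed log for the BatchMode case: password is offered but never tried.
sample_batchmode() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: No more authentication methods to try.
EOF
}

sample_rejected  | diagnose_ssh_log   # password-rejected attempts=1
sample_batchmode | diagnose_ssh_log   # password-never-sent
```

A "password-never-sent" verdict points at the client side (BatchMode, askpass not invoked); a "password-rejected" verdict means the credential reached the server and was refused there.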