AS/400 issues trying to use Expect / TCL to connect via SFTP with a password from IBM iseries i/5 with QSH -oPort, etc.

Hello all,
    I am having issues getting connected to an SFTP server using our AS/400, I keep getting the error of :

Permission denied, please try again.                        
Permission denied, please try again.                        
Permission denied (publickey,password,keyboard-interactive).
Connection closed                                            

I tried installing Expect / TCL, following this guide . I installed our private key using ssh-add in my ~/user/.ssh directory, which said it was successful. I am told they were installed properly on the receiving end and added to authorized_keys.

I am not sure if I am missing something though. My connection string looks as follows.

sftp -oPort=10022, I also tried sftp -oPort=10022

I then tried to make a script similar to examples that I saw that look like the following  which I found the example script here :,%20SFTP%20and%20SCP%20Utilities%20on%20IBM%20i.pdf

#!/usr/local/bin/expect -f
set timeout 20
spawn sftp
# Answer the host-key and password prompts; exit 2 on timeout or EOF
expect {
default {exit 2}
"continue connecting (yes/no)?" {send "yes\n"; exp_continue}
"assword:" {send "$env(PASSWORD)\n"; exp_continue}
}

This gives the error of :

./ 001-0019 Error found searching for command spawn. No such path or directory.           
./ 001-0019 Error found searching for command expect. No such path or directory.          
./ 001-0019 Error found searching for command default. No such path or directory.         
./ 001-0014 Command continue connecting (yes/no)? not found.                              
./ 001-0019 Error found searching for command exp_continue}. No such path or directory.   
./ 001-0019 Error found searching for command assword:. No such path or directory.        
./ 001-0019 Error found searching for command exp_continue}. No such path or directory.   
./ 001-0019 Error found searching for command sftp>. No such path or directory.           
./ 001-0050 Syntax error on line 9: token "}" not expected.                               

Did I do something wrong with Expect, or do I have to do something specific to actually start the application? If anyone has some insight, I would greatly appreciate it.
MostHatedIT Manager Asked:
From the error messages, it seems you have an issue with the expect installation or env. variables, etc.

Try to uninstall and install expect again.

You may also try using autoexpect to create the script and see if it works. The link below is an example of how to use autoexpect:
MostHatedIT Manager (Author) Commented:
It could be that I may just have not properly installed or started Expect tool. I extracted it, it is located in /usr/bin/local. Am I missing something to actually fire it up aside from calling it in the beginning line of a script? It looks like the Expect Tool is just not working properly for some reason? If I go to its location and just try to ./expect, I get Syntax error on line 1: token ")" not expected.
Gary Patterson, VP Technology / Senior Consultant Commented:
sftp automation is intended to be implemented using public key authentication.   This should be your goal, and you should push back on trading partners that want to use password authentication since it is less secure.

Looks like from the error message, the remote server is configured for publickey (and password, and keyboard interactive) and is failing all three.

Talk to the remote system administrator and ask if you can use publickey.  If you can, then you don't need Expect, and you don't have to hardcode a password in a login script.  You just generate a public key / private key pair on your system, send the public key to the remote system admin, who will install it, and then pull down his private key and put it in your known hosts file.

Process is pretty simple, and IBM outlines it in detail here:

If publickey isn't an alternative, then if you want to automate login, you'll need to use keyboard-interactive, and that requires Expect.  We can talk about that more if publickey isn't an option.
Gary Patterson, VP Technology / Senior Consultant Commented:
Privatekey is easy once you've set it up, and never requires a password, since you have a private/public keypair that can be used to verify your identity.

You really only need Expect if you have to simulate entering a manual password.

Since you are exchanging keys with your trading partner, Expect is completely unnecessary, so focus on getting privatekey to work.

If after following the instructions in the IBM article I provided above you still have trouble, then use the -vvv option on the sftp command to generate verbose debugging output and post it here after going through it carefully and hiding any confidential information like IP addresses and user names.
MostHatedIT Manager (Author) Commented:
I appreciate the replies. I definitely am hoping they will  do the key pair setup, I already did those steps and sent the public key to them last week (It is a large international EDI Van provider) but have not heard back yet if they are willing to install the key for me and let me use it, which is why I have been trying to go the Expect route. I am not sure if they are willing to change their typical process / setup that they use just for us.
Gary Patterson, VP Technology / Senior Consultant Commented:
Who is the VAN?  I can probably tell you if they support public key.  Their support people really shouldn't have to make an exception - it should be the standard way these are set up.

- Gary
MostHatedIT Manager (Author) Commented:
It is SPS Commerce. They had just sent us the Username, Password, and connection URL with a port number.
MostHatedIT Manager (Author) Commented:
I think I see what may be part of the issue, I tried to ./configure in the expect folder and it said the below. Though I had downloaded a precompiled one before, but it was only version 5.43, and not 5.45.

 checking for correct TEA configuration... ok (TEA 3.9)               
 configure: configuring expect 5.45                                   
 checking for Tcl configuration... found /usr/local/lib/  
 checking for existence of /usr/local/lib/ loading     
 configure: --prefix defaulting to TCL_PREFIX /usr/local              
 configure: --exec-prefix defaulting to TCL_EXEC_PREFIX /usr/local    
 checking for gcc... no                                               
 checking for cc... no                                                
 checking for cc... no                                                
 checking for cl... no                                                
 configure: error: no acceptable C compiler found in $PATH            
 See `config.log' for more details.                                   

Gary Patterson, VP Technology / Senior Consultant Commented:
Yes, from above, it is clear that Expect isn't properly installed.  If they just gave you user id password and URL, then you'll probably need to go the Expect route.  Suggested route:

1) Get Expect installed properly.
2) Verify that you can log on interactively from PASE:

Start the ssh server on your IBM i (STRTCPSVR *sshd) if it isn't already running
Use Putty or your favorite terminal tool to log onto your IBM i using ssh.
This will drop you right into PASE.
Enter the command: sftp -oPort=10022
You should be prompted for password.  Enter it and verify that you can connect using the supplied password.  If you can't connect, contact your vendor to make sure the ID hasn't been disabled or to request a password reset.  Again use the -vvv option to collect a log and post it if you continue to have problems.  No point fooling with Expect until you know you can log in.

3) Once you can log on manually, then proceed with Scott's login script, bearing in mind that prompts can vary a bit from server to server, and you may need to tweak the script a bit.

Logging in from call qp2term (PASE) or qsh can be tricky, since ssh doesn't always recognize a 5250 session as "interactive", so it can choke on keyboard interactive authentication method and not even offer it.

Use the ssh workaround I explained above to connect to the IBM i via Putty and get a much better interactive session than what you get in the tn5250 environment.

- Gary
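
The two requests above for `-vvv` output, as an added example that is not part of the original thread: shell functions that report which authentication methods the server offered and which the client actually attempted, and that mask IP addresses and a user name before the log is posted. The function names, the `ediuser` account and the 203.0.113.10 address are constructed for illustration; the sample `debug1:` lines follow the form the OpenSSH client prints.

```shell
#!/bin/sh
# Added example (not from the thread). Capture a real log with, for instance:
#   sftp -vvv -oPort=10022 USER@HOST 2> sftp_debug.log     (USER/HOST are placeholders)

# Constructed sample of client debug output; user, address and paths are made up.
sample_log() {
cat <<'EOF'
debug1: Connecting to 203.0.113.10 [203.0.113.10] port 10022.
debug1: Authenticating to 203.0.113.10:10022 as 'ediuser'
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/ediuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
Permission denied, please try again.
Permission denied (publickey,password,keyboard-interactive).
EOF
}

# Read a -vvv log on stdin; report offered, tried and never-attempted methods.
auth_summary() {
    awk '
        /Authentications that can continue:/ { sub(/.*continue: */, ""); offered = $0 }
        /Next authentication method:/ { sub(/.*method: */, ""); tried = tried (tried ? "," : "") $0 }
        /Authentication succeeded/ { ok = 1 }
        END {
            n = split(offered, m, ",")
            for (i = 1; i <= n; i++)
                if (index("," tried ",", "," m[i] ",") == 0)
                    skipped = skipped (skipped ? "," : "") m[i]
            printf "offered=%s\ntried=%s\nskipped=%s\nresult=%s\n", offered, tried, skipped, (ok ? "success" : "denied")
        }'
}

# Read a log on stdin; mask IPv4 addresses and the given user name before posting.
# Assumes the user name is plain alphanumerics (it is used as a sed pattern).
redact_log() {
    sed -E -e 's/([0-9]{1,3}\.){3}[0-9]{1,3}/<ip>/g' -e "s/$1/<user>/g"
}

sample_log | auth_summary
sample_log | redact_log ediuser
```

A method that appears under `skipped` while the server still offers it, such as `keyboard-interactive` in the constructed sample, is the case to compare against the 5250-session behaviour described above.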

MostHatedIT Manager (Author) Commented:
I have been using that connection string to try and connect, that was what was giving the originally posted error.

Though I have been connecting into the as400 using the i navigators emulation terminal and then typing in QSH to get to a command line once logged in to our VAI application. I will give what you mentioned a go.

** Edit -- What you just mentioned to do worked, I was able to login and I get an sftp>  prompt now.

Edit again. I am getting closer, but putty keeps closing once it tries to connect with the sftp string and then get to the expect { } parts too fast for me to see what it says, is there a way to force it to stay opened?

** Edit once more lol. While I was working on getting the script working, they added my public key for me, so now everything is working great using just the keypairs. : D I appreciate all the help, the knowledge will still come in handy down the road I am sure, and I am sure this will help out some fellas down the line. Enabling SSH and doing it from putty seems to have been the majority of the issue.
Gary Patterson, VP Technology / Senior Consultant Commented:
Lol.  Happy you got something working!