Solved

AS/400 issues trying to use Expect / TCL to connect via SFTP with a password from IBM iseries i/5 with QSH -oPort, etc.

Posted on 2016-10-03
11
67 Views
Last Modified: 2016-10-07
Hello all,
    I am having issues getting connected to an SFTP server using our AS/400, I keep getting the error of :

Permission denied, please try again.                        
Permission denied, please try again.                        
Permission denied (publickey,password,keyboard-interactive).
Connection closed                                            

I tried installing Expect / TCL, following this guide http://www.scottklement.com/expect/ . I installed our private key using ssh-add in my ~/user/.ssh directory, which said it was successful. I am told they were installed properly on the receiving end and added to authorized_keys.

I am not sure if I am missing something though. My connection string looks as follows.

sftp -oPort=10022 username@sftp.domain.com, I also tried sftp -oPort=10022 username:password@sftp.domain.com

I then tried to make a script similar to examples that I saw that look like the following  which I found the example script here :

http://www.scottklement.com/presentations/Setting%20up%20and%20Scripting%20the%20OpenSSH,%20SFTP%20and%20SCP%20Utilities%20on%20IBM%20i.pdf

#!/usr/local/bin/expect -f
set timeout 20
spawn sftp username@sftp.domain.com
expect {
    default {exit 2}
    # first-time host key prompt
    "continue connecting (yes/no)?" {send "yes\n"; exp_continue}
    # password is read from the environment, not stored in the script
    "assword:" {send "$env(PASSWORD)\n"; exp_continue}
    "sftp>"
}



This gives the error of :

$                                                                                                    
./connect.sh                                                                                         
./connect.sh: 001-0019 Error found searching for command spawn. No such path or directory.           
./connect.sh: 001-0019 Error found searching for command expect. No such path or directory.          
./connect.sh: 001-0019 Error found searching for command default. No such path or directory.         
./connect.sh: 001-0014 Command continue connecting (yes/no)? not found.                              
./connect.sh: 001-0019 Error found searching for command exp_continue}. No such path or directory.   
./connect.sh: 001-0019 Error found searching for command assword:. No such path or directory.        
./connect.sh: 001-0019 Error found searching for command exp_continue}. No such path or directory.   
./connect.sh: 001-0019 Error found searching for command sftp>. No such path or directory.           
./connect.sh: 001-0050 Syntax error on line 9: token "}" not expected.                               



Did I do something wrong with Expect, or do I have to do something specific to actually start the application? If anyone has some insight, I would greatly appreciate it.
0
Question by:MostHated
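The qsh messages in the question ("Error found searching for command spawn", "Syntax error on line 9") are what a shell prints when it parses an Expect script itself, which happens when the interpreter on the "#!" line cannot be found. The launcher below is an added example, not code from the thread or from Scott Klement's guide: it reads the interpreter path from the script's first line, refuses to run when that path is missing or not executable, and confirms the password really is coming from the PASSWORD environment variable that the posted script reads. Paths and the PASSWORD name are taken from the question; everything else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): run an Expect script only when its
# "#!" interpreter exists, so a shell never parses Expect commands itself.

# Print the interpreter path from a script's first line, e.g.
# "#!/usr/local/bin/expect -f" -> "/usr/local/bin/expect".
# Prints nothing when the file has no "#!" line.
interpreter_of() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Return 0 when the script's interpreter exists and is executable, 1 otherwise.
check_interpreter() {
    interp=$(interpreter_of "$1")
    if [ -z "$interp" ]; then
        echo "no #! line in $1: a shell would parse it as shell commands" >&2
        return 1
    fi
    if [ ! -x "$interp" ]; then
        echo "interpreter $interp not found or not executable; install it or fix the #! line" >&2
        return 1
    fi
    return 0
}

# Return 0 when PASSWORD is set in the environment (the posted script reads
# $env(PASSWORD)), 1 when it is unset, so the password never lands in the file.
check_password_env() {
    [ -n "${PASSWORD:-}" ]
}

# Run the Expect script only after both checks pass.
run_expect_script() {
    check_interpreter "$1" || return 1
    check_password_env || { echo "export PASSWORD before running $1" >&2; return 1; }
    interp=$(interpreter_of "$1")
    exec "$interp" -f "$1"
}

# Usage: ./launch.sh connect.exp   (hypothetical file name)
if [ $# -eq 1 ]; then
    run_expect_script "$1"
fi
```

Run it from PASE (call qp2term or an ssh session) rather than QSH, as the accepted answer recommends. Supplying the password through the environment keeps it out of the script file, but it is still a password sitting on the job; the key-based login the experts steer towards removes it entirely.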
11 Comments
 
LVL 40

Assisted Solution

by:omarfarid
omarfarid earned 250 total points
ID: 41826542
From error messages, it seems you have issue with expect installation or env. variables, etc.

try to uninstall and install expect again.

You may also try using autoexpect to create script and see if it works. Below link is example of how to use autoexpect:

http://expect.sourceforge.net/example/autoexpect.man.html
0
 
LVL 1

Author Comment

by:MostHated
ID: 41826649
It could be that I may just have not properly installed or started Expect tool. I extracted it, it is located in /usr/bin/local. Am I missing something to actually fire it up aside from calling it in the beginning line of a script? It looks like the Expect Tool is just not working properly for some reason? If I go to its location and just try to ./expect, I get Syntax error on line 1: token ")" not expected.
0
 
LVL 34

Assisted Solution

by:Gary Patterson
Gary Patterson earned 250 total points
ID: 41826726
sftp automation is intended to be implemented using public key authentication.   This should be your goal, and you should push back on trading partners that want to use password authentication since it is less secure.

Looks like from the error message, the remote server is configured for publickey (and password, and keyboard interactive) and is failing all three.

Talk to the remote system administrator and ask if you can use publickey.  If you can, then you don't need Expect, and you don't have to hardcode a password in a login script.  You just generate a public key / private key pair on your system, send the public key to the remote system admin, who will install it, and then pull down his private key and put it in your known hosts file.

Process is pretty simple, and IBM outlines it in detail here:

http://www-01.ibm.com/support/docview.wss?uid=nas8N1012710

If publickey isn't an alternative, then if you want to automate login, you'll need to use keyboard-interactive, and that requires Expect.  We can talk about that more if publickey isn't an option.
0
 
LVL 34

Assisted Solution

by:Gary Patterson
Gary Patterson earned 250 total points
ID: 41826737
Privatekey is easy once you've set it up, and never requires a password, since you have a private/public keypair that can be used to verify your identity.

You really only need Expect if you have to simulate entering a manual password.

Since you are exchanging keys with your trading partner, Expect is completely unnecessary, so focus on getting privatekey to work.

If after following the instructions in the IBM article I provided above you still have trouble, then use the -vvv option on the sftp command to generate verbose debugging output and post it here after going through it carefully and hiding any confidential information like IP addresses and user names.
0
 
LVL 1

Author Comment

by:MostHated
ID: 41826748
I appreciate the replies. I definitely am hoping they will do the key pair setup, I already did those steps and sent the public key to them last week (It is a large international EDI VAN provider) but have not heard back yet if they are willing to install the key for me and let me use it, which is why I have been trying to go the Expect route. I am not sure if they are willing to change their typical process / setup that they use just for us.
0
 
LVL 34

Assisted Solution

by:Gary Patterson
Gary Patterson earned 250 total points
ID: 41826762
Who is the VAN?  I can probably tell you if they support public key.  Their support people really shouldn't have to make an exception - it should be the standard way these are set up.

- Gary
0
 
LVL 1

Author Comment

by:MostHated
ID: 41826764
It is SPS Commerce. They had just sent us the Username, Password, and connection URL with a port number.
0
 
LVL 1

Author Comment

by:MostHated
ID: 41826774
I think I see what may be part of the issue, I tried to ./configure in the expect folder and it said the below. Though I had downloaded a precompiled one before, but it was only version 5.43, and not 5.45.

 ./configure                                                          
 checking for correct TEA configuration... ok (TEA 3.9)               
 configure: configuring expect 5.45                                   
 checking for Tcl configuration... found /usr/local/lib/tclConfig.sh  
 checking for existence of /usr/local/lib/tclConfig.sh... loading     
 configure: --prefix defaulting to TCL_PREFIX /usr/local              
 configure: --exec-prefix defaulting to TCL_EXEC_PREFIX /usr/local    
 checking for gcc... no                                               
 checking for cc... no                                                
 checking for cc... no                                                
 checking for cl... no                                                
 configure: error: no acceptable C compiler found in $PATH            
 See `config.log' for more details.                                   
 $                                                                    


0
 
LVL 34

Accepted Solution

by:Gary Patterson
Gary Patterson earned 250 total points
ID: 41826793
Yes, from above, it is clear that Expect isn't properly installed.  If they just gave you user id password and URL, then you'll probably need to go the Expect route.  Suggested route:

1) Get Expect installed properly.
2) Verify that you can log on interactively from PASE:

Start the ssh server on your IBM i (STRTCPSVR *sshd) if it isn't already running
Use Putty or your favorite terminal tool to log onto your IBM i using ssh.
This will drop you right into PASE.
Enter the command: sftp -oPort=10022 username@sftp.domain.com
You should be prompted for password.  Enter it and verify that you can connect using the supplied password.  If you can't connect, contact your vendor to make sure the ID hasn't been disabled or to request a password reset.  Again use the -vvv option to collect a log and post it if you continue to have problems.  No point fooling with Expect until you know you can log in.

3) Once you can log on manually, then proceed with Scott's login script, bearing in mind that prompts can vary a bit from server to server, and you may need to tweak the script a bit.

Logging in from call qp2term (PASE) or qsh can be tricky, since ssh doesn't always recognize a 5250 session as "interactive", so it can choke on keyboard interactive authentication method and not even offer it.

Use the ssh workaround I explained above to connect to the IBM i via Putty and get a much better interactive session than what you get in the tn5250 environment.

- Gary
0
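Gary's earlier answer (use publickey, no password in a login script, check with -vvv) and the accepted answer's steps both end at the same place the thread eventually reached: a key-based sftp job that needs no Expect. The script below is an added example, not code from the thread or from IBM's article. It assumes a private key generated with ssh-keygen whose public half the partner has added to authorized_keys, the partner's host key already present in a known_hosts file, and the host, port and user placeholders from the question; the file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive, key-based sftp upload
# with no password and no Expect. BatchMode makes sftp fail instead of
# prompting, so a key or host-key problem becomes a logged error, not a hung job.

SFTP_HOST=${SFTP_HOST:-sftp.domain.com}        # placeholder host from the question
SFTP_PORT=${SFTP_PORT:-10022}
SFTP_USER=${SFTP_USER:-username}
KEY_FILE=${KEY_FILE:-$HOME/.ssh/id_rsa}         # assumption: the key loaded with ssh-add
KNOWN_HOSTS=${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}

# OpenSSH refuses a private key that group or others can read; fail early
# with a clear message. Return 0 if "$1" exists with no group/other bits set.
key_perms_ok() {
    [ -f "$1" ] || { echo "missing key $1" >&2; return 1; }
    mode=$(ls -l "$1" | cut -c5-10)    # group+other part of "-rw-------"
    [ "$mode" = "------" ] || { echo "$1 permissions are $mode; chmod 600 it" >&2; return 1; }
}

# Write the sftp command batch to "$1": put LOCALFILE ("$2") into REMOTEDIR
# ("$3"), then list the directory so the log shows the result.
write_batch() {
    cat > "$1" <<EOF
put $2 $3
ls -l $3
EOF
}

# upload LOCALFILE REMOTEDIR: returns sftp's exit status.
upload() {
    key_perms_ok "$KEY_FILE" || return 1
    batch=$(mktemp) || return 1
    write_batch "$batch" "$1" "$2"
    # -vvv debug output goes to a log you can share after redacting hosts and names
    sftp -b "$batch" -oPort="$SFTP_PORT" -oBatchMode=yes \
         -oIdentityFile="$KEY_FILE" -oUserKnownHostsFile="$KNOWN_HOSTS" \
         -oStrictHostKeyChecking=yes -vvv "$SFTP_USER@$SFTP_HOST" 2>sftp-debug.log
    status=$?
    rm -f "$batch"
    return $status
}

# Usage: ./upload.sh /path/to/invoice.edi /inbound   (hypothetical paths)
if [ $# -eq 2 ]; then
    upload "$1" "$2"
fi
```

StrictHostKeyChecking=yes means the partner's host key must be in KNOWN_HOSTS before the first run; add it from a fingerprint the partner gives you rather than by answering "yes" to the prompt Scott's script automates, otherwise the job pins whatever host answered first.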
 
LVL 1

Author Comment

by:MostHated
ID: 41826884
I have been using that connection string to try and connect, that was what was giving the originally posted error.

Though I have been connecting into the as400 using the i navigators emulation terminal and then typing in QSH to get to a command line once logged in to our VAI application. I will give what you mentioned a go.

** Edit -- What you just mentioned to do worked, I was able to login and I get an sftp> prompt now.

Edit again. I am getting closer, but putty keeps closing once it tries to connect with the sftp string and then get to the expect { } parts too fast for me to see what it says, is there a way to force it to stay opened?

** Edit once more lol. While I was working on getting the script working, they added my public key for me, so now everything is working great using just the keypairs. : D I appreciate all the help, the knowledge will still come in handy down the road I am sure, and I am sure this will help out some fellas down the line. Enabling SSH and doing it from putty seems to have been the majority of the issue.
0
 
LVL 34

Expert Comment

by:Gary Patterson
ID: 41827045
Lol.  Happy you got something working!
0
