
I can sftp (with password) but not sftp -b - not prompted for password!


use...@davidfilmer.com

Jun 26, 2007, 7:10:56 PM
I am trying to sftp data to a server. I only have the option to use
password authentication.

I can sftp just fine to the server and do whatever I want.

However, if I try to sftp with a batch file, I am not prompted for my
password. It seems to just skip that option.

The userid I am using has no keys in ~/.ssh (only known_hosts)

Here is the verbose output:

sftp -v -b sftp.batch.txt myus...@example.com

OpenSSH_4.4p1, OpenSSL 0.9.8d 28 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to sftp.americanlafrance.com [208.3.68.147] port 22.
debug1: Connection established.
debug1: identity file /home/david/.ssh/id_rsa type -1
debug1: identity file /home/david/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version 1.82 sshlib: WinSSHD 4.22
debug1: no match: 1.82 sshlib: WinSSHD 4.22
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'sftp.americanlafrance.com' is known and matches the DSA host key.
debug1: Found key in /home/david/.ssh/known_hosts:1
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/david/.ssh/id_rsa
debug1: Trying private key: /home/david/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password).
Couldn't read packet: Connection reset by peer


This is OpenSSH_4.4p1, OpenSSL 0.9.8d 28 Sep 2006


Does anyone know why I am not prompted for a password when trying a
batch process?

Thanks!

--
David Filmer (http://DavidFilmer.com)

Per Hedeland

Jun 27, 2007, 1:57:18 AM
In article <1182899456.8...@o11g2000prd.googlegroups.com>

use...@DavidFilmer.com writes:
>I am trying to sftp data to a server. I only have the option to use
>password authentication.
>
>I can sftp just fine to the server and do whatever I want.
>
>However, if I try to sftp with a batch file, I am not prompted for my
>password. It seems to just skip that option.

It's a design decision, not a good one in my opinion. At some 3.x
version, this was added to sftp.c:

case 'b':
...
>>>>>>>>>> addargs(&args, "-obatchmode yes");

From ssh_config(5):

    BatchMode
        If set to ``yes'', passphrase/password querying will be disabled.

It is also documented in sftp(1) (at least in current versions):

    -b batchfile
        Batch mode reads a series of commands from an input batchfile
        instead of stdin. Since it lacks user interaction it should be
        used in conjunction with non-interactive authentication.

IMO, if a 'sftp -b' user wants to disable passphrase/password querying,
he can just use that -o option on the sftp commandline himself - there
are many scenarios where interactive authentication is just fine even if
you prefer to have the sftp commands in a file.

I guess this is unlikely to change though, and given that, it is now
possible to do the opposite, i.e. override the "builtin" BatchMode
setting on the sftp command line:

sftp -o "batchmode no" -b /tmp/bat user@host

Note that it must come *before* -b, which may be surprising - this is
due to ssh processing -o options as if they were read from the config
file - ssh_config(5) again:

    For each parameter, the first obtained value will be used.


--Per Hedeland
p...@hedeland.org
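
The ordering rule described in the reply above, as an added example (not part of the thread and not OpenSSH source): a simplified C model of sftp forwarding `-o` options to ssh in command-line order, with `-b` contributing "batchmode yes" at its own position, and ssh keeping the first value it sees. The function names and the constructed command lines are assumptions for illustration; only the separated `-o "keyword value"` form is modelled.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define MAX_OPTS 16

/* Simplified model (not OpenSSH source): collect the option strings sftp
 * would forward to ssh, in command-line order. "-o X" forwards X; "-b file"
 * forwards "batchmode yes" at the position where -b appears. */
static int forward_opts(int argc, const char **argv, const char **out)
{
    int n = 0;
    for (int i = 0; i < argc && n < MAX_OPTS; i++) {
        if (strcmp(argv[i], "-o") == 0 && i + 1 < argc)
            out[n++] = argv[++i];
        else if (strcmp(argv[i], "-b") == 0 && i + 1 < argc) {
            out[n++] = "batchmode yes";
            i++;                      /* skip the batch file name */
        }
    }
    return n;
}

/* ssh_config(5) rule: the first obtained value for a keyword is used.
 * Returns 1 if BatchMode resolves to yes (no password prompt), else 0. */
static int batchmode_enabled(int argc, const char **argv)
{
    const char *opts[MAX_OPTS];
    int n = forward_opts(argc, argv, opts);
    for (int i = 0; i < n; i++) {
        size_t klen = strcspn(opts[i], " =");
        if (klen == 9 && strncasecmp(opts[i], "batchmode", 9) == 0) {
            const char *val = opts[i] + klen + strspn(opts[i] + klen, " =");
            return strcasecmp(val, "yes") == 0;
        }
    }
    return 0;                         /* ssh default: BatchMode no */
}

int main(void)
{
    /* Constructed command lines matching the ones in the thread. */
    const char *plain[]  = { "-b", "/tmp/bat", "user@host" };
    const char *before[] = { "-o", "batchmode no", "-b", "/tmp/bat", "user@host" };
    const char *after[]  = { "-b", "/tmp/bat", "-o", "batchmode no", "user@host" };
    printf("-b only:      BatchMode=%s\n", batchmode_enabled(3, plain)  ? "yes" : "no");
    printf("-o before -b: BatchMode=%s\n", batchmode_enabled(5, before) ? "yes" : "no");
    printf("-o after -b:  BatchMode=%s\n", batchmode_enabled(5, after)  ? "yes" : "no");
    return 0;
}
```

Only the middle case resolves to BatchMode no, which is why the override has to precede `-b` for the password prompt to come back.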

use...@davidfilmer.com

Jun 27, 2007, 4:39:59 AM
On Jun 26, 10:57 pm, p...@hedeland.org (Per Hedeland) wrote:

> sftp -o "batchmode no" -b /tmp/bat user@host

That did it!!! Thanks very much for your extremely complete and
helpful reply!

> It is also documented in sftp(1) (at least in current versions):

hmmm. Documented poorly IMHO

> -b batchfile
> Batch mode reads a series of commands from an input batchfile
> instead of stdin. Since it lacks user interaction it should be
> used in conjunction with non-interactive authentication.

To me, the word "should" implies a recommendation. But this is more
than a recommendation; -b flat-out does not work with interactive
authentication unless the user specifically does something ELSE to
make it work. It would have been nice if this had been made more
clear (and included mention of the batchmode override).

Anyway, thanks again for the assist!

Per Hedeland

Jun 27, 2007, 3:14:45 PM
In article <1182933599.6...@o11g2000prd.googlegroups.com>

use...@DavidFilmer.com writes:
>On Jun 26, 10:57 pm, p...@hedeland.org (Per Hedeland) wrote:
>
>> It is also documented in sftp(1) (at least in current versions):
>hmmm. Documented poorly IMHO
>
>> -b batchfile
>> Batch mode reads a series of commands from an input batchfile
>> instead of stdin. Since it lacks user interaction it should be
>> used in conjunction with non-interactive authentication.
>
>To me, the word "should" implies a recommendation.

Well, I was thinking primarily of the "lacks user interaction", which is
pretty definitive - and it's true, but only because the developers
decided to take away the user interaction that was possible earlier!:-)

--Per Hedeland
p...@hedeland.org
