Can I just say that I second Rob's suggestion: an SSH cookbook would be
really handy. Like much of the MultiNet documentation, the manuals tell
you the commands and detail the configuration files, but assume that you
otherwise know what you're doing :-)
It would be nice to see a (short) document giving useful examples of
SSH configurations, e.g. how to set up port forwarding, how to set up
a "secure pipe" between two MultiNet systems, perhaps a case study or
two on setting up authentication methods which don't rely on passwords.
Thanks,
Jeremy Begg
The error mentioned by Rich Whalen will be corrected for the next version of
MultiNet. However, I pasted the corrected version below. The only
difference is the key file name and location, which is key to getting
host-based authentication to work. The Public Key documentation (pages
8-10 through 8-12) is correct, as far as I know.
> Also, what many of us are no doubt attempting is to get
> SCP going in batch mode as a replacement for automated FTP
> sessions. I would like to see a cookbook method for setting
> up and testing SSH2 (1) between two Multinet boxes and then SCP
> in /BATCH mode between two boxes. I can SSH2 between boxes and
> am prompted for passphrase and for password on failure
> of passphrase,
> so I am confident I have something right. But I sure can't get
> SCP going in /BATCH mode and will not be spending any more time
> on this. Thanks for your help and pardon my ignorance on
> this subject. It isn't often I get hung up getting something up
> and running.
The "trick" to getting SCP to work in batch mode is setting up either
host-based authentication OR public key authentication so that you do not
have to enter any passphrase (or password) at all during the logon. If you
have your keys set up so that you need a passphrase, then batch mode will
not work. Before trying SCP in batch, be sure you can do an "SSH
<hostname>" which results in you logging completely in without having to
enter any keyboard input.
We will work on improving the examples in the documentation for our next
release--thank you for the suggestions.
--Lisa
Lisa Fuellemann
QA Engineering
Process Software
----------- Corrected Host-Based Authentication Example ----------
Host-Based Authentication Example
The following is an example of how to set up the SSH2 client and SSH2 server
for Host-Based Authentication:
$!
$! First, generate the host key - ONLY if it doesn't exist!
$!
$ multinet sshkeygen /ssh2 /host
Generating 1024-bit dsa key pair
4 oOo.oOo.oOo
Key generated.
1024-bit dsa, myn...@myclient.foo.com, Tue Oct 02 2001 13:43:54
Private key saved to multinet_ssh2_hostkey_dir:hostkey.
Public key saved to multinet_ssh2_hostkey_dir:hostkey.pub
$ directory multinet_ssh2_hostkey_dir:hostkey.*
Directory MULTINET_SPECIFIC_ROOT:[MULTINET.SSH2.HOSTKEYS]
HOSTKEY.;1 HOSTKEY.PUB;1
Total of 2 files
$!
$! Copy the client system public key to the user directory on the server
$!
$ copy multinet_ssh2_hostkey_dir:hostkey.pub -_$
myserv"myname myuser"::[.ssh2.knownhosts]myclient_foo_com_ssh-dss.pub
$!
$! Finally, log into the server system and ensure the
$! MULTINET:HOSTS.EQUIV file is correct
$!
$ SET HOST MYSERV
Welcome to OpenVMS (TM) VAX Operating System, Version V7.3
Username: myname
Password:
Welcome to OpenVMS VAX V7.3
Last interactive login on Monday, 1-OCT-2001 17:07
Last non-interactive login on Monday, 24-SEP-2001 08:30
MYSERV_$ type multinet:hosts.equiv
#
# HOSTS.EQUIV - names of hosts to have default "r" utility access to the local
# system.
#
# This file should list the full domain-style names.
#
# This list augments the users' SYS$LOGIN:.RHOSTS file for authentication.
# Both the .RHOSTS and the HOSTS.EQUIV files are cached by MultiNet -
# see the section entitled "RLOGIN and RSHELL Authentication Cache"
# in the _Administrator's Guide_ for more information on controlling
# the cache.
#
# This file is ignored for the users SYSTEM and ROOT. SYSTEM and ROOT
# must have a SYS$LOGIN:.RHOSTS file if you want to use RSHELL or RLOGIN
# with them.
#
localhost
myclient.foo.com myname
MYSERV_$
MYSERV_$ logout
MYNAME logged out at 2-OCT-2001 13:46:58.91
%REM-S-END, control returned to node MYCLIENT::
-------------------------------------------------
Note: the above assumes that you've allowed host-based authentication in
both the server and client configuration files. Host-based authentication
is not allowed by default.
Here is an example session that sets up public key authentication between two
Multinet systems and uses SCP/BATCH. Hope it helps.
$ MU SSHKEYGEN/SSH2
Generating 1024-bit dsa key pair
7 Oo.oOo.oOo.o
Key generated.
1024-bit dsa, cor...@yoyo.process.com, Mon Aug 19 2002 12:20:59
Passphrase : <CR>
Again : <CR>
Key is stored with NULL passphrase.
(You can ignore the following warning if you are generating hostkeys.)
This is not recommended.
Don't do this unless you know what you're doing.
If file system protections fail (someone can access the keyfile),
or if a privileged user is malicious, your key can be used without
the deciphering effort.
Private key saved to DISK$SYS_LOGIN:[LOGIN.CORBETT.SSH2]id_dsa_1024_a.
Public key saved to DISK$SYS_LOGIN:[LOGIN.CORBETT.SSH2]id_dsa_1024_a.pub
$
$ ! The following command assumes you do not have a [.SSH2]IDENTIFICATION.
$ ! file. If you already have one then edit it with your favorite
$ ! editor and add the following line to it:
$ ! idkey id_dsa_1024_a
$ !
$ COPY TT: [.SSH2]IDENTIFICATION.
idkey id_dsa_1024_a
<CTRL-Z>
$
$ MU SCP2/VMS [.SSH2]ID_DSA_1024_A.PUB TITANIA.PROCESS.COM::[.SSH2]ID_DSA_1024_A.PUB
Host key not found from database.
Key fingerprint:
xihon-lykef-duvez-pamef-lypac-mupyp-minyg-puvir-canel-vaker-kixox
You can get a public key's fingerprint by running
(OpenVMS) $ multinet sshkeygen /ssh2 /fingerprint=publickey.pub
(UNIX) % ssh-keygen -F publickey.pub
Are you sure you want to continue connecting (yes/no)? YES
Host key saved to DISK$SYS_LOGIN:[LOGIN.CORBETT.SSH2.HOSTKEYS]key_22_titania_process_com.pub
host key for titania.process.com, accepted by corbett Mon Aug 19 2002 13:12:23
Welcome to OpenVMS (TM) Alpha Operating System, Version V7.2-1
cor...@titania.process.com's password:
ID_DSA_1024_A.PUB | 746B | 0.7 kB/s | TOC: 00:00:01 | 100%
$
$ MU SSH2 TITANIA.PROCESS.COM
Welcome to OpenVMS (TM) Alpha Operating System, Version V7.2-1
corbett's password:
Authentication successful.
Welcome to Secret.
Please note that Secret is not a repository for your garbage.
Files and configuration changes are purged NIGHTLY!!!!!!!!!!!!
Last interactive login on Friday, 16-AUG-2002 13:16:08.32
Last non-interactive login on Monday, 19-AUG-2002 13:12:59.32
1 login failure since last successful login
$ DIR [.SSH2]
Directory SYS$SYSDEVICE:[CORBETT.SSH2]
ID_DSA_1024_A.PUB;1
Total of 1 file.
$ ! The following command assumes you do not have a [.SSH2]AUTHORIZATION.
$ ! file. If you already have one then edit it with your favorite
$ ! editor and add the following line to it:
$ ! key id_dsa_1024_a.pub
$ !
$ COPY TT: [.SSH2]AUTHORIZATION.
key id_dsa_1024_a.pub
<CTRL-Z>
$
$ log
CORBETT logged out at 19-AUG-2002 13:14:29.38
Connection to titania.process.com closed.
$
$ MU SCP2/VMS/BATCH LOGIN.COM TITANIA.PROCESS.COM::TEST.TEST
Welcome to OpenVMS (TM) Alpha Operating System, Version V7.2-1
LOGIN.COM | 2.3kB | 2.3 kB/s | TOC: 00:00:01 | 100%
--
+-------------------------------------------------------------------------+
Michael Corbett Email: Cor...@process.com
Process Software Phone: 800 722-7770 x369
959 Concord St. 508 879-6994 x369
Framingham MA 01701-4682 FAX: 508 879-0042
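Pulling the two replies together: Lisa's test (an SSH login to the host that completes with no keyboard input) and Michael's SCP2/VMS/BATCH transfer, as one DCL command procedure that can be run interactively or submitted to a batch queue. This is an added example written by the editor; it is not code from the thread or from Process Software. It assumes the key setup shown in Michael's session (an "idkey" line in the client's [.SSH2]IDENTIFICATION. and the matching "key" line in the server's [.SSH2]AUTHORIZATION.), the same username on both systems, and that the MultiNet SSH2 client reads a passphrase or password prompt from SYS$INPUT, so pointing SYS$INPUT at NL: turns a prompt into a failed login rather than a job that hangs waiting for a terminal it does not have. The SET PROTECTION step is the editor's addition, prompted by the warning SSHKEYGEN prints above: a key stored with a NULL passphrase is only as safe as the protection on the file that holds it.

```dcl
$! SCP_BATCH.COM - added example (editor's, not from the thread or Process Software)
$!
$! Usage:  @SCP_BATCH host local-file remote-file
$!   or:   SUBMIT/PARAMETERS=(host,local-file,remote-file) SCP_BATCH
$!
$ SET NOON                          ! $STATUS is tested explicitly below
$ SET DEFAULT SYS$LOGIN             ! [.SSH2] is relative to the login directory
$ host = P1
$ src  = P2
$ dst  = P3
$ IF host .EQS. "" .OR. src .EQS. "" .OR. dst .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "Usage: @SCP_BATCH host local-file remote-file"
$   EXIT 2                          ! error severity, visible in the batch log
$ ENDIF
$!
$! 1. A private key must be registered in IDENTIFICATION. (the "idkey" line).
$ IF F$SEARCH("[.SSH2]IDENTIFICATION.") .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "No [.SSH2]IDENTIFICATION. - run MULTINET SSHKEYGEN/SSH2 and add an idkey line"
$   EXIT 2
$ ENDIF
$!
$! 2. Every key named by an idkey line is stored without a passphrase, so file
$!    protection is all that guards it: deny GROUP and WORLD access to each one.
$ OPEN/READ idf [.SSH2]IDENTIFICATION.
$ next_line:
$   READ/END_OF_FILE=end_of_idf idf line
$   line = F$EDIT(line, "TRIM,COMPRESS,LOWERCASE")
$   IF F$ELEMENT(0, " ", line) .NES. "idkey" THEN GOTO next_line
$   key = F$ELEMENT(1, " ", line)
$   IF F$SEARCH("[.SSH2]''key'.") .EQS. "" THEN GOTO next_line
$   SET PROTECTION=(S:RWED,O:RWED,G,W) [.SSH2]'key'.
$   GOTO next_line
$ end_of_idf:
$ CLOSE idf
$!
$! 3. Preflight: the login Lisa describes, with nothing able to answer a prompt.
$!    If the server still wants a passphrase or password, the read hits
$!    end-of-file and SSH2 exits with an error instead of waiting forever.
$ DEFINE/USER_MODE SYS$INPUT NL:
$ MULTINET SSH2 'host'
$ status = $STATUS
$ IF .NOT. status
$ THEN
$   WRITE SYS$OUTPUT "Non-interactive login to ''host' failed (''status'); fix AUTHORIZATION./keys first"
$   EXIT status
$ ENDIF
$!
$! 4. The transfer itself, as in Michael's session. /BATCH means "never prompt",
$!    which is why step 3 has to succeed before this can.
$ DEFINE/USER_MODE SYS$INPUT NL:
$ MULTINET SCP2/VMS/BATCH 'src' 'host'::'dst'
$ status = $STATUS
$ IF .NOT. status THEN WRITE SYS$OUTPUT "Copy of ''src' to ''host'::''dst' failed (''status')"
$ EXIT status
```

Run it once interactively with a deliberately broken AUTHORIZATION. file on the server to confirm that step 3 fails fast rather than hanging; only then submit it. Once the key-based path works for a given server, the AllowedAuthentications line Rob shows below is a list of alternatives (Lisa's "OR"), so "password" can be removed from it on a server that should only ever accept key or host-based logins; the commented-out RequiredAuthentications line is not a substitute for it, since, as its name says, it makes each listed method mandatory.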
Thank you very much. This was the insight I missed. I did not
see any mention of "OR" and now know why it is broken. I have
them both set up. Lack of understanding on my part, and also
uncommenting a line that *appeared* to be telling me to set
them both up:
$ search ssh2_config. auth
# SyslogFacility AUTH
## User public key authentication
AuthorizationFile authorization
## Authentication
AllowedAuthentications hostbased,publickey,password #<<<-----
# AllowedAuthentications publickey,password
# RequiredAuthentications publickey,password
# HostbasedAuthForceClientHostnameDNSMatch no
> If you
> have your keys set up so that you need a passphrase, then batch mode will
> not work. Before trying SCP in batch, be sure you can do an "SSH
> <hostname>" which results in you logging completely in without having to
> enter any keyboard input.
>
Thanks, I should have known this.
> We will work on improving the examples in the documentation for our next
> release--thank you for the suggestions.
Appreciate it. A learning curve on my part. I need to keep trawling
Google to find that article:
"SSH and SCP for Total Idiots"
Rob
Men with walkie-talkie I'm home again to you babe
Men with flashlights waving You know it makes me wonder
Up upon the tower Sittin' in the quiet slipstream
The clock reads daylight savin' Rollin' in the thunder
-- Neil Young
Mark Kattalia
CALLAN ASSOCIATES Inc.
katt...@callan.com
(415) 978-3099
-----Original Message-----
From: Jeremy Begg [mailto:jer...@vsm.com.au]
Sent: Wednesday, October 02, 2002 3:44 AM
To: info-m...@process.com
Subject: RE: SCP in batch mode