IBM Support

Batch SCP Download Example Using Password Authentication

Troubleshooting


Problem

This technical document describes how to use password authentication with SCP.

Resolving The Problem

Prerequisites

57XXSS1 Option 30 (Qshell)

57XXSS1 Option 33 (Portable Application Solutions Environment)

5733SC1 Options *BASE & 1 (IBM Portable Utilities for i)

Assumptions

  • A user profile to run the batch SCP process exists on the LPAR.
  • A home directory in the IFS exists for the user profile that is running the batch SCP process.
  • The home directory parameter in the batch SCP user's profile contains the absolute path to its home directory.
  • The SCP server's public host key is stored in the known_hosts file in the batch SCP user's .ssh directory.
 

The primary components of a batch SCP procedure that uses password authentication are as follows:

  1. Password Shell Script
  2. Batch SCP Shell Script
  3. CL Program
 
Caution: The following batch procedure example is provided on an unsupported, AS IS basis. The preferred method for batch mode transfers is public-key authentication. The use of a private and public key pair for user-based authentication is more secure than a password. For batch connections that require password authentication, the procedure in this document describes how to submit a password to remote SCP servers. The example can be used as a guide to help implement password authentication with SCP.

Step 1 - Create Shell Scripts

QSH CMD('/QOpenSys/usr/bin/touch /QOpenSys/etc/openssh_password_script.sh')

QSH CMD('/QOpenSys/usr/bin/touch /home/scpuser/batch_scp_script.sh')
 
Step 2 - Change Owner Of The Shell Scripts To The Batch SCP User Profile

QSH CMD('/QOpenSys/usr/bin/chown scpuser /QOpenSys/etc/openssh_password_script.sh')

QSH CMD('/QOpenSys/usr/bin/chown scpuser /home/scpuser/batch_scp_script.sh')
 
Step 3 - Change IFS Authorities On The Shell Scripts

QSH CMD('/QOpenSys/usr/bin/chmod 755 /QOpenSys/etc/openssh_password_script.sh')

QSH CMD('/QOpenSys/usr/bin/chmod 755 /home/scpuser/batch_scp_script.sh')
 
Step 4 - Build Password Shell Script

EDTF '/QOpenSys/etc/openssh_password_script.sh'



Press F15 to enter the Edit File Options Screen.

The password shell script must use UNIX-style line endings (LF) rather than the CR/LF line endings used on Microsoft Windows-based machines.

Enter option 5 on the Selection line, and then specify *LF for the Stream file EOL option to append a line-feed at the end of each line in the file.




Press the enter key for the EOL change to take effect.

Press F3 to exit the Edit File Options screen.

Store the password for the user account that the SCP server administrator provided in the password script file.



Note: The prefix area in the CMD column is used for entering edit commands. For example, typing In can insert n blank lines after the record. Conversely, you can use Dn to delete the current line and the next n-1 lines or D to delete one line.

Here's a brief description of each record in the password script file:

#!/bin/sh -> Specifies the shell that interprets commands in the script file.

printf -> Prints the password for the user account that the SCP server administrator provided to copy files.

Press F3 to Save and Exit the password shell script.
 
Step 5 - Build SCP Script To Download Files Programmatically


EDTF '/home/scpuser/batch_scp_script.sh'



Press F15 to enter the Edit File Options Screen.

The batch scp shell script must use UNIX-style line endings (LF) rather than the CR/LF line endings used on Microsoft Windows-based machines.

Enter option 5 on the Selection line, and then specify *LF for the Stream file EOL option to append a line-feed at the end of each line in the file.



Press the enter key for the EOL change to take effect.

Press F3 to exit the Edit File Options screen.

The batch scp script file is used to copy files with a remote system programmatically.



Note: The prefix area in the CMD column is used for entering edit commands. For example, typing In can insert n blank lines after the record. Conversely, you can use Dn to delete the current line and the next n-1 lines or D to delete one line.

Here's a brief description of each element in the batch scp script file:

#!/bin/sh -> Specifies the shell that interprets commands in the script file.

export DISPLAY= SSH_ASKPASS=/QOpenSys/etc/openssh_password_script.sh -> Sets the $DISPLAY and $SSH_ASKPASS environment variables in the batch script file. The SSH_ASKPASS environment variable provides the location of the password shell script.

printf -> Prints the string of characters in the user's password to the scp command.

serverUserID@server: -> Specifies the user profile and remote SCP server.

serverUserID -> The user profile that the SCP server administrator provided to copy files.

server -> The IP address, Hostname, or Fully Qualified Domain Name of the SCP server.

/home/milbank/vpncfg.txt /home/scpuser -> Downloads text file 'vpncfg.txt' to the batch SCP user's home directory in the IFS.

Note 2: On OS releases 7.5+, the SSH_ASKPASS_REQUIRE environment variable needs to be added to the export line.

Here's an example of the export line on 7.5+ systems:

[Image: export line with SSH_ASKPASS_REQUIRE on a 7.5+ system]

Press F3 to Save and Exit the batch scp shell script.

Step 6 - Sample Batch SCP CL Program

The CL program invokes separate Qshell calls to run the commands in the password & batch scp script files.


 

Note: The IFS paths that include QOpenSys in the CL program example are case-sensitive.
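
The two files built in Steps 4 and 5, written and then checked by a small script (an added example, not IBM's scripts and not a copy of the original page's screenshots). Assumptions: the password is a placeholder, `SSH_ASKPASS_REQUIRE=force` is picked from OpenSSH's documented values (`never`, `prefer`, `force`) and applies to 7.5+ only, and the function names are hypothetical. The example creates both files with mode 700 rather than the 755 of Step 3, because the password script holds a plaintext secret that only the batch SCP user needs to read.

```shell
#!/bin/sh
# Added example, not IBM's scripts. Constructed values: PLACEHOLDER-PASSWORD,
# serverUserID@server, and SSH_ASKPASS_REQUIRE=force (assumed; 7.5+ only).

# Step 4: the askpass helper. ssh runs it and reads the password from stdout.
write_password_script() {            # $1 = output path
    ( umask 077; cat > "$1" ) <<'EOF'
#!/bin/sh
printf '%s\n' 'PLACEHOLDER-PASSWORD'
EOF
    chmod 700 "$1"                   # owner-only: file holds a plaintext secret
}

# Step 5: the batch script. The export line tells ssh where the helper is.
write_batch_script() {               # $1 = output path, $2 = helper path
    ( umask 077; cat > "$1" ) <<EOF
#!/bin/sh
export DISPLAY= SSH_ASKPASS=$2 SSH_ASKPASS_REQUIRE=force
scp serverUserID@server:/home/milbank/vpncfg.txt /home/scpuser
EOF
    chmod 700 "$1"
}

# Pre-flight check. Returns 0 if OK, 2 for CR/LF line ends, 1 for a bad first
# record, 3 if group or other has any permission on the file.
lint_script() {                      # $1 = script path
    cr=$(printf '\r')
    if grep -q "$cr" "$1"; then
        echo "$1: CR/LF line ends, set EOL to *LF"; return 2
    fi
    if [ "$(head -n 1 "$1")" != '#!/bin/sh' ]; then
        echo "$1: first record must be #!/bin/sh"; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" != '------' ]; then
        echo "$1: accessible beyond the owner"; return 3
    fi
    return 0
}

# Usage: write_password_script pw.sh; write_batch_script scp.sh "$PWD/pw.sh"
#        lint_script pw.sh && lint_script scp.sh
```

Running `lint_script` against the files before the CL program is submitted catches the two failures this procedure is prone to: a script saved with CR/LF line ends, and a password file left readable by other profiles.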


Document Information

Modified date:
03 June 2024

UID

nas8N1022284