IBM Support

How to use passwords with z/OS OpenSSH in batch

How To


Summary

Occasionally a remote system explicitly requires password authentication for ssh, sftp, or scp connections. This document guides you through setting up z/OS OpenSSH to supply a password when establishing a connection in batch mode (BPXBATCH or similar).

Objective

A method to connect to a remote ssh (sftp/scp) daemon by using BPXBATCH and password authentication, for scenarios in which cryptographic authentication (keys/certificates) cannot be used.

Steps

Before you begin:
The following steps apply to the scenario where the "client" is the z/OS system, creating an outbound connection to an ssh daemon.
/u/user1 is the home directory of the local z/OS user who runs the OpenSSH client (ssh/sftp/scp)
remoteuser is the user id logging into the remote system
mypassword is the password for remoteuser on the remote system
remotehost is the IP address or name of the remote system.

1) The password must be retrievable by running a shell script. There are multiple ways to accomplish this, but the script must be executable and its output must be ONLY the password.

Option 1:  Include the password in the script

Define your script to contain:

#!/bin/sh
echo mypassword

Option 2:  Place the password in a RACF protected data set

Define your script to contain:

#!/bin/sh
cat "//'HLQ.PASSWD.DSN'"

The data set in this example contains just the password. E.g.:
[Image: the data set shown in the editor, containing the single record mypassword]
Notes:
Ensure that there is no line numbering inserted in column 80; sequence numbers would be returned together with the password.
The data set name is arbitrary and can be altered to suit your needs.

To verify this step, run the script from the terminal; the output should be the expected password. Example:

$ ./askpass.sh
mypassword

2) If not already present, update your JCL to include an STDENV DD statement. The STDENV DD statement must set the following environment variables (names are case-sensitive): DISPLAY and SSH_ASKPASS

DISPLAY can contain any arbitrary value
SSH_ASKPASS contains the full pathname of the script created in step 1

Example:
//STDENV   DD  *
DISPLAY=FOO
SSH_ASKPASS=/u/user1/askpass.sh
/*

3) This step is written for the sftp client; see "Additional Information" for ssh and scp examples.
In the JCL where the sftp utility is invoked, "BatchMode" must be disabled for ssh/sftp to allow passwords. (When sftp is invoked in batch, password authentication is disabled by default.) To do this, the option "-oBatchMode=no" must be included on the command line before the -b option.

Here is an example combining the above two steps:

//SFTP     EXEC PGM=BPXBATCH,PARMDD=PARMINDD
//STDIN    DD DUMMY
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//STDENV   DD *
DISPLAY=FOO
SSH_ASKPASS=/u/user1/askpass.sh
/*
//PARMINDD DD *
PGM
 /bin/sftp -oBatchMode=no
 -b /u/user1/sftp.commands remoteuser@remotehost
/*

Recall that the -b option points to a file containing the commands to be run in the sftp session.
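The following shell script is an added check, not part of the IBM document, for verifying an askpass script from step 1 before you name it in STDENV. It confirms that the file is executable and readable only by its owner, and that its output is exactly one line containing nothing but the password, which is what a sequence number inserted in column 80 would break; the script path and the sample scripts it builds are assumptions.

```sh
#!/bin/sh
# check_askpass.sh: sanity-check an SSH_ASKPASS script before naming it in STDENV.
# Added example, not part of the IBM document; the script path is an assumption.
# check_askpass PATH returns 0 only when PATH is an executable regular file with no
# group/other permission bits (the password is in it or reachable through it)
# and its output is exactly one non-empty line containing no blanks, i.e. only
# the password. Blanks are how fixed-record padding in front of a sequence
# number in columns 73-80 shows up when a data set is read with cat.
check_askpass() {
    script=$1
    [ -f "$script" ] || { echo "NO: $script is not a regular file" >&2; return 1; }
    [ -x "$script" ] || { echo "NO: $script is not executable" >&2; return 2; }
    # columns 5-10 of 'ls -ld' are the group and other permission bits
    perms=$(ls -ld "$script" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "NO: $script is accessible by group/other ($perms)" >&2; return 3; }
    out=$("$script" 2>/dev/null)
    [ -n "$out" ] || { echo "NO: $script produced no output" >&2; return 4; }
    nlines=$(printf '%s\n' "$out" | wc -l | tr -d ' ')
    [ "$nlines" -eq 1 ] || { echo "NO: $script produced $nlines lines" >&2; return 5; }
    case $out in
        *[[:blank:]]*) echo "NO: output contains blanks (record padding or a sequence number?)" >&2; return 6 ;;
    esac
    echo "OK: $script returns a single password line"
}

# Writes two constructed sample scripts into DIR so the checks can be exercised
# offline. bad.sh mimics an 80-byte record with the password in columns 1-10
# and the sequence number 00010000 in columns 73-80 (the "column 80" pitfall).
make_samples() {
    dir=$1
    mkdir -p "$dir"
    printf '#!/bin/sh\necho mypassword\n' > "$dir/good.sh"
    printf '#!/bin/sh\necho "mypassword%62s00010000"\n' '' > "$dir/bad.sh"
    chmod 700 "$dir/good.sh" "$dir/bad.sh"
}

# Usage: ./check_askpass.sh /u/user1/askpass.sh
[ $# -eq 1 ] && check_askpass "$1"
```

Run it against the real askpass script from the same user id that the BPXBATCH job runs under, since the permission check only means something for that user.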


Additional Information

Please be aware of the following advisories:
   This method makes use of an interface within OpenSSH designed to collect passwords through a graphical plug-in (on X11 systems). This interface could change (or be withdrawn) in a future OpenSSH or z/OS release. The use of keys is strongly recommended over this method.

   If the destination host has not been connected to before, StrictHostKeyChecking may cause the connection process to loop indefinitely while trying to prompt the user to save the destination's host key in the local known_hosts file. To avoid this, ensure that the destination host already has a host key entry in the local user's known_hosts file or in the global /etc/ssh/ssh_known_hosts file.


Additional examples:
1)  Using this method to connect with ssh to run a command:
//SSH      EXEC PGM=BPXBATCH,PARMDD=PARMINDD
//STDIN    DD DUMMY
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//STDENV   DD  *
DISPLAY=FOO
SSH_ASKPASS=/u/user1/askpass.sh
/*
//PARMINDD DD *
PGM
 /bin/ssh remoteuser@remotehost
 ls
/*


2) Using scp to copy a file:
//SCP      EXEC PGM=BPXBATCH,PARMDD=PARMINDD
//STDIN    DD DUMMY
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//STDENV   DD *
DISPLAY=FOO
SSH_ASKPASS=/u/user1/askpass.sh
/*
//PARMINDD DD *
PGM
 /bin/scp /tmp/localfile
 remoteuser@remotehost:/tmp/remotecopy
/*

Note: While both sides of an scp copy can be remote hosts, there is no way to provide different passwords to the two remote connections. For this reason, this method requires one side of the copy to be local.

Document Location

Worldwide



Document Information

More support for:
z/OS

Component:
z/OS->OpenSSH->clients (ssh/sftp/scp)

Software version:
All Versions

Operating system(s):
z/OS

Document number:
7027869

Modified date:
31 August 2023

UID

ibm17027869
