Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Hi,

Some links, to add to Satid's answer

https://www.ibm.com/support/pages/configuring-ibm-i-sshd-server-use-public-key-authentication

https://www.ibm.com/support/pages/example-batch-sftp-script

https://www.ibm.com/support/pages/batch-sftp-download-example-using-password-authentication

https://blog.faq400.com/en/system-administration-en/sftp-with-password-no-ssh-key-authentication-it/

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Hi,

Some links, to add to Satid's answer

https://www.ibm.com/support/pages/configuring-ibm-i-sshd-server-use-public-key-authentication

https://www.ibm.com/support/pages/example-batch-sftp-script

https://www.ibm.com/support/pages/batch-sftp-download-example-using-password-authentication

https://blog.faq400.com/en/system-administration-en/sftp-with-password-no-ssh-key-authentication-it/

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

And if you want a native application that runs on IBM i for SFTP..  Consider GoAnywhere..  https://www.fortra.com/product-lines/goanywhere#features

This product is an application for exchanging IBM i data from DB2 or other sources too.

Good luck

Tom

Hi,

Some links, to add to Satid's answer

https://www.ibm.com/support/pages/configuring-ibm-i-sshd-server-use-public-key-authentication

https://www.ibm.com/support/pages/example-batch-sftp-script

https://www.ibm.com/support/pages/batch-sftp-download-example-using-password-authentication

https://blog.faq400.com/en/system-administration-en/sftp-with-password-no-ssh-key-authentication-it/

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

And if you want a native application that runs on IBM i for SFTP..  Consider GoAnywhere..  https://www.fortra.com/product-lines/goanywhere#features

This product is an application for exchanging IBM i data from DB2 or other sources too.

Good luck

Tom

Hi,

Some links, to add to Satid's answer

https://www.ibm.com/support/pages/configuring-ibm-i-sshd-server-use-public-key-authentication

https://www.ibm.com/support/pages/example-batch-sftp-script

https://www.ibm.com/support/pages/batch-sftp-download-example-using-password-authentication

https://blog.faq400.com/en/system-administration-en/sftp-with-password-no-ssh-key-authentication-it/

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

I'm getting the error "Host key verification failed."  If I need to generate a different key type than what I did originally, will I need to delete my original keys first and then generate the new set?  For generating the key in PACE, is there a listing of type specification options for use in the command for that?  The options I've found are rsa, rsa1, dsa, or ecdsa.  

And if you want a native application that runs on IBM i for SFTP..  Consider GoAnywhere..  https://www.fortra.com/product-lines/goanywhere#features

This product is an application for exchanging IBM i data from DB2 or other sources too.

Good luck

Tom

Hi,

Some links, to add to Satid's answer

https://www.ibm.com/support/pages/configuring-ibm-i-sshd-server-use-public-key-authentication

https://www.ibm.com/support/pages/example-batch-sftp-script

https://www.ibm.com/support/pages/batch-sftp-download-example-using-password-authentication

https://blog.faq400.com/en/system-administration-en/sftp-with-password-no-ssh-key-authentication-it/

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Good reference, thank you Satid:

The same happens with IFS, a kind of NFS, that is also not very secure, but its security may be improved with sshfs, which is also natively supported on IBM i.

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

For SFTP on IBM i, do you need the public key of the partner when you are the client and they have the server?  One document I found mentions having the partner's public key in your known_hosts file. 

Good reference, thank you Satid:

The same happens with IFS, a kind of NFS, that is also not very secure, but its security may be improved with sshfs, which is also natively supported on IBM i.

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Dear Amy

>>>> For SFTP on IBM i, do you need the public key of the partner when you are the client and they have the server?  One document I found mentions having the partner's public key in your known_hosts file.  <<<<

Please refer to this IBM Technote for the answer :  Configuring the IBM i ssh, sftp, and scp clients to use public-key authentication at https://www.ibm.com/support/pages/configuring-ibm-i-ssh-sftp-and-scp-clients-use-public-key-authentication

For SFTP on IBM i, do you need the public key of the partner when you are the client and they have the server?  One document I found mentions having the partner's public key in your known_hosts file. 

Good reference, thank you Satid:

The same happens with IFS, a kind of NFS, that is also not very secure, but its security may be improved with sshfs, which is also natively supported on IBM i.

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Thanks.  Yes, that is the document where I found mention of that.  Other documentation sources did not include that need.  When I asked our partner for their public key, they said I shouldn't need it.  So, I wanted to know if I was misunderstanding, and we didn't need it after all.  

Dear Amy

>>>> For SFTP on IBM i, do you need the public key of the partner when you are the client and they have the server?  One document I found mentions having the partner's public key in your known_hosts file.  <<<<

Please refer to this IBM Technote for the answer :  Configuring the IBM i ssh, sftp, and scp clients to use public-key authentication at https://www.ibm.com/support/pages/configuring-ibm-i-ssh-sftp-and-scp-clients-use-public-key-authentication

For SFTP on IBM i, do you need the public key of the partner when you are the client and they have the server?  One document I found mentions having the partner's public key in your known_hosts file. 

Good reference, thank you Satid:

The same happens with IFS, a kind of NFS, that is also not very secure, but its security may be improved with sshfs, which is also natively supported on IBM i.

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

>>>> When I asked our partner for their public key, they said I shouldn't need it.  <<<<

According to the Technote, your partner is right in saying that you do not need the public key because you use private key. It's them who need your public key you produce for them.

------------------------------
Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
------------------------------
Satid S.

Original Message:
Sent: Wed August 23, 2023 10:04 PM
From: Amy Vozza
Subject: How to SFTP on IBM i

Thanks.  Yes, that is the document where I found mention of that.  Other documentation sources did not include that need.  When I asked our partner for their public key, they said I shouldn't need it.  So, I wanted to know if I was misunderstanding, and we didn't need it after all.  

------------------------------
Amy Vozza

Original Message:
Sent: Wed August 23, 2023 09:52 PM
From: Satid Singkorapoom
Subject: How to SFTP on IBM i

Dear Amy

>>>> For SFTP on IBM i, do you need the public key of the partner when you are the client and they have the server?  One document I found mentions having the partner's public key in your known_hosts file.  <<<<

Please refer to this IBM Technote for the answer :  Configuring the IBM i ssh, sftp, and scp clients to use public-key authentication at https://www.ibm.com/support/pages/configuring-ibm-i-ssh-sftp-and-scp-clients-use-public-key-authentication

------------------------------
Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
------------------------------
Satid S.

Original Message:
Sent: Wed August 23, 2023 10:15 AM
From: Amy Vozza
Subject: How to SFTP on IBM i

For SFTP on IBM i, do you need the public key of the partner when you are the client and they have the server?  One document I found mentions having the partner's public key in your known_hosts file. 

------------------------------
Amy Vozza

Original Message:
Sent: Tue August 22, 2023 05:07 PM
From: Daniel Jose Lema Guanziroli
Subject: How to SFTP on IBM i

Good reference, thank you Satid:

The same happens with IFS, a kind of NFS, that is also not very secure, but its security may be improved with sshfs, which is also natively supported on IBM i.

------------------------------
Daniel Jose Lema Guanziroli

Original Message:
Sent: Thu August 17, 2023 10:12 PM
From: Satid Singkorapoom
Subject: How to SFTP on IBM i

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

------------------------------
Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
------------------------------
Satid S.

Original Message:
Sent: Thu August 17, 2023 04:58 PM
From: Amy Vozza
Subject: How to SFTP on IBM i

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

------------------------------
Amy Vozza
------------------------------

Good reference, thank you Satid:

The same happens with IFS, a kind of NFS, that is also not very secure, but its security may be improved with sshfs, which is also natively supported on IBM i.

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Dear Amy

One good place is Scott Klement's web site  https://www.scottklement.com/presentations/  and download this presentation :

Here is an additional article on using SFTP inIBM i :  https://techchannel.com/SMB/12/2009/sftp-tips

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Another product to look at is LFTP. It can be easily scripted and integrated into a CL. And is is free. 

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Another product to look at is LFTP. It can be easily scripted and integrated into a CL. And is is free. 

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Hi Peter, 
I'm trying to change ftp-scripts to SFTP using LFTP as it looks nice to use . 
You have examples of using LFTP ?
At this moment, the ftp-scripts are changing the input with example date and hour in the filenames that are ended. 

Would be nice to know how to do this with LFTP ... I guess we need to create the file and push it to ifs and use it from there.
Kinda new to this, so any help on LFTP and using open source Unix !
Greetings 

Another product to look at is LFTP. It can be easily scripted and integrated into a CL. And is is free. 

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Hi Peter, 
I'm trying to change ftp-scripts to SFTP using LFTP as it looks nice to use . 
You have examples of using LFTP ?
At this moment, the ftp-scripts are changing the input with example date and hour in the filenames that are ended. 

Would be nice to know how to do this with LFTP ... I guess we need to create the file and push it to ifs and use it from there.
Kinda new to this, so any help on LFTP and using open source Unix !
Greetings 

Another product to look at is LFTP. It can be easily scripted and integrated into a CL. And is is free. 

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Hi Peter, 
I'm trying to change ftp-scripts to SFTP using LFTP as it looks nice to use . 
You have examples of using LFTP ?
At this moment, the ftp-scripts are changing the input with example date and hour in the filenames that are ended. 

Would be nice to know how to do this with LFTP ... I guess we need to create the file and push it to ifs and use it from there.
Kinda new to this, so any help on LFTP and using open source Unix !
Greetings 

Another product to look at is LFTP. It can be easily scripted and integrated into a CL. And is is free. 

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

https://www.seidengroup.com/2022/12/27/automate-sftp-transfers-using-expect/

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

I usually add -vvv parameter (for maximum debug level logging) to the sftp command as a first step to any sftp comms triage effort. If you try that and share the output with us (it's going to be long), we could get better insight into the client side.

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Dear Ravisankar

I'm confused. Do you use "Restricted Access" method described in your provided Github link?   If so, how do you encounter the problem when you already have those steps described in your link (which imply they should work)?    My guess is that one of those commands in the long list of preparation steps may have an error that you may overlook.  Do you ensure each command you run does not have an error returned by IBM i? 

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Hi Satid,

   Thank you for the reply.

• Yes, I did use the "Restricted Access Method" described in my GitHub repo.
• The steps given in the "Restricted Access Method" are actually from the IBMi's documentation Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories.
• I also checked the chroot_config.log and found no possible issues there. Attached the same for your reference.
• I am also confused because, all the steps given on the IBMi documentation have been completed successfully. But still the connection is getting closed in 4-5 seconds.
• By looking at the screenshot below, I could see that the SFTP actually got initiated and due to some configuration/network issue the connection is closed. Notice the message "ECDSA key fingerprint is SHA256:xxxxx" --> does that mean the SFTP got connected at first?
• 
• Please let me know your thoughts on this.

Regards,

Dear Ravisankar

I'm confused. Do you use "Restricted Access" method described in your provided Github link?   If so, how do you encounter the problem when you already have those steps described in your link (which imply they should work)?    My guess is that one of those commands in the long list of preparation steps may have an error that you may overlook.  Do you ensure each command you run does not have an error returned by IBM i? 

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Hi, I am struggling with that too. Did you solved it ?

It seems the problem is with the the dot (/.) . Home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user login again but he is not restricted to that directory

Hi Satid,

   Thank you for the reply.

• Yes, I did use the "Restricted Access Method" described in my GitHub repo.
• The steps given in the "Restricted Access Method" are actually from the IBMi's documentation Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories.
• I also checked the chroot_config.log and found no possible issues there. Attached the same for your reference.
• I am also confused because, all the steps given on the IBMi documentation have been completed successfully. But still the connection is getting closed in 4-5 seconds.
• By looking at the screenshot below, I could see that the SFTP actually got initiated and due to some configuration/network issue the connection is closed. Notice the message "ECDSA key fingerprint is SHA256:xxxxx" --> does that mean the SFTP got connected at first?
• 
• Please let me know your thoughts on this.

Regards,

Dear Ravisankar

I'm confused. Do you use "Restricted Access" method described in your provided Github link?   If so, how do you encounter the problem when you already have those steps described in your link (which imply they should work)?    My guess is that one of those commands in the long list of preparation steps may have an error that you may overlook.  Do you ensure each command you run does not have an error returned by IBM i? 

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Dear Pino

Please study this IBM i Tehcnote to see if it helps with your case:  Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories at https://www.ibm.com/support/pages/using-chroot-ibm-i-restrict-ssh-sftp-and-scp-specific-directories.                  

Hi, I am struggling with that too. Did you solved it ?

It seems the problem is with the the dot (/.) . Home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user login again but he is not restricted to that directory

Hi Satid,

   Thank you for the reply.

• Yes, I did use the "Restricted Access Method" described in my GitHub repo.
• The steps given in the "Restricted Access Method" are actually from the IBMi's documentation Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories.
• I also checked the chroot_config.log and found no possible issues there. Attached the same for your reference.
• I am also confused because, all the steps given on the IBMi documentation have been completed successfully. But still the connection is getting closed in 4-5 seconds.
• By looking at the screenshot below, I could see that the SFTP actually got initiated and due to some configuration/network issue the connection is closed. Notice the message "ECDSA key fingerprint is SHA256:xxxxx" --> does that mean the SFTP got connected at first?
• 
• Please let me know your thoughts on this.

Regards,

Dear Ravisankar

I'm confused. Do you use "Restricted Access" method described in your provided Github link?   If so, how do you encounter the problem when you already have those steps described in your link (which imply they should work)?    My guess is that one of those commands in the long list of preparation steps may have an error that you may overlook.  Do you ensure each command you run does not have an error returned by IBM i? 

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Dear Satid,

I have already tried that but unfortunately when the home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user login again but he is not restricted to that directory

Thank you for your responses

Dear Pino

Please study this IBM i Tehcnote to see if it helps with your case:  Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories at https://www.ibm.com/support/pages/using-chroot-ibm-i-restrict-ssh-sftp-and-scp-specific-directories.                  

Hi, I am struggling with that too. Did you solved it ?

It seems the problem is with the the dot (/.) . Home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user login again but he is not restricted to that directory

Hi Satid,

   Thank you for the reply.

• Yes, I did use the "Restricted Access Method" described in my GitHub repo.
• The steps given in the "Restricted Access Method" are actually from the IBMi's documentation Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories.
• I also checked the chroot_config.log and found no possible issues there. Attached the same for your reference.
• I am also confused because, all the steps given on the IBMi documentation have been completed successfully. But still the connection is getting closed in 4-5 seconds.
• By looking at the screenshot below, I could see that the SFTP actually got initiated and due to some configuration/network issue the connection is closed. Notice the message "ECDSA key fingerprint is SHA256:xxxxx" --> does that mean the SFTP got connected at first?
• 
• Please let me know your thoughts on this.

Regards,

Dear Ravisankar

I'm confused. Do you use "Restricted Access" method described in your provided Github link?   If so, how do you encounter the problem when you already have those steps described in your link (which imply they should work)?    My guess is that one of those commands in the long list of preparation steps may have an error that you may overlook.  Do you ensure each command you run does not have an error returned by IBM i? 

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

I set this up for a customer the other day. I ran into issues with SFTP honoring the home directory path with the "." in it. I believe what fixed it in the end was one or all of these 3 things:

1. Make sure the owner of the ...home/UserX folder is UserX
2. Set the Locale to *NONE
   CHGUSRPRF USRPRF(UserX) LOCALE(*NONE)
3. Set the proper permissions on the ...home/UserX folder
   chmod 755 /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX

Some of this information is here:
Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories

Ibm		remove preview
Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories This document provides instructions for implementing the chroot function which isolates ssh, sftp, and scp users into specific directories in the Integrated File System (IFS). View this on Ibm >

and here:
Configuring the IBM i SSHD Server to Use Public-Key Authentication

Dear Satid,

I have already tried that but unfortunately when the home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user login again but he is not restricted to that directory

Thank you for your responses

Dear Pino

Please study this IBM i Tehcnote to see if it helps with your case:  Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories at https://www.ibm.com/support/pages/using-chroot-ibm-i-restrict-ssh-sftp-and-scp-specific-directories.                  

Hi, I am struggling with that too. Did you solved it ?

It seems the problem is with the the dot (/.) . Home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user login again but he is not restricted to that directory

Hi Satid,

   Thank you for the reply.

• Yes, I did use the "Restricted Access Method" described in my GitHub repo.
• The steps given in the "Restricted Access Method" are actually from the IBMi's documentation Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories.
• I also checked the chroot_config.log and found no possible issues there. Attached the same for your reference.
• I am also confused because, all the steps given on the IBMi documentation have been completed successfully. But still the connection is getting closed in 4-5 seconds.
• By looking at the screenshot below, I could see that the SFTP actually got initiated and due to some configuration/network issue the connection is closed. Notice the message "ECDSA key fingerprint is SHA256:xxxxx" --> does that mean the SFTP got connected at first?
• 
• Please let me know your thoughts on this.

Regards,

Dear Ravisankar

I'm confused. Do you use "Restricted Access" method described in your provided Github link?   If so, how do you encounter the problem when you already have those steps described in your link (which imply they should work)?    My guess is that one of those commands in the long list of preparation steps may have an error that you may overlook.  Do you ensure each command you run does not have an error returned by IBM i? 

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Hello Pino, Ravisankar, and Others,

You may also check whether your chrooted environment was impacted by an apparent bug in the chroot_setup_script.sh (if that is what you used to create the chrooted environment) which was the issue I had to resolve.

The main executable (your chrooted user depends on) is a clone of the sftp-server command which the chroot_setup_script.sh script copies to your /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/QOpenSys/QIBM/ProdData/SC1/OpenSSH/libexec folder. That executable was updated by IBM some time ago due to security patching, and one of the libraries it now depends on is  called libcrypto.so.3 -- you can verify that by running PASE command "dump -H <path-to-the>sftp-server". Unfortunately, the chroot_setup_script.sh script was not updated and it still copies the older, deprecated version of the library called libcrypto.so.1.1

To fix this, you can either edit the chroot_setup_script.sh (that's what I did since it gets rerun often) and rerun it, or ,you can copy the missing library to the /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/usr/lib folder (where the libcrypto.so.1.1 was previously copied).

Hope this helps. Let me know if you get stuck.

Roman

I set this up for a customer the other day. I ran into issues with SFTP honoring the home directory path with the "." in it. I believe what fixed it in the end was one or all of these 3 things:

1. Make sure the owner of the ...home/UserX folder is UserX
2. Set the Locale to *NONE
   CHGUSRPRF USRPRF(UserX) LOCALE(*NONE)
3. Set the proper permissions on the ...home/UserX folder
   chmod 755 /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX

Some of this information is here:
Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories

Ibm		remove preview
Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories This document provides instructions for implementing the chroot function which isolates ssh, sftp, and scp users into specific directories in the Integrated File System (IFS). View this on Ibm >

and here:
Configuring the IBM i SSHD Server to Use Public-Key Authentication

Dear Satid,

I have already tried that but unfortunately when the home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user login again but he is not restricted to that directory

Thank you for your responses

Dear Pino

Please study this IBM i Tehcnote to see if it helps with your case:  Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories at https://www.ibm.com/support/pages/using-chroot-ibm-i-restrict-ssh-sftp-and-scp-specific-directories.                  

Hi, I am struggling with that too. Did you solved it ?

It seems the problem is with the the dot (/.) . Home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user login again but he is not restricted to that directory

Hi Satid,

   Thank you for the reply.

• Yes, I did use the "Restricted Access Method" described in my GitHub repo.
• The steps given in the "Restricted Access Method" are actually from the IBMi's documentation Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories.
• I also checked the chroot_config.log and found no possible issues there. Attached the same for your reference.
• I am also confused because, all the steps given on the IBMi documentation have been completed successfully. But still the connection is getting closed in 4-5 seconds.
• By looking at the screenshot below, I could see that the SFTP actually got initiated and due to some configuration/network issue the connection is closed. Notice the message "ECDSA key fingerprint is SHA256:xxxxx" --> does that mean the SFTP got connected at first?
• 
• Please let me know your thoughts on this.

Regards,

Dear Ravisankar

I'm confused. Do you use "Restricted Access" method described in your provided Github link?   If so, how do you encounter the problem when you already have those steps described in your link (which imply they should work)?    My guess is that one of those commands in the long list of preparation steps may have an error that you may overlook.  Do you ensure each command you run does not have an error returned by IBM i? 

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Hello Pino, Ravisankar, and Others,

You may also check whether your chrooted environment was impacted by an apparent bug in the chroot_setup_script.sh (if that is what you used to create the chrooted environment) which was the issue I had to resolve.

The main executable (your chrooted user depends on) is a clone of the sftp-server command which the chroot_setup_script.sh script copies to your /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/QOpenSys/QIBM/ProdData/SC1/OpenSSH/libexec folder. That executable was updated by IBM some time ago due to security patching, and one of the libraries it now depends on is  called libcrypto.so.3 -- you can verify that by running PASE command "dump -H <path-to-the>sftp-server". Unfortunately, the chroot_setup_script.sh script was not updated and it still copies the older, deprecated version of the library called libcrypto.so.1.1

To fix this, you can either edit the chroot_setup_script.sh (that's what I did since it gets rerun often) and rerun it, or ,you can copy the missing library to the /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/usr/lib folder (where the libcrypto.so.1.1 was previously copied).

Hope this helps. Let me know if you get stuck.

Roman

I set this up for a customer the other day. I ran into issues with SFTP honoring the home directory path with the "." in it. I believe what fixed it in the end was one or all of these 3 things:

1. Make sure the owner of the ...home/UserX folder is UserX
2. Set the Locale to *NONE
   CHGUSRPRF USRPRF(UserX) LOCALE(*NONE)
3. Set the proper permissions on the ...home/UserX folder
   chmod 755 /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX

Some of this information is here:
Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories

Ibm		remove preview
Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories This document provides instructions for implementing the chroot function which isolates ssh, sftp, and scp users into specific directories in the Integrated File System (IFS). View this on Ibm >

and here:
Configuring the IBM i SSHD Server to Use Public-Key Authentication

Dear Satid,

I have already tried that but unfortunately when the home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user login again but he is not restricted to that directory

Thank you for your responses

Dear Pino

Please study this IBM i Tehcnote to see if it helps with your case:  Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories at https://www.ibm.com/support/pages/using-chroot-ibm-i-restrict-ssh-sftp-and-scp-specific-directories.                  

Hi, I am struggling with that too. Did you solved it ?

It seems the problem is with the the dot (/.) . Home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user login again but he is not restricted to that directory

Hi Satid,

   Thank you for the reply.

• Yes, I did use the "Restricted Access Method" described in my GitHub repo.
• The steps given in the "Restricted Access Method" are actually from the IBMi's documentation Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories.
• I also checked the chroot_config.log and found no possible issues there. Attached the same for your reference.
• I am also confused because, all the steps given on the IBMi documentation have been completed successfully. But still the connection is getting closed in 4-5 seconds.
• By looking at the screenshot below, I could see that the SFTP actually got initiated and due to some configuration/network issue the connection is closed. Notice the message "ECDSA key fingerprint is SHA256:xxxxx" --> does that mean the SFTP got connected at first?
• 
• Please let me know your thoughts on this.

Regards,

Dear Ravisankar

I'm confused. Do you use "Restricted Access" method described in your provided Github link?   If so, how do you encounter the problem when you already have those steps described in your link (which imply they should work)?    My guess is that one of those commands in the long list of preparation steps may have an error that you may overlook.  Do you ensure each command you run does not have an error returned by IBM i? 

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Hi, I am struggling with that too. Did you solved it ?

It seems the problem is with the the dot (/.) . Home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user login again but he is not restricted to that directory

Hi Satid,

   Thank you for the reply.

• Yes, I did use the "Restricted Access Method" described in my GitHub repo.
• The steps given in the "Restricted Access Method" are actually from the IBMi's documentation Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories.
• I also checked the chroot_config.log and found no possible issues there. Attached the same for your reference.
• I am also confused because, all the steps given on the IBMi documentation have been completed successfully. But still the connection is getting closed in 4-5 seconds.
• By looking at the screenshot below, I could see that the SFTP actually got initiated and due to some configuration/network issue the connection is closed. Notice the message "ECDSA key fingerprint is SHA256:xxxxx" --> does that mean the SFTP got connected at first?
• 
• Please let me know your thoughts on this.

Regards,

Dear Ravisankar

I'm confused. Do you use "Restricted Access" method described in your provided Github link?   If so, how do you encounter the problem when you already have those steps described in your link (which imply they should work)?    My guess is that one of those commands in the long list of preparation steps may have an error that you may overlook.  Do you ensure each command you run does not have an error returned by IBM i? 

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Hi @Pino Mariotti, 

I wonder if you saw my response on the other thread. According to your SSH client log, the issue is that the user profile is configured to use bash as its shell, but the IBM script does not copy the bash binary into the chroot environment. 

Best, 

Kurt

Hi, I am struggling with that too. Did you solved it ?

It seems the problem is with the the dot (/.) . Home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user login again but he is not restricted to that directory

Hi Satid,

   Thank you for the reply.

• Yes, I did use the "Restricted Access Method" described in my GitHub repo.
• The steps given in the "Restricted Access Method" are actually from the IBMi's documentation Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories.
• I also checked the chroot_config.log and found no possible issues there. Attached the same for your reference.
• I am also confused because, all the steps given on the IBMi documentation have been completed successfully. But still the connection is getting closed in 4-5 seconds.
• By looking at the screenshot below, I could see that the SFTP actually got initiated and due to some configuration/network issue the connection is closed. Notice the message "ECDSA key fingerprint is SHA256:xxxxx" --> does that mean the SFTP got connected at first?
• 
• Please let me know your thoughts on this.

Regards,

Dear Ravisankar

I'm confused. Do you use "Restricted Access" method described in your provided Github link?   If so, how do you encounter the problem when you already have those steps described in your link (which imply they should work)?    My guess is that one of those commands in the long list of preparation steps may have an error that you may overlook.  Do you ensure each command you run does not have an error returned by IBM i? 

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Hi Kurt,

I did see it , I tried to copy it manually but still had the problem. The indication about libcrypto.so.3  form Roman Chloupek did the trick.

Thank you anyway for your having helped me, now I know something more on this subject also thanks to your suggestions

Hi @Pino Mariotti, 

I wonder if you saw my response on the other thread. According to your SSH client log, the issue is that the user profile is configured to use bash as its shell, but the IBM script does not copy the bash binary into the chroot environment. 

Best, 

Kurt

Hi, I am struggling with that too. Did you solved it ?

It seems the problem is with the the dot (/.) . Home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user login again but he is not restricted to that directory

Hi Satid,

   Thank you for the reply.

• Yes, I did use the "Restricted Access Method" described in my GitHub repo.
• The steps given in the "Restricted Access Method" are actually from the IBMi's documentation Using chroot on the IBM i to Restrict ssh, sftp, and scp to Specific Directories.
• I also checked the chroot_config.log and found no possible issues there. Attached the same for your reference.
• I am also confused because, all the steps given on the IBMi documentation have been completed successfully. But still the connection is getting closed in 4-5 seconds.
• By looking at the screenshot below, I could see that the SFTP actually got initiated and due to some configuration/network issue the connection is closed. Notice the message "ECDSA key fingerprint is SHA256:xxxxx" --> does that mean the SFTP got connected at first?
• 
• Please let me know your thoughts on this.

Regards,

Dear Ravisankar

I'm confused. Do you use "Restricted Access" method described in your provided Github link?   If so, how do you encounter the problem when you already have those steps described in your link (which imply they should work)?    My guess is that one of those commands in the long list of preparation steps may have an error that you may overlook.  Do you ensure each command you run does not have an error returned by IBM i? 

I was trying to setup an SFTP access for IBMi where my IBMi would be acting as the host and an SAP server would be acting as a client.

I did all these steps given in this link. Note: I wanted to give restricted access to the SFTP client so I had to use CHROOT to create a 'jailed root' for the user profile using which the SFTP will be initiated. 

Everything else works fine, but when I initiate the connection, the connection gets closed in 5-6 seconds. 

Please see the screenshot below.

Note: The full access method given in the above link works fine. But I'm trying to setup the 'jailed root' method using CHROOT. 

Could you please tell me what am I doing wrong?

Regards,

Ravi.

With the open PASE tools (yum), if ones want to avoid string script parsing as much as possible and need a robust solution with db usage, it is worth IMHO using a proper high level language given that SFTP and ODBC and error handling are usually decent (and useful in case of logging, auditing and faults). And invoke it from CL (using env vars or a db record).

Usually the solution is even more compact and simple than a pure shell script.

Anyway, given the pervasive and ubiquity requirements (like FTP in the past, and we got the command for it) in businesses, it would be nice if IBM considered to bring a standard CL/ILE solution for SFTP, usually basic operation like SENDFILE , RECEIVEFILE, LISTREMOTEDIR macro operations should be sufficient.

Even maybe an SQL interface to it (like it is fashion nowadays for many services) with robust exception returning...

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Amy-san,

The following page summarizes the notes I took when setting up SFTP on the IBM i.

Unfortunately, it is written in Japanese. Please have it machine-translated into English to read...

https://iworldweb.info/column/serials/dekiruibmi_no10

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Super article, very clear and very interesting... Thank you very much MIKIO SASAKI !

Amy-san,

The following page summarizes the notes I took when setting up SFTP on the IBM i.

Unfortunately, it is written in Japanese. Please have it machine-translated into English to read...

https://iworldweb.info/column/serials/dekiruibmi_no10

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.  

Where can I find steps or documentation for setup, with examples, if possible, to do unattended SFTP on the IBM i?  We have a need to do SFTP instead of FTPS.