Overriding StrictHostKeyChecking

A discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
rwshumate
Posts: 2
Joined: Wed Dec 20, 2017 3:17 pm

Overriding StrictHostKeyChecking

Post by rwshumate » Fri Jun 15, 2018 1:39 pm

Hello,
I have sftp_opts="$sftp_opts -oStrictHostKeyChecking=yes" coded in my sitewide SFTPIND file. I'm trying to override this in a batch job using SFTPPROC as follows:
//STEP1 EXEC SFTPPROC
//SFTPIN DD *
sftp_opts="$sftp_opts -oStrictHostKeyChecking=no"

In the job output I see this:

Executing: /usr/local/coz/bin/cozsftp -oBatchMode=no -oConnectTimeout=60 -oServerAliveInterval=60 -oNumberOfPasswordPro
mpts=1 -oStrictHostKeyChecking=yes -oStrictHostKeyChecking=no -b- 'xxxxxxxl@secureftp.xxxxxxxx.com'
Co:Z SFTP version: 5.1.1 (6.4p1) 2018-06-01
Copyright (C) Dovetailed Technologies, LLC. 2008-2018. All rights reserved.
Connecting to secureftp.xxxxxxxx.com...
FOTS1305 No DSA host key is known for secureftp.xxxxxxx.com and you have requested strict checking.

FOTS1370 Host key verification failed.

[98.211] Connection closed
CoZBatch: returning rc=exitcode=255

So it appears it's appending my value for StrictHostKeyChecking rather than replacing it, and still using StrictHostKeyChecking=yes.

What am I doing wrong?

dovetail
Site Admin
Posts: 1848
Joined: Thu Jul 29, 2004 12:12 pm

Re: Overriding StrictHostKeyChecking

Post by dovetail » Mon Jun 18, 2018 1:11 pm

The "-o" options are options for ssh (z/OS OpenSSH).

It's a little odd, but with OpenSSH, options that appear on the command line are sticky, so that the first occurrence is used (not the last, as one would expect).

The way to work around this is:

//SFTPIN DD *
sftp_opts="-oStrictHostKeyChecking=no $sftp_opts "
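
The first-occurrence rule from the reply above, as an added example that is not part of the original thread or Co:Z's own code: a shell helper (hypothetical name `effective_opt`) that reports which value of an `-o` option takes effect in an `sftp_opts` string, run over constructed options modelled on the job output in the question. It assumes the `Key=Value` form only and does not consult ssh_config files.

```shell
#!/bin/sh
# effective_opt KEY ARGS...
# Prints the value that wins for KEY among command-line -o options, applying
# the first-occurrence-wins rule described in the reply above.
# Accepts -oKey=Value and "-o Key=Value"; keys are compared case-insensitively.
effective_opt() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    while [ $# -gt 0 ]; do
        case $1 in
            -o)  shift; [ $# -gt 0 ] || break; kv=$1 ;;
            -o*) kv=${1#-o} ;;
            *)   shift; continue ;;      # not an -o option (e.g. -b-)
        esac
        shift
        case $kv in
            *=*) ;;
            *)   continue ;;             # assumption: only Key=Value is handled
        esac
        key=$(printf '%s' "${kv%%=*}" | tr '[:upper:]' '[:lower:]')
        if [ "$key" = "$want" ]; then
            printf '%s\n' "${kv#*=}"
            return 0
        fi
    done
    return 1                             # KEY not set on the command line
}

# Constructed sample: site-wide defaults similar to those in the job output.
site_opts="-oBatchMode=no -oConnectTimeout=60 -oStrictHostKeyChecking=yes"

# Job-level override appended after the site-wide options (the question).
appended_value() {
    sftp_opts=$site_opts
    sftp_opts="$sftp_opts -oStrictHostKeyChecking=no"
    effective_opt StrictHostKeyChecking $sftp_opts   # unquoted: split into args
}

# Job-level override placed before the site-wide options (the reply).
prepended_value() {
    sftp_opts=$site_opts
    sftp_opts="-oStrictHostKeyChecking=no $sftp_opts"
    effective_opt StrictHostKeyChecking $sftp_opts
}

echo "override appended:  StrictHostKeyChecking=$(appended_value)"
echo "override prepended: StrictHostKeyChecking=$(prepended_value)"
```

Running the helper against a job's final `sftp_opts` shows whether strict host key checking is still the effective setting before the job is submitted.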

rwshumate
Posts: 2
Joined: Wed Dec 20, 2017 3:17 pm

Re: Overriding StrictHostKeyChecking

Post by rwshumate » Mon Jun 18, 2018 2:40 pm

Ahhh. Thank you!
