sftp when using HTTP proxy server

A discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
Post Reply
nolting
Posts: 7
Joined: Thu May 10, 2018 3:07 pm

sftp when using HTTP proxy server

Post by nolting » Thu May 10, 2018 3:16 pm

Our network people are implementing new HTTP proxy servers which are negating our previous z/OS communication to IBM. I have been able to access TESTCASE.BOULDER.IBM.COM for upload from WinSCP specifying only the new HTTP proxy.

I am now trying z/OS OpenSSH sftp command trying to use the following command getting ProxyCommand command not found error.

SYSE21:/u/tec1002/.ssh# sftp -o ProxyCommand='/usr/bin/nc -v -x www-proxy-hqdc.us.oracle.com:80' anonymous@testcase.boulder.us.ibm
Connecting to testcase.boulder.us.ibm...
/usr/bin/nc: Command not found.
FOTS1338 ssh_exchange_identification: Connection closed by remote host
FOTS0841 Connection closed
SYSE21:/u/tec1002/.ssh#

Would anyone have any suggestions on the above sftp error?

If not, would Co:Z sftp allow me to run from USS or batch and connect to IBM specifying z/OS datasets and/or USS files?

Thanks in advance,
Jon

dovetail
Site Admin
Posts: 1856
Joined: Thu Jul 29, 2004 12:12 pm

Re: sftp when using HTTP proxy server

Post by dovetail » Mon May 14, 2018 7:17 am

IBM does not provide a "nc" (netcat) command with z/OS.

We have a proxy command that is designed to use with OpenSSH on z/OS for this purpose.
You can download it free from here: https://dovetail.com/community/sshproxyc.html

nolting
Posts: 7
Joined: Thu May 10, 2018 3:07 pm

Re: sftp when using HTTP proxy server

Post by nolting » Mon May 14, 2018 12:22 pm

Thanks for the response.

If I understand correctly, the "nc" command not found is coming from z/OS USS and not the HTTP proxy? That would make sense. I will look at your download immediately.

Again, thanks so much!

nolting
Posts: 7
Joined: Thu May 10, 2018 3:07 pm

Re: sftp when using HTTP proxy server

Post by nolting » Mon May 14, 2018 1:29 pm

Apologize for my ignorance and confusion.

I have tried to download ssh-proxyc both inside and outside Oracle's VPN network. When I click the download button, I get a tab with what appears to be the actual PAX'd binary. I normally would be asked to download and where to put the file.

When I try and download the Installation Guide and Release Notes, this time it places coz-5.0.0 into the Windows download directory.

What am I doing wrong in trying to downlog ssh-proxyc?

dovetail
Site Admin
Posts: 1856
Joined: Thu Jul 29, 2004 12:12 pm

Re: sftp when using HTTP proxy server

Post by dovetail » Mon May 14, 2018 4:02 pm

Apparently your browser is configured to view the .pax file rather than select a download location.
Try "Save as" on the last download button for the .pax file

nolting
Posts: 7
Joined: Thu May 10, 2018 3:07 pm

Re: sftp when using HTTP proxy server

Post by nolting » Tue May 15, 2018 7:16 pm

Thanks again for your help! I was able to SAVE AS the download file as ssh-proxyc.pax, upload it in binary and extract it into a z/OS 2.2 USS filesystem.

I ran the using your code and get the following:

SYSE22:/u/tec1002/bin# sftp -o ProxyCommand='/u/tec1002/bin/ssh-proxyc -v -p www-proxy-hqdc.us.oracle.com:80' anonymous@testcase.boulder.us.ibm
Co:Z ssh-proxyc version: 1.0.1 2017-01-05
Copyright (C) Dovetailed Technologies, LLC. 2016-2017. All rights reserved.
usage: ssh-proxyc [-46Ehv] -p proxy_address[:port] destination [port]
FOTS1338 ssh_exchange_identification: Connection closed by remote host
FOTS0841 Connection closed
SYSE22:/u/tec1002/bin#

I am missing some Oracle history and not sure what version of OpenSSH sftp is currently available. I also see there is a requirement which I still need to research. Based on your experience with the error above, any ideas as I dig deeper?

•z/OS V2R2 OpenSSH with PTF UA79909 (or later releases)

nolting
Posts: 7
Joined: Thu May 10, 2018 3:07 pm

Re: sftp when using HTTP proxy server

Post by nolting » Tue May 15, 2018 8:00 pm

Dug deeper and now see the requirement for UA79909 which is an add-on to HOS2220 and allows the FDpass option.

We're having IBMLINK problems but am trying to get that PTF and will try again. Slow but sure but I think I am getting closer.

dovetail
Site Admin
Posts: 1856
Joined: Thu Jul 29, 2004 12:12 pm

Re: sftp when using HTTP proxy server

Post by dovetail » Wed May 16, 2018 6:55 am

Also, the error that you are getting:

usage: ssh-proxyc [-46Ehv] -p proxy_address[:port] destination [port]

means that your ssh-proxy command is not correct.
See the README for correct usage.

nolting
Posts: 7
Joined: Thu May 10, 2018 3:07 pm

Re: sftp when using HTTP proxy server

Post by nolting » Wed May 16, 2018 2:33 pm

Yes. Found that when running the following:

SYSE22:/u/tec1002# sftp -o ProxyUseFDpass -o ProxyCommand='/u/tec1002/bin/ssh-proxyc -E -v -p www-proxy-hqdc.us.oracle.com:80' -v anonymous@testcase.boulder.us.ibm
FOTS1388 command-line: line 0: Bad configuration option: ProxyUseFDpass
FOTS0841 Connection closed

Now I'm working on getting the required PTF for FDpass.


Also, can you confirm that sftp once all the pieces are in place will only support USS filesystem files and NOT TSO files?

nolting
Posts: 7
Joined: Thu May 10, 2018 3:07 pm

Re: sftp when using HTTP proxy server

Post by nolting » Wed May 23, 2018 7:45 pm

Could I ask some help again? I have the OpenSSH sftp command along with ssh_proxyc from Dovetailed Tech. I now have the OpenSSH required PTF installed and am now getting the following error when trying to connect to TESTCASE.BOULDER.IBM.COM.

I am not sure I have all the parameters set correctly. Any suggestions on what might be wrong? I also have the WinSCP sftp log of a connection which worked to the same IBM site with the same HTTP proxy. Appreciate any guidance that can be provided.

SYSE22:/u/tec1002# sftp -24 -vv -o ProxyUseFDpass=yes -o ProxyCommand='/u/tec1002/bin/ssh-proxyc -E -v -p www-proxy-hqdc.us.oracle.com:80' anonymous@testcase.boulder.us.ibm 80
OpenSSH_6.4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: mac_setup: found hmac-sha1-etm@openssh.com
debug2: mac_setup: found hmac-sha2-256-etm@openssh.com
debug2: mac_setup: found hmac-sha2-512-etm@openssh.com
debug2: mac_setup: found hmac-sha1-96-etm@openssh.com
debug2: mac_setup: found hmac-sha1
debug2: mac_setup: found hmac-sha2-256
debug2: mac_setup: found hmac-sha2-512
debug2: mac_setup: found hmac-sha1-96
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug2: mac_setup: found hmac-md5-96-etm@openssh.com
debug2: mac_setup: found hmac-md5
debug2: mac_setup: found hmac-md5-96
debug2: mac_setup: found umac-64-etm@openssh.com
debug2: mac_setup: found umac-128-etm@openssh.com
debug2: mac_setup: found hmac-ripemd160-etm@openssh.com
debug2: mac_setup: found umac-64@openssh.com
debug2: mac_setup: found umac-128@openssh.com
debug2: mac_setup: found hmac-ripemd160
debug2: mac_setup: found hmac-ripemd160@openssh.com
debug1: Reading configuration data /etc/ssh/zos_ssh_config
debug1: zsshSmfSetConnSmfStatus: SMF status is 0
debug2: ssh_connect: needpriv 0
debug1: Executing proxy dialer command: exec /u/tec1002/bin/ssh-proxyc -E -v -p www-proxy-hqdc.us.oracle.com:80
debug1: permanently_drop_suid: 0
Co:Z ssh-proxyc version: 1.0.1 2017-01-05
Copyright (C) Dovetailed Technologies, LLC. 2016-2017. All rights reserved.
usage: ssh-proxyc [-46Ehv] -p proxy_address[:port] destination [port]
FOTS2080 mm_receive_fd: recvmsg: expected received 1 got 0
FOTS3339 proxy dialer did not pass back a connection
debug1: zsshSmfSetConnSmfStatus: SMF status is 0
FOTS0841 Connection closed
SYSE22:/u/tec1002#

dovetail
Site Admin
Posts: 1856
Joined: Thu Jul 29, 2004 12:12 pm

Re: sftp when using HTTP proxy server

Post by dovetail » Thu May 24, 2018 6:58 am

Your ssh-proxyc command is not valid.
Take a look at the README for valid syntax:
https://dovetail.com/docs/sshproxyc/readme.html

I am guessing that you need something like:

sftp -vv -oProxyUseFDpass=yes -oProxyCommand='/u/tec1002/bin/ssh-proxyc -v -p www-proxy-hqdc.us.oracle.com:80 %h %p' anonymous@testcase.boulder.ibm.com

njd
Posts: 33
Joined: Fri Apr 24, 2015 5:57 am

Re: sftp when using HTTP proxy server

Post by njd » Wed Oct 31, 2018 6:24 am

Hi,

Do you have an example of using COZSFTP to run the following with ssh-proxyc?

sftp -vv -oProxyUseFDpass=yes -oProxyCommand='/u/tec1002/bin/ssh-proxyc -v -p www-proxy-hqdc.us.oracle.com:80 %h %p' anonymous@testcase.boulder.ibm.com

Many thanks

dovetail
Site Admin
Posts: 1856
Joined: Thu Jul 29, 2004 12:12 pm

Re: sftp when using HTTP proxy server

Post by dovetail » Mon Nov 05, 2018 4:55 pm

ssh-proxyc supports SOCKS5 proxy servers, not HTTP proxy servers.
Sorry for the confusion.

For more information, see: https://dovetail.com/community/sshproxyc.html

Post Reply