Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 320665

Summary: SSH Keyboard interactive authentication doesn't work on zOS
Product: [Eclipse Project] Platform Reporter: Samuel Wu <samuelwu>
Component: TeamAssignee: Platform Team Inbox <platform-team-inbox>
Status: CLOSED INVALID QA Contact:
Severity: normal    
Priority: P3 CC: pwebster, Szymon.Brandys, tomasz.zarna, ymnk
Version: 4.0   
Target Milestone: ---   
Hardware: PC   
OS: Windows XP   
Whiteboard:

Description Samuel Wu CLA 2010-07-22 16:43:05 EDT 
Build Identifier: Eclipse 3.6.0 

I installed RSE so that I can have a GUI interface to create a connection to the zOS host.
1. Open the preferences page General -> Network Connection -> SSH2 and switch to the Authentication Methods tab
2. check only the keyboard-interactive and uncheck the rest
3. Open RSE perspective and click the button new connection
4. Create an SSH Only connection to a zOS host
5. Right click the newly created connection and run the action Connect
6. Put in the right user id and password when being prompted
The connection failed
Use the same user ID and password and you can connect to the same host with PUTTY.

Reproducible: Always
Comment 1 Tomasz Zarna CLA 2011-07-13 07:15:58 EDT 
Same story as on bug 319415, comment 2:

Could you try following the steps with JSch upgraded to 1.44. It's available on Orbit[1].

[1] http://wiki.eclipse.org/Orbit/FAQ#How_do_I_work_with_a_bundle_in_Orbit.3F
Comment 2 Paul Webster CLA 2011-07-13 07:29:47 EDT 
You can also install it into your running eclipse using Help>Install new software and a repo of http://download.eclipse.org/tools/orbit/downloads/drops/R20110523182458/repository/

PW
Comment 3 Atsuhiko Yamanaka CLA 2011-07-13 15:08:40 EDT 
Could you try 
  http://www.jcraft.com/jsch/examples/Logger.java
It will print logging messages to stdout.

  $ javac -classpath jsch-0.1.44.jar Logger.java
  $ java -classpath jsch-0.1.44.jar Logger

For example, jsch jar file is available at
  http://repo1.maven.org/maven2/com/jcraft/jsch/0.1.44-1/jsch-0.1.44-1.jar
Comment 4 Samuel Wu CLA 2011-07-14 18:35:42 EDT 
Installed Jscraft 1.44.
The original scenarion still failed. 
The following information were collected from running Logger. The successful authentication is password. 

WARN: Permanently added 'torolabb' (RSA) to the list of known hosts.
INFO: SSH_MSG_NEWKEYS sent
INFO: SSH_MSG_NEWKEYS received
INFO: SSH_MSG_SERVICE_REQUEST sent
INFO: SSH_MSG_SERVICE_ACCEPT received
INFO: Authentications that can continue: publickey,keyboard-interactive,password
INFO: Next authentication method: publickey
INFO: Authentications that can continue: password
INFO: Next authentication method: password
INFO: Authentication succeeded (password).
Comment 5 Szymon Brandys CLA 2011-07-21 03:35:37 EDT 
Atsuhiko, any suggestions? Could it be fixed in the next release?
Comment 6 Atsuhiko Yamanaka CLA 2011-07-21 12:42:27 EDT 
Sorry for my delay.
# I'm still in the trouble caused by the giant earthquake at 11th March.

> WARN: Permanently added 'torolabb' (RSA) to the list of known hosts.
> INFO: SSH_MSG_NEWKEYS sent
> INFO: SSH_MSG_NEWKEYS received
> INFO: SSH_MSG_SERVICE_REQUEST sent
> INFO: SSH_MSG_SERVICE_ACCEPT received
> INFO: Authentications that can continue:
> publickey,keyboard-interactive,password
> INFO: Next authentication method: publickey
> INFO: Authentications that can continue: password
> INFO: Next authentication method: password
> INFO: Authentication succeeded (password).

It seems to me that the remote sshd has not been configured
to use 'keyboard-interactive' method.

If you have OpenSSH's ssh client, 
could you run it in the debug mode for that sshd,
  % ssh -v -v -v foo@example.com
and post its output to this bugzilla entry?
Comment 7 Samuel Wu CLA 2011-07-21 15:10:17 EDT 
The following messages were from a host which support interactive, It still faled.

WARN: Permanently added 'host.pok.ibm.com' (RSA) to the list of known hosts.
INFO: SSH_MSG_NEWKEYS sent
INFO: SSH_MSG_NEWKEYS received
INFO: SSH_MSG_SERVICE_REQUEST sent
INFO: SSH_MSG_SERVICE_ACCEPT received
INFO: Authentications that can continue: publickey,keyboard-interactive,password
INFO: Next authentication method: publickey
INFO: Authentications that can continue: keyboard-interactive,password
INFO: Next authentication method: keyboard-interactive
INFO: Disconnecting from host.pok.ibm.com port 22
com.jcraft.jsch.JSchException: Auth fail
Comment 8 Atsuhiko Yamanaka CLA 2011-07-22 05:01:25 EDT 
(In reply to comment #7)
> The following messages were from a host which support interactive, It still
> faled.
> 
...
> INFO: Next authentication method: keyboard-interactive
> INFO: Disconnecting from host.pok.ibm.com port 22
> com.jcraft.jsch.JSchException: Auth fail

Thank you for your trial.
It seems the authentication process has been dropped by the remote.
Will somebody allow me to get accesses to sshd on zOS?
I guess the problem has occurred before the success of authentication,
so I don't need the login access, and I just need the accesses to its TCP port 22.
Comment 9 Samuel Wu CLA 2011-07-22 08:59:56 EDT 
The IP address of the host is 9.26.177.159. But I wonder whether it's behind a firewall.
Comment 10 Szymon Brandys CLA 2011-07-27 06:12:42 EDT 
(In reply to comment #9)
> The IP address of the host is 9.26.177.159. But I wonder whether it's behind a
> firewall.

Atsuhiko, does it work for you?
Comment 11 Szymon Brandys CLA 2011-07-27 09:35:01 EDT 
(In reply to comment #9)
> The IP address of the host is 9.26.177.159. But I wonder whether it's behind a
> firewall.

I tried Logger on your IP and it se(In reply to comment #9)
> The IP address of the host is 9.26.177.159. But I wonder whether it's behind a
> firewall.

I tried to connect to the host and this is what I get from Logger:

WARN: Permanently added '9.26.177.159' (RSA) to the list of known hosts.
INFO: SSH_MSG_NEWKEYS sent
INFO: SSH_MSG_NEWKEYS received
INFO: SSH_MSG_SERVICE_REQUEST sent
INFO: SSH_MSG_SERVICE_ACCEPT received
INFO: Authentications that can continue: publickey,keyboard-interactive,password
INFO: Next authentication method: publickey
INFO: Authentications that can continue: password
INFO: Next authentication method: password
INFO: Disconnecting from 9.26.177.159 port 22
com.jcraft.jsch.JSchException: Auth cancel

Could you enable keyboard-interactive there?
Comment 12 Samuel Wu CLA 2011-07-27 09:58:15 EDT 
Can you please try another host 9.56.224.21?
Comment 13 Samuel Wu CLA 2011-07-27 10:09:02 EDT 
Sorry, host 9.56.224.21 is not a zOS
Comment 14 Atsuhiko Yamanaka CLA 2011-07-27 12:05:34 EDT 
(In reply to comment #10)
> (In reply to comment #9)
> > The IP address of the host is 9.26.177.159. But I wonder whether it's behind a
> > firewall.
> 
> Atsuhiko, does it work for you?

Unfortunately, I can not get TCP connections to 9.26.177.159 and 9.56.224.21.

Is it possible to allow me to get TCP accesses to sshd on zOS through ssh port-fowarding?  I mean that I'll provide login-access to our host(for example,
guest@our_ip_address), and if you will run on your LAN,

  % ssh -R 3333:9.56.224.21:22 guest@our_ip_address

we can get TCP accesses to 9.56.224.21:22 with a followng command on
'our_ip_address' host,

  % ssh -p 3333 foo@127.0.0.1

If possible, I will write 'our_ip_address' to you privately.
Comment 15 Samuel Wu CLA 2011-07-27 13:08:33 EDT 
According to the system administrator, interactive authentication is not supported on zOS. The following is from man sshd_config.
| KbdInteractiveAuthentication Not supported on z/OS UNIX. Specifies whether
|           to use keyboard-interactive authentication. The argument to this
|           keyword must be "yes" or "no".

I'm closing this bug as invalid.
Comment 16 Szymon Brandys CLA 2011-07-28 03:49:51 EDT 
(In reply to comment #15)
> According to the system administrator, interactive authentication is not
> supported on zOS. The following is from man sshd_config.
> | KbdInteractiveAuthentication Not supported on z/OS UNIX. Specifies whether
> |           to use keyboard-interactive authentication. The argument to this
> |           keyword must be "yes" or "no".
> 
> I'm closing this bug as invalid.

Thanks Samuel for looking into it.