sFTP forcing to go interactive when non-interactive mode is desired.
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Hi,
I've been using an automated script with our trading partner for at least 5 years without any issues. The TP recently updated their site (changed their protocol from DNS to HTTPS) and now I cannot run my scripts without getting sFTP "usage" error.
The command I'm using is
sftp id@hostinformation.com <<eoftp >${LOGDIR}/${SFTPMSG} 2>${LOGDIR}/${SFTPERR}
cd ${SFTPDIR}
get ${FILE}
bye
eoftp
I can manually access without any issues but the script wouldn't run.
All the logs I have are coming empty except the one that contains the usage error.
Any help would be greatly appreciated.
Thank you.
It isn't clear why you're talking about DNS vs HTTPS - they are 2 completely different things and the latter wouldn't be used for lookups where the former would for sftp.
Your script suggests you were using default port 22 and had an ssh trust established with the TP.
When it works manually now are you having to input a password?
Did the TP whitelist your outbound IP on their new server?
Did the TP import your ssh key into the user, id, on their new server?
When I checked the only port I see open on hostinformation.com is 80 which is http NOT https. Port 22 (ssh/sftp) will not allow connection nor will port 443 (https). However, it may be I can't connect due to lack of whitelist at the TP for the address I came from. They don't need to whitelist my IP but they do need to whitelist yours.
If in fact they have moved from sftp (not DNS) to https you'd have to modify your script to do something like wget or curl. However, it would be extremely unusual for them to try to force B2B file transfers over https instead of something like ftp, ftps or sftp.
Sorry, I just had to put something in there as far as the host address goes.
Since I'm connecting to one of the major banks, I couldn't really show you the hostname, etc.
The port we are using is 22 for sure (I've confirmed this.)
So, here is a back story.
The bank and we had .ssh non-interactive connection previously. I was able to run my script and retrieve files as well as send them files.
However, they are planning on updating to this new site where I can only interactively connect and carry out the commands while non-interactive scripts are failing.
When I asked the bank about the changes and directory permission levels, the only answer I heard from them is "those two sites sit in the same Linux server and all set up has been migrated over. so, we don't need to exchange any ssh except, I had to accept a new host key for the site."
It's really confusing that I can type in commands and fetch the files without any issues but the script with the exact same commands will fail...
Do you think I will have to use "curl" or some other commands with the existing script commands?
Quote:
Originally Posted by MensaWater
It isn't clear why you're talking about DNS vs HTTPS - they are 2 completely different things and the latter wouldn't be used for lookups where the former would for sftp.
Your script suggests you were using default port 22 and had an ssh trust established with the TP.
When it works manually now are you having to input a password?
Did the TP whitelist your outbound IP on their new server?
Did the TP import your ssh key into the user, id, on their new server?
When I checked the only port I see open on hostinformation.com is 80 which is http NOT https. Port 22 (ssh/sftp) will not allow connection nor will port 443 (https). However, it may be I can't connect due to lack of whitelist at the TP for the address I came from. They don't need to whitelist my IP but they do need to whitelist yours.
If in fact they have moved from sftp (not DNS) to https you'd have to modify your script to do something like wget or curl. However, it would be extremely unusual for them to try to force B2B file transfers over https instead of something like ftp, ftps or sftp.
I can only interactively connect and carry out the commands
When you connect "interactively" is it giving you a password prompt?
Are you able to login because you know the password when doing it "interactively"?
If not prompting for password are you seeing any other prompts (e.g. is it asking you to accept new key/fingerprint from the remote)? if so what are the prompts and what are your responses?
When you do it "interactively" are you doing it from the same source USER and SERVER that your script runs as?
The way ssh/sftp work is based on the keys and fingerprints of same for the users involved. To enable a "trusted" connection (i.e. one that works without a password) you have to send the partner a public key (e.g. rsa or dsa) from the user on your side. The user on your side would also have the private key but you don't send that to the partner.
The partner stores the public key in the setup of whatever user on their side you're attempting. When the user on your side attempts the connection it identifies itself to the partner and on verifying it is the user they imported the key for they allow the connection.
It is important that you provide enough detail for people to help you with this.
We've had many partners (including banks) make changes and they almost always provide a document regarding what is changing.
If they've changed the user on their side they'd need to import your key into that new user's setup.
If they've changed the physical server you're attaching to, even if it has the same internet address and user they would need to import the key on the new server into the user.
If they've changed the protocol (e.g. from sftp to ftps) you'd have to work with the new protocol. Although sftp and ftps sound similar, they're completely different. ftps uses SSL certificates rather than keys. Some partners offer both and you should insist on sftp if they do. You can do ftps but would have to research how to do it.
No prompts whatsoever...
I think I solved this problem.
With the new site, I had to add a space between sftp command and cd command.
like:
sftp id@hostinformation.com <<eoftp >${LOGDIR}/${SFTPMSG} 2>${LOGDIR}/${SFTPERR}

cd ${SFTPDIR}
get ${FILE}
bye
eoftp
It seems like having that blank space basically worked as an "enter key" to clear it out to the next command line.
Not sure how and why... never had to do this before... but it still works.
Quote:
Originally Posted by MensaWater
When you connect "interactively" is it giving you a password prompt?
Are you able to login because you know the password when doing it "interactively"?
If not prompting for password are you seeing any other prompts (e.g. is it asking you to accept new key/fingerprint from the remote)? if so what are the prompts and what are your responses?
When you do it "interactively" are you doing it from the same source USER and SERVER that your script runs as?
The way ssh/sftp work is based on the keys and fingerprints of same for the users involved. To enable a "trusted" connection (i.e. one that works without a password) you have to send the partner a public key (e.g. rsa or dsa) from the user on your side. The user on your side would also have the private key but you don't send that to the partner.
The partner stores the public key in the setup of whatever user on their side you're attempting. When the user on your side attempts the connection it identifies itself to the partner and on verifying it is the user they imported the key for they allow the connection.
It is important that you provide enough detail for people to help you with this.
We've had many partners (including banks) make changes and they almost always provide a document regarding what is changing.
If they've changed the user on their side they'd need to import your key into that new user's setup.
If they've changed the physical server you're attaching to, even if it has the same internet address and user they would need to import the key on the new server into the user.
If they've changed the protocol (e.g. from sftp to ftps) you'd have to work with the new protocol. Although sftp and ftps sound similar, they're completely different. ftps uses SSL certificates rather than keys. Some partners offer both and you should insist on sftp if they do. You can do ftps but would have to research how to do it.
What about using the batch mode with keys, as mentioned in #3 above?
From "man sftp"
Quote:
-b batchfile
Batch mode reads a series of commands from an input batchfile instead of stdin. Since it lacks user interaction it should be used in conjunction with non-interactive authentication. A batchfile of ‘-’ may be used to indicate standard input. sftp will abort if any of the following commands fail: get, put, reget, reput, rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown, chgrp, lpwd, df, symlink, and lmkdir. Termination on error can be suppressed on a command by command basis by prefixing the command with a ‘-’ character (for example, -rm /tmp/blah*).
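The following is an added example, not code posted in the thread, showing the batch-mode approach suggested above combined with the key-based trust MensaWater described: the commands go into a file passed with -b rather than a heredoc on stdin, authentication is forced to be non-interactive, and a changed host key is a hard failure rather than a prompt. The key path ~/.ssh/tp_key, the pinned known_hosts file ~/.ssh/known_hosts_tp and the log file names are assumptions; id@hostinformation.com is the placeholder host from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive sftp download using
# batch mode (-b) and key-based auth instead of a heredoc on stdin.
# Assumed placeholders: ~/.ssh/tp_key (hypothetical identity file),
# ~/.ssh/known_hosts_tp (hypothetical pinned host-key file).

# Write the batch file. Every line is an sftp command; no blank or stray
# first line, because sftp -b runs the file top to bottom and a failing
# cd/get aborts the session (the man page lists the fatal commands).
# Prefixing a single command with '-' makes that command non-fatal.
write_batch() {
    # $1 = output path, $2 = remote dir, $3 = file to fetch
    printf 'cd %s\nget %s\nbye\n' "$2" "$3" > "$1"
}

# Count the non-empty lines in a batch file; a sanity check before handing
# it to sftp (a stray header line shows up as an extra command).
batch_line_count() {
    grep -c . "$1"
}

# Run sftp non-interactively. BatchMode=yes makes ssh fail instead of
# prompting for a password or passphrase; StrictHostKeyChecking=yes turns a
# changed or unknown host key into a hard error instead of a prompt. When a
# partner migrates servers, verify the new fingerprint out of band, add it to
# the pinned known_hosts file, and only then let the script run again.
fetch_file() {
    # $1 = user@host, $2 = remote dir, $3 = file, $4 = log dir
    batch="$4/sftp.batch"
    write_batch "$batch" "$2" "$3"
    sftp -b "$batch" \
         -i "$HOME/.ssh/tp_key" \
         -o IdentitiesOnly=yes \
         -o BatchMode=yes \
         -o StrictHostKeyChecking=yes \
         -o UserKnownHostsFile="$HOME/.ssh/known_hosts_tp" \
         "$1" >"$4/sftp.log" 2>"$4/sftp.err"
    rc=$?
    # sftp exits non-zero when a fatal batch command fails; surface it so
    # cron or the calling job sees the failure instead of an empty log.
    if [ "$rc" -ne 0 ]; then
        echo "sftp failed (exit $rc); see $4/sftp.err" >&2
    fi
    return "$rc"
}

# Usage (commented out so the file can be sourced without a network):
# fetch_file id@hostinformation.com "$SFTPDIR" "$FILE" "$LOGDIR"
```

Because the batch file is generated fresh on every run, an accidental leading line (the cause of the OP's "usage" error) cannot creep in, and the exit status of sftp tells the caller whether the get actually happened rather than leaving it to inspect an empty log.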
Batch mode worked.
I had an unnecessary line at the very top of my batch file, and that's how I figured out the need for the space between the sftp command and the cd command.
Thanks again for your help!
Quote:
Originally Posted by Turbocapitalist
What about using the batch mode with keys, as mentioned in #3 above?