
SFTP with password (no SSH key authentication) (EN)

Last Updated on 1 May 2020 by Roberto De Pedrini

Generally, when using SFTP it is good practice to set up SSH key authentication, but sometimes you need to send a user and password (encrypted), and that is not as easy as in an FTP script.

A “trusted” communication with SSH and SFTP can be configured on IBM i following the explanations that you find at the following links:

We may also be in a position where we cannot share public keys between client and server. In this case authentication is done by user and password, as with normal FTP. If the process is interactive there is no problem, but if the process is batch we have to do something different from FTP: the password, which must still be written in plaintext, cannot be put in the batch script along with the other commands as we do with FTP.

We can take different paths. Let’s see two below, where we try to download a PDF document from the Wing FTP Server public demonstration SFTP server, which responds at the address “demo.wftpserver.com” on port “2222” with user “demo-user” and password “demo-user”:

A – Use a “Password shell script”

In this case, as detailed in the IBM Support document “Batch SFTP Download Example Using Password Authentication”, the method uses a shell script file that contains the password and is passed to SFTP (SSH) through the SSH_ASKPASS environment variable. Attention: to test this method it is important to create the CL and run it in batch, because SSH_ASKPASS does not work from “terminal” mode.
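Method A on OpenSSH's sftp, as an added example (not the code from the IBM Support document or from the author): the working directory and the file names sftp.pwd, askpass.sh, get.batch and known_hosts are assumptions, and known_hosts is assumed to already contain the server's verified host key. The password lives in its own owner-only file instead of in the command script, and the transfer refuses to start if that file is readable by anyone else.

```shell
#!/bin/sh
# Added example: batch SFTP with the password supplied through SSH_ASKPASS.
# WORKDIR, sftp.pwd, askpass.sh, get.batch and known_hosts are assumed names.
WORKDIR="${WORKDIR:-$HOME/sftp_demo}"
HOST="demo.wftpserver.com"; PORT="2222"; USER_ID="demo-user"  # from the article

# Store the password in its own file and create the helper that prints it.
# umask 077 keeps both files private from the moment they are created.
make_askpass() {  # $1 = directory, $2 = password
    ( umask 077
      mkdir -p "$1" &&
      printf '%s\n' "$2" > "$1/sftp.pwd" &&
      printf '#!/bin/sh\ncat "%s"\n' "$1/sftp.pwd" > "$1/askpass.sh" &&
      chmod 600 "$1/sftp.pwd" && chmod 700 "$1/askpass.sh" )
}

# Succeeds only when group and others have no permission bits on the file.
check_perms() {  # $1 = file
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# The SFTP commands from the article's expect script, one per line.
write_batch() {  # $1 = batch file, $2 = local target directory
    printf 'lcd %s\ncd download\nget manual_en.pdf\nquit\n' "$2" > "$1"
}

run_transfer() {  # $1 = directory prepared by make_askpass
    check_perms "$1/sftp.pwd" || { echo "sftp.pwd is not private" >&2; return 2; }
    write_batch "$1/get.batch" "$1"
    # ssh calls the SSH_ASKPASS program only when DISPLAY is set and the job
    # has no terminal. -b switches BatchMode on, which suppresses password
    # authentication, so -oBatchMode=no is given first and takes precedence.
    # known_hosts must already hold the server's verified host key.
    DISPLAY="${DISPLAY:-dummy}" SSH_ASKPASS="$1/askpass.sh" \
    sftp -oBatchMode=no -oStrictHostKeyChecking=yes \
         -oUserKnownHostsFile="$1/known_hosts" \
         -P "$PORT" -b "$1/get.batch" "$USER_ID@$HOST"
}

# Connect only when called as "script run", e.g. from a submitted batch job.
if [ "${1:-}" = "run" ]; then run_transfer "$WORKDIR"; fi
```

Call make_askpass once to store the password, then submit the script with the run argument as a batch job.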

B – Use the “expect” tool in the PASE environment

Expect is a tool that allows you to automate interactive processes such as ftp, sftp, telnet… In our case, by installing expect and creating a small script to manage the sftp process, we can create a batch job that connects with SFTP, sends the password (which must be written in plaintext!) and executes SFTP commands as a normal FTP script file would:

  • Install “expect” in IBM i PASE as explained on this site by Scott Klement: http://www.scottklement.com/expect/
  • Prepare a script like the one shown below (example with demo.wftpserver.com)
  • Run the script from PASE with “/usr/local/bin/expect -f /home/FAQ400/sftp_demo_expect.scp”

 #
 # Script to run SFTP to demo.wftpserver.com passing user and password (in clear!)
 # and follow the steps for downloading a file.
 #
 # Run this script with:
 # /usr/local/bin/expect -f /home/DEPE/sftp_demo_expect.scp
 #
 set HOST "demo.wftpserver.com"
 set PORT "2222"
 set USER "demo-user"
 set PASSWORD "demo-user"
 # Seconds to wait for each prompt (expect's default is 10)
 set timeout 60
 # Start sftp; it asks for the password on the pseudo-terminal that expect provides
 spawn sftp -P $PORT $USER@$HOST
 expect "password:"
 send "$PASSWORD\r"
 # Wait for the sftp prompt before sending each command
 expect "sftp>"
 send "lcd /home/FAQ400\r"
 expect "sftp>"
 send "cd download\r"
 expect "sftp>"
 send "get manual_en.pdf\r"
 expect "sftp>"
 send "quit\r"
 # Let sftp close the session before the script ends
 expect eof
 exit 0

My thoughts

For SSH and SFTP it is always preferable to use SSH key authentication over user and password. Unfortunately it is not always possible to “exchange” keys between client and server; in this case the above method can help!

However, you may find yourself in a situation where the server does not agree to receive the client’s public key and instead requires user and password to be exchanged each time.

--- Roberto De Pedrini Faq400.com