why does ssh keep asking for password?

Question

QuietMacFan OP

Created Sep ’16

Replies 3

Boosts 0

Views 1.9k

Participants 1

Hi,

After upgrade ssh keeps asking for password.

I WOULD LIKE TIPS - ABOUT .PLIST, LAUNCHD, INSTALLING SSH FROM SOURCE

(i think ssh is not repairable by configuration at this point)

Just (a week) ago I'd used an ssh tutorial for setting up ssh to use id_dsa keys to avoid having to type in password (which obviously kills ssh as an alternative to remote procedure calls in obj c for automated computing between hosts). I was quiet bland and didn't configure anything not advised in tutorial.

On remote side I used X-LFS-2010 on old pc and Debain Squeeze on old laptop. THEY still are working. Only going in or out of iMac is the issue. I did re-create ~/.ssh no help

I checked system.log, no help. i newly found this - though it doesn't tell me what exactly i can fix.

./install.log: "/System/Library/LaunchDaemons/ssh.plist",

./install.log:Sep 20 15:49:30 iMac OSInstaller[492]: /System/Library/PrivateFrameworks/SystemMigration.framework/Resources/MigrationData/Scripts/reloadLaunchdConfigs: /System/Library/LaunchDaemons/ssh.plist: Could not find specified service

./install.log:Sep 20 15:49:30 iMac OSInstaller[492]: /System/Library/PrivateFrameworks/SystemMigration.framework/Resources/MigrationData/Scripts/reloadLaunchdConfigs: /System/Library/LaunchDaemons/ssh.plist: Service is disabled

however my system settings dont agree, i was and still is enabled (i tried disabling / re-enabling, had no effect)

MY PLAN, since OS X has no component re-install for apps in "bsd world", is find download for ssh, compile, install. (i'll see what is installed and what ssh files on system are not part of it when i do that)

I'm new to iMac dev, coming from DOS-3.1-win2000 / linux 0.92-sqeeze (familiar with those) so dont expect i know anything much about BSD or iMAC.

Also i'm a fan of rsh (why? simplicity and speed, though not secure for inet except within a vpn). as for ssh: each option in an app becomes factorial as to bugs and when there is 100! (100 factorial is too many for humans) options that can be a bug or misunderstood combination to those configuring, likey few if any ever have managed to set configuration so it is actually does what they think it does. Complexity is never a virtue (part the tau of programming, and Donald Knuth advice. its good to have an option for every decision in code so that code is not inflexible. however security is to big to be an option... if it were not built in one could choose which and have fall-backs incase of failure, other brand, etc). how many security issues and bug fixes does ssh have compared to rsh? keep an eye on.

I will say it should be a feature of iMac to fetch, build, install as a menu item choice on app store (for some items). there are many reason building from source - app store was a perfect idea - they shouldn't have short-changed install from source, but made it an option in the list

thank you !

Boost

Answer 1

QuietMacFan OP

Sep ’16

i have a 2nd symptom - which is even WORSE than "keeps asking for password"

# ssh -o PubkeyAuthentication=yes -o PasswordAuthentication=no user@linux_host

Permission denied (publickey,password,keyboard-interactive).

# user@linux_host> scp file user@imac_host

> enter password:

Permission denied, please try again.

> enter password:

Permission denied, please try again.

> enter password:

Permission denied (publickey,password,keyboard-interactive)

lost connection

## now the STRANGE thing is "system preferences" says my service IS enabled and i can ssh from linux to

(the linux host ssh runs find between linux boxes and had worked find with iMac, until Sierra update)

i did see that there was a name change (note this might be correct not wrong)

elevated_user@imac > ln -s com.openssh.ssh-agent.plist org.openbsd.ssh-agent.plist

permission denied

# SIP wont let me softlink here - unsure it would help anyhow

Sierra deleted rsh on my machine and i'd like to know if this was global or just on my machine (i openly complained - and there is a possiblity i was targeted by disgruntled employees. and this huge waste of time is why: is why i'd complain of cripple ware and wanting to avoid it).

i'm thinking either Sierra deleted a file, renamed it, or installed a file as a SIP file that is supposed to be readable by normal and elevated users but is not

(meaning - i doubt it's a binary problem, but could be)

note as i said above: my configs are clean and original, i followed basic ssh setup %100 3x (which worked on linux and imac, only Sierra does not work). i doubt it is the ssh binary - i think it is part of the apple core. and the installation failure above

###############################

WRONG

it is the binary - checking what i was saying i found what i thought to (check last) at fault

# ls -la ssh

-rwxr-xr-x@ 1 ???? wheel 1710464 Mar 12 2016 ssh

1 ????@????.local:/Volumes/wd_hfs_p/Backups.backupdb/???? iMac/2016-08-15-050206/Macintosh HD/usr/bin

# ls -la /usr/bin/ssh

-rwxr-xr-x 1 root wheel 2105648 Sep 13 20:57 /usr/bin/ssh

####################

ANSWER: using the old ssh binary off the disconnected backup, things work outbound (does not ask for password). i assume because it's a two way problem the sshd binary shippen was also bogus / corrupt / broken / buggy

(based on the bugfixes and lapses - i am %100 it's not right. but i'll it becasue everyone is using it - but dont ask me to trust it or spend days hacking scripts - no)

i hope the answer helps anyone ! 🙂

use rsh if you want stability and speed - but not exposed to inet of course 🙂 (i still have yet to do that - must compile and make plist, a todo). yet i could have put all this off months or more had rsh not been "magically deleted from Sierra"

thanks all - have a good day

0

Answer 2

QuietMacFan OP

Sep ’16

ssh fix if upgrade to Sierra made ssh keep asking for passwords. running old bin put in /usr/local/bin/ will partiall work but not wholey.

SSH keeps asking for passwords (though had been working after tutorial setup), also all passwords from remote to imac fail, after update from ElCapitan to Sierra.

note: while some changes below might indicate the new binary may work (such as filename difference) - apparently it does not even so

Disable SIP

for each of these, rename them "file.Sierra", and "cp -a" the file from ElCapitan backup (you must have) to where they were. keep in mind this is what i needed for my iMac - yours may differ.

usr//bin/ssh

usr//bin/ssh-add

usr//bin/ssh-agent

usr//bin/ssh-keygen

usr//bin/ssh-keyscan

usr//libexec/ssh-keysign

usr//libexec/ssh-pkcs11-helper

usr//libexec/sshd-keygen-wrapper

sbin//sshd

System//Library/Sandbox/Profiles/org.openssh.sshd.sb

no need to use launchctl to start stop, since 2 reboots are required for SIP

hopefully with that, when it is "fixed by update" the above will pose no problem (i keep the old files ready to copy back jic, during changeover, till it "just works" or something appears prevalent to restore expected operation or to say not to restore it with reason)

errata:

new file (renamed ssh-copy-id.Sierra, there is no ElCapitan bin for it)

/usr/bin/ssh-copy-id

this was a filename change only (can copy rather than rename)

/System/Library/Sandbox/Profiles/com.openssh.sshd.sb

/System/Library/Sandbox/Profiles/org.openssh.sshd.sb

0

Answer 3

QuietMacFan OP

Oct ’17

I finally figured out why by mistake. I'm an rsh(1) fan (fast logins suitable for computing across LAN).

In linux default (was) "ssh-keygen -t dsa", which speeds up logins quite a bit: and that works fine on linux (does not ask for password). There are howto's out there that use this as the "default".

For apple rsa is apparently required "ssh-keygen" (-t rsa). I checked config files there are too many options and none seem to point this out as a feature/option to change.

ANSWER: ssh will keep asking for password unless the default "-t dsa" is used on ALL machines.

0