Discussion:
quite OT
(too old to reply)
James
2018-09-01 06:24:34 UTC
Permalink
but directly related to a port <smile>

Where can I ask questions on mac stuff?

I elaborate:

I want password-less ssh login
i usually copy the public key by hand, but I also used ssh-copy-id

from 1_mac to another
from 1_mac to itself
from 1_mac to a plethora of linux machines and virtual machines

1_mac cannot login passwd-less to another. Passwd is requested then all is well
1_mac CAN login to itself passwdless
1_mac CAN login to the linux boxes passwdless

The logs show nothing of interest (-vvv, not tried to get server logs yet)
Google is full of stuff, eg since High Sierra Apple silently enforces a 2048 bit key, but nothing that actually solves the problem

Surely someone somewhere has solved the issue

And I don’t which way to turn, clearly some apple magic is happening

James
Dave Horsfall
2018-09-01 07:45:13 UTC
Permalink
Post by James
but directly related to a port <smile>
Where can I ask questions on mac stuff?
Which is pretty much what I do i.e. tie it to MacPorts somehow :-)
Post by James
I want password-less ssh login
i usually copy the public key by hand, but I also used ssh-copy-id
I've done that, but I think it involved temporarily enabling TELNET etc,
then ye olde copy/paste of the public key.

-- Dave
Jan Stary
2018-09-03 10:39:54 UTC
Permalink
Post by James
but directly related to a port <smile>
What port?
Post by James
I want password-less ssh login
Create a password-less key and copy it into
~/.ssh/authorized_keys on the remote site.

Make sure that ~/.ssh is chmod 700 and authorized_keys is chmod 600
if you are creating them from scratch. (The OS possibly did that for you
upon user creation.)
Post by James
i usually copy the public key by hand, but I also used ssh-copy-id
from 1_mac to another
from 1_mac to itself
from 1_mac to a plethora of linux machines and virtual machines
1_mac cannot login passwd-less to another.
To another what?

What happens if you copy the key by hand, not relying on ssh-copy-id?
Have you checked that the key is actually installed there?
Post by James
Passwd is requested then all is well.
What password, if it's a password-less key?
Post by James
1_mac CAN login to itself passwdless
1_mac CAN login to the linux boxes passwdless
The logs show nothing of interest (-vvv, not tried to get server logs yet)
You have succesfully logged in. The logs will say so.
What else do you expect to see there?
Post by James
Google is full of stuff, eg since High Sierra Apple silently enforces a 2048 bit key, but nothing that actually solves the problem
What problem?
Post by James
Post by James
I want password-less ssh login
i usually copy the public key by hand, but I also used ssh-copy-id
I've done that, but I think it involved temporarily enabling TELNET etc,
then ye olde copy/paste of the public key.
Why would you use TELNET to transfer your ssh key?
To completely defeat the purpose?

Jan
James
2018-09-03 13:50:35 UTC
Permalink
Top Posting as all the noise below may be of interest, but it may not be.

Actually re-reading my post shows my irritation with Jan’s post. I guess that I’m here because of a significant and so far insoluable problem and I welcome any ideas or caveats, I think his tone trivializes my angst, appologies!

Jan I must assume that you have never done a password-less login to a high sierra machine and the tone of your questions betrays that.
I have mumble (aah hell 40 years experience using unix and I have and do do many many password-less logins eg gathering data frrom an embedded logger) so the stock right-way is cute, but moot
Post by Jan Stary
Post by James
but directly related to a port <smile>
What port?
actually openssh which works everywhere ( where works == password-less login NB nothing to do with pass-phrase) does not work on high sierra
Post by Jan Stary
Post by James
I want password-less ssh login
Create a password-less key and copy it into
~/.ssh/authorized_keys on the remote site.
Make sure that ~/.ssh is chmod 700 and authorized_keys is chmod 600
if you are creating them from scratch. (The OS possibly did that for you
upon user creation.)
Post by James
i usually copy the public key by hand, but I also used ssh-copy-id
from 1_mac to another
from 1_mac to itself
from 1_mac to a plethora of linux machines and virtual machines
1_mac cannot login passwd-less to another.
To another what?
The original post made clear I called the first mac "mac-1" and the second mac “another"
Post by Jan Stary
What happens if you copy the key by hand, not relying on ssh-copy-id?
Have you checked that the key is actually installed there?
By hand and with ssh-copy-id achieves identical results. I’ve also generated id_rsa and id_rsa.pub on linux machines (In case apple does something bizare)
Post by Jan Stary
Post by James
Passwd is requested then all is well.
What password, if it's a password-less key?
if public key auth fails then you fall back to password auth
Post by Jan Stary
Post by James
1_mac CAN login to itself passwdless
And with openssh that happens too. I’ve not tried user a login to user b, I shall try in the morning
Post by Jan Stary
Post by James
1_mac CAN login to the linux boxes passwdless
The logs show nothing of interest (-vvv, not tried to get server logs yet)
You have succesfully logged in. The logs will say so.
What else do you expect to see there?
Umm I’m confused. I see a password prompt not a shell prompt. I see too public_key auth failed wthi error 51 before password auth gets tried
Post by Jan Stary
Post by James
Google is full of stuff, eg since High Sierra Apple silently enforces a 2048 bit key, but nothing that actually solves the problem
What problem?
Again ummmm. Password-less login. I can see my suspition is not happening which was blank pass phrase is not allowed.
Post by Jan Stary
Post by James
Post by James
I want password-less ssh login
i usually copy the public key by hand, but I also used ssh-copy-id
I've done that, but I think it involved temporarily enabling TELNET etc,
then ye olde copy/paste of the public key.
Why would you use TELNET to transfer your ssh key?
To completely defeat the purpose?
I think one of the answers mentioned telnet, I certainly did not.

James
Richard L. Hamilton
2018-09-03 15:22:52 UTC
Permalink
I can log in from a reasonably recent Linux or Solaris 10 or later system (well, the Linux is a VM) to my High Sierra using keys (with or without ssh-agent) just fine. No problem at all.

In the case of a really old Solaris (9) box, the defaults for High Sierra's sshd didn't include ciphers or key exchange algorithms that the old Solaris 9 client knew about. But (at the risk of reducing security on the High Sierra system!!!), I could add the following to the High Sierra system's /etc/ssh/sshd_config:

Ciphers chacha20-***@openssh.com,aes128-ctr,aes128-cbc,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com
KexAlgorithms diffie-hellman-group1-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

and after that, get in from the ancient client too. Contrast that with the defaults described in the sshd_config man page, if you want to determine what old stuff was added. I probably needed both lines; first it failed finding a cipher, then it said "no kex alg", which the 2nd line took care of. Fairly sure the old stuff that was fixed it was the aes128-cbc, and the diffie-helman-group1-sha1, respectively. I found the 2nd line by googling "no kex alg". Probably those could be tweaked a bit. Some clients may cope with a limited number of possibilities for one or the other, so what they need should probably be near the beginning of the list, although being paranoid, I'd just as soon put it as far down the list as the crankiest client would accept, so better stuff would be used whenever possible.

To figure this stuff out from scratch, add a -v or two to the failing ssh command to see what it's trying; if you look through that, and then look through the sshd_config man page on the destination system, you'll hopefully find a common cipher and kex algorithm, which is what you need to make sure you add to the defaults.

Now I think I'm going to go back and comment those lines out, because I can think of ZERO times I'm likely to log in from a 2001 vintage Sun Blade 100 running Solaris 9, to a 2017 MacBook Pro running High Sierra. Not worth the exposure, esp. if I travel with the laptop, such that unless I VPN, it could get pounded by random crazies.

NOTE: truly ancient clients use version 1 of the ssh protocol, which openssh as of High Sierra says (per the man page) it does NOT support. The man page for the MacPorts version says the same thing; so in that case, you're out of luck. And BTW, I just did a diff between Apple's sshd man page and the MacPorts man page, and the ONLY differences were path names for configuration files, the pid file, etc. So if you can't solve your issues for one, using the other probably won't help either.
Post by James
Top Posting as all the noise below may be of interest, but it may not be.
Actually re-reading my post shows my irritation with Jan’s post. I guess that I’m here because of a significant and so far insoluable problem and I welcome any ideas or caveats, I think his tone trivializes my angst, appologies!
Jan I must assume that you have never done a password-less login to a high sierra machine and the tone of your questions betrays that.
I have mumble (aah hell 40 years experience using unix and I have and do do many many password-less logins eg gathering data frrom an embedded logger) so the stock right-way is cute, but moot
Post by Jan Stary
Post by James
but directly related to a port <smile>
What port?
actually openssh which works everywhere ( where works == password-less login NB nothing to do with pass-phrase) does not work on high sierra
Post by Jan Stary
Post by James
I want password-less ssh login
Create a password-less key and copy it into
~/.ssh/authorized_keys on the remote site.
Make sure that ~/.ssh is chmod 700 and authorized_keys is chmod 600
if you are creating them from scratch. (The OS possibly did that for you
upon user creation.)
Post by James
i usually copy the public key by hand, but I also used ssh-copy-id
from 1_mac to another
from 1_mac to itself
from 1_mac to a plethora of linux machines and virtual machines
1_mac cannot login passwd-less to another.
To another what?
The original post made clear I called the first mac "mac-1" and the second mac “another"
Post by Jan Stary
What happens if you copy the key by hand, not relying on ssh-copy-id?
Have you checked that the key is actually installed there?
By hand and with ssh-copy-id achieves identical results. I’ve also generated id_rsa and id_rsa.pub on linux machines (In case apple does something bizare)
Post by Jan Stary
Post by James
Passwd is requested then all is well.
What password, if it's a password-less key?
if public key auth fails then you fall back to password auth
Post by Jan Stary
Post by James
1_mac CAN login to itself passwdless
And with openssh that happens too. I’ve not tried user a login to user b, I shall try in the morning
Post by Jan Stary
Post by James
1_mac CAN login to the linux boxes passwdless
The logs show nothing of interest (-vvv, not tried to get server logs yet)
You have succesfully logged in. The logs will say so.
What else do you expect to see there?
Umm I’m confused. I see a password prompt not a shell prompt. I see too public_key auth failed wthi error 51 before password auth gets tried
Post by Jan Stary
Post by James
Google is full of stuff, eg since High Sierra Apple silently enforces a 2048 bit key, but nothing that actually solves the problem
What problem?
Again ummmm. Password-less login. I can see my suspition is not happening which was blank pass phrase is not allowed.
Post by Jan Stary
Post by James
Post by James
I want password-less ssh login
i usually copy the public key by hand, but I also used ssh-copy-id
I've done that, but I think it involved temporarily enabling TELNET etc,
then ye olde copy/paste of the public key.
Why would you use TELNET to transfer your ssh key?
To completely defeat the purpose?
I think one of the answers mentioned telnet, I certainly did not.
James
Jan Stary
2018-09-03 19:39:39 UTC
Permalink
Post by James
Jan I must assume that you have never done a password-less login
to a high sierra machine and the tone of your questions betrays that.
Password-less login to 10.13.6 works for me just fine,
with the method described above (put your *.pub to the authorized_keys).
That's the system /usr/sbin/sshd, which is OpenSSH_7.6, LibreSSL 2.6.2.
Below is a log of such a session, from OpenBSD 6.3 to MacOS 10.13.6.
Post by James
hell 40 years experience using unix and I have and do do many many
I'm sure you do do.
Post by James
Post by Jan Stary
What port?
actually openssh which works everywhere ( where works == password-less login NB nothing to do with pass-phrase) does not work on high sierra
In the current port tree, that's OpenSSH 7.6p1r5 (right?).
Have you tried the same with the system OpenSSH?
Have you tried with the OpenSSH port built upon the LibreSSL port,
as opposed to the OpenSSL port? What is the difference?
Post by James
Post by Jan Stary
Post by James
i usually copy the public key by hand, but I also used ssh-copy-id
from 1_mac to another
from 1_mac to itself
from 1_mac to a plethora of linux machines and virtual machines
1_mac cannot login passwd-less to another.
To another what?
The original post made clear I called the first mac "mac-1"
and the second mac “another"
What happens when you try a 10.13.6 server with a different client?
Post by James
Post by Jan Stary
Post by James
1_mac CAN login to the linux boxes passwdless
The logs show nothing of interest
Well, there must be a message about what failed with the keys, right?
Post by James
Umm I’m confused. I see a password prompt not a shell prompt. I see too public_key auth failed wthi error 51 before password auth gets tried
So show us the full -v -v log.
Post by James
I can see my suspition is not happening
which was blank pass phrase is not allowed.
That would be a restriction of the _client_ (which I doubt),
and the client log would surely say so.

Jan


***@box:~$ ssh -v -v fitbook
OpenSSH_7.8, LibreSSL 2.8.0
debug1: Reading configuration data /home/hans/.ssh/config
debug1: /home/hans/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "fitbook" port 22
debug2: ssh_connect_direct
debug1: Connecting to fitbook [192.168.11.8] port 22.
debug1: Connection established.
debug1: identity file /home/hans/.ssh/id_rsa type 0
debug1: identity file /home/hans/.ssh/id_rsa-cert type -1
debug1: identity file /home/hans/.ssh/id_dsa type -1
debug1: identity file /home/hans/.ssh/id_dsa-cert type -1
debug1: identity file /home/hans/.ssh/id_ecdsa type -1
debug1: identity file /home/hans/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/hans/.ssh/id_ed25519 type -1
debug1: identity file /home/hans/.ssh/id_ed25519-cert type -1
debug1: identity file /home/hans/.ssh/id_xmss type -1
debug1: identity file /home/hans/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6
debug1: match: OpenSSH_7.6 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to fitbook:22 as 'hans'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-***@openssh.com,ecdsa-sha2-nistp384-cert-***@openssh.com,ecdsa-sha2-nistp521-cert-***@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-***@openssh.com,rsa-sha2-512-cert-***@openssh.com,rsa-sha2-256-cert-***@openssh.com,ssh-rsa-cert-***@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com
debug2: ciphers stoc: chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com
debug2: MACs ctos: umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.com,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.com,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,***@openssh.com,zlib
debug2: compression stoc: none,***@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com
debug2: ciphers stoc: chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com
debug2: MACs ctos: umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.com,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.com,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,***@openssh.com
debug2: compression stoc: none,***@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-***@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-***@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:8nCwT07dWP68CTuDdS1g2O6vIhfpxCU9Y5cqY7N415k
debug1: Host 'fitbook' is known and matches the ECDSA host key.
debug1: Found key in /home/hans/.ssh/known_hosts:62
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /home/hans/.ssh/id_rsa (0x7121b82aa80)
debug2: key: /home/hans/.ssh/id_dsa (0x0)
debug2: key: /home/hans/.ssh/id_ecdsa (0x0)
debug2: key: /home/hans/.ssh/id_ed25519 (0x0)
debug2: key: /home/hans/.ssh/id_xmss (0x0)
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:v9EQjf6ESD7ppCQMn5IfsI49i5uF5EuVg9zNFFDnz/c /home/hans/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:v9EQjf6ESD7ppCQMn5IfsI49i5uF5EuVg9zNFFDnz/c
debug1: Authentication succeeded (publickey).
Authenticated to fitbook ([192.168.11.8]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-***@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-***@openssh.com want_reply 0
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Mon Sep 3 21:08:23 2018 from 192.168.11.3
fitbook:~ hans$ uname -a
Darwin fitbook.stare.cz 17.7.0 Darwin Kernel Version 17.7.0: Thu Jun 21 22:53:14 PDT 2018; root:xnu-4570.71.2~1/RELEASE_X86_64 x86_64
fitbook:~ hans$ which sshd
/usr/sbin/sshd
Jan Stary
2018-09-03 21:14:54 UTC
Permalink
Post by Jan Stary
Password-less login to 10.13.6 works for me just fine,
with the method described above (put your *.pub to the authorized_keys).
That's the system /usr/sbin/sshd, which is OpenSSH_7.6, LibreSSL 2.6.2.
Below is a log of such a session, from OpenBSD 6.3 to MacOS 10.13.6.
Same works between MacOS 10.13.6 and 10.6.8, both ways,
with system's /usr/sbin/sshd, and the password-less keys
generated on the respective client machine (-v -v logs below).

The newer one is OpenSSH_7.6p1, LibreSSL 2.6.2,
the older one is OpenSSH_5.2p1, OpenSSL 0.9.8y.

Jan


***@fitbook:~$ uname -a
Darwin fitbook.stare.cz 17.7.0 Darwin Kernel Version 17.7.0: Thu Jun 21 22:53:14 PDT 2018; root:xnu-4570.71.2~1/RELEASE_X86_64 x86_64
***@fitbook:~$ ssh -v -v -i /tmp/k mac
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to mac port 22.
debug1: Connection established.
debug1: identity file /tmp/k type 0
debug1: key_load_public: No such file or directory
debug1: identity file /tmp/k-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to mac:22 as 'hans'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-***@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-***@openssh.com,ecdsa-sha2-nistp384-cert-***@openssh.com,ecdsa-sha2-nistp521-cert-***@openssh.com,ssh-ed25519-cert-***@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com
debug2: ciphers stoc: chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com
debug2: MACs ctos: umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.com,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.com,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,***@openssh.com,zlib
debug2: compression stoc: none,***@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.liu.se
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.liu.se
debug2: MACs ctos: hmac-md5,hmac-sha1,umac-***@openssh.com,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,umac-***@openssh.com,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,***@openssh.com
debug2: compression stoc: none,***@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-***@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-***@openssh.com compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 1523/3072
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:fPcAjDC3WUy9KVBsWONitKsuO9P7vdnRBMa+if0NdRw
debug1: Host 'mac' is known and matches the RSA host key.
debug1: Found key in /Users/hans/.ssh/known_hosts:36
debug2: bits set: 1507/3072
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /tmp/k (0x7f8a55405f00), explicit
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:SqLNtMcBiEftcLpjHnT0r073TNmMm+uMutAMeUUoNao /tmp/k
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp SHA256:SqLNtMcBiEftcLpjHnT0r073TNmMm+uMutAMeUUoNao
debug1: Authentication succeeded (publickey).
Authenticated to mac ([192.168.33.9]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-***@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 5 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LC_MONETARY = C
debug2: channel 0: request env confirm 0
debug1: Sending env LC_NUMERIC = C
debug2: channel 0: request env confirm 0
debug1: Sending env LC_MESSAGES = C
debug2: channel 0: request env confirm 0
debug1: Sending env LANG = C
debug2: channel 0: request env confirm 0
debug1: Sending env LC_CTYPE = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_TIME = C
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Mon Sep 3 23:04:43 2018 from fitbook.stare.cz
?1034hmac:~ hans$ uname -a
Darwin mac.stare.cz 10.8.0 Darwin Kernel Version 10.8.0: Tue Jun 7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386 i386



***@mac:~$ uname -a
Darwin mac.stare.cz 10.8.0 Darwin Kernel Version 10.8.0: Tue Jun 7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386 i386
***@mac:~$ ssh -v -v -i /tmp/key 192.168.33.8
OpenSSH_5.2p1, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.33.8 [192.168.33.8] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /tmp/key type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6
debug1: match: OpenSSH_7.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,***@openssh.com,zlib
debug2: kex_parse_kexinit: none,***@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256,curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com
debug2: kex_parse_kexinit: chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com
debug2: kex_parse_kexinit: umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.com,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.com,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none,***@openssh.com
debug2: kex_parse_kexinit: none,***@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 160/320
debug2: bits set: 1036/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.33.8' is known and matches the RSA host key.
debug1: Found key in /Users/hans/.ssh/known_hosts:25
debug2: bits set: 975/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /tmp/key (0x100132c20)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /tmp/key
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: fp 34:2a:2f:ad:51:50:7d:8b:c1:16:cf:23:1d:98:97:f3
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-***@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-***@openssh.com want_reply 0
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Mon Sep 3 23:01:07 2018 from 192.168.33.9
?1034hfitbook:~ hans$ uname -a
Darwin fitbook.stare.cz 17.7.0 Darwin Kernel Version 17.7.0: Thu Jun 21 22:53:14 PDT 2018; root:xnu-4570.71.2~1/RELEASE_X86_64 x86_64
James
2018-09-03 13:58:39 UTC
Permalink
System Settings -> Sharing -> Remote Access
...or something close to that will dis/enable native sshd in OSX (not on my laptop, so may be a wee bit imprecise).
Hi All
since I’ve been unable to solve passwd-less login on High Sierra I installed port openssh.
All good except I have two daemons waiting on port 22. I can easily find the LaunchDaemon for openssh but I cannot fathom how apple run their ssh daemon, or even what it is called.
I miss linux’s netstat -anp.
Bill thanks, obvious answer
Richard thanks for teaching me stuff about lsof

James
James
2018-09-04 14:24:25 UTC
Permalink
Post by Jan Stary
Post by James
Jan I must assume that you have never done a password-less login
to a high sierra machine and the tone of your questions betrays that.
Password-less login to 10.13.6 works for me just fine,
with the method described above (put your *.pub to the authorized_keys).
That's the system /usr/sbin/sshd, which is OpenSSH_7.6, LibreSSL 2.6.2.
Below is a log of such a session, from OpenBSD 6.3 to MacOS 10.13.6.
Post by James
hell 40 years experience using unix and I have and do do many many
I'm sure you do do.
Post by James
Post by Jan Stary
What port?
actually openssh which works everywhere ( where works == password-less login NB nothing to do with pass-phrase) does not work on high sierra
In the current port tree, that's OpenSSH 7.6p1r5 (right?).
Have you tried the same with the system OpenSSH?
Have you tried with the OpenSSH port built upon the LibreSSL port,
as opposed to the OpenSSL port? What is the difference?
Post by James
Post by Jan Stary
Post by James
i usually copy the public key by hand, but I also used ssh-copy-id
from 1_mac to another
from 1_mac to itself
from 1_mac to a plethora of linux machines and virtual machines
1_mac cannot login passwd-less to another.
To another what?
The original post made clear I called the first mac "mac-1"
and the second mac “another"
What happens when you try a 10.13.6 server with a different client?
Post by James
Post by Jan Stary
Post by James
1_mac CAN login to the linux boxes passwdless
The logs show nothing of interest
Well, there must be a message about what failed with the keys, right?
Post by James
Umm I’m confused. I see a password prompt not a shell prompt. I see too public_key auth failed wthi error 51 before password auth gets tried
So show us the full -v -v log.
Post by James
I can see my suspition is not happening
which was blank pass phrase is not allowed.
That would be a restriction of the _client_ (which I doubt),
and the client log would surely say so.
Thanks to every one for suggestions and help. I’ll stop abusing the list <smile>

I have two machines upgraded to high sierra (that did work once upon a time)
and one clean install (the machine was formatted ext4 and ran linux). None work!

for interest

[haycorn] /Users/jam [263]% ls -lR .ssh
total 40
-rw------- 1 jam staff 1014 3 Sep 19:08 authorized_keys
-rw-r--r-- 1 jam staff 130 4 Sep 2017 config
-rw------- 1 jam staff 1679 17 Feb 2018 id_rsa
-rw-r--r-- 1 jam staff 398 17 Feb 2018 id_rsa.pub
-rw-r--r-- 1 jam staff 2342 7 Oct 2016 known_hosts

[haycorn] /Users/jam [264]% cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Nq44JqKYYGNHMzotos6xmDkeI/2KVKIWcEz36TXqJsZxms39HuTpky5lP56gDnmXdBe8fSDi6ZJbSONZ5sMmS8XG0QqxDQufJIuoQrmgGXFhE8jcrbPAixGhX5fmBOPgFa5JgWDD9caYhpbxTfl2GoAu6Pe0u7paCaMyxD9KNAMk8oBzfkQFU3KMiK+0rB+/UI5lEyAJLCPW2WzFlF8N5iBjocvoDqx2slATfjKPx85VrdS5hVjKHcJjlpgEJ4a5+fcjlpAq/A2AKEQbzXfK1Tpb5PtyhRTIhjDufCZbgSdZlRC8fnm/iDXkwWDmkwCVYhyPAy5P4ecPpihzP6hF ***@twill

[haycorn] /Users/jam [265]%

To high sierra

[twill] /Users/jam [230]% ssh -vv haycorn.home
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/jam/.ssh/config
debug1: /Users/jam/.ssh/config line 2: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 49: Applying options for *
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to haycorn.home port 22.
debug1: Connection established.
debug1: identity file /Users/jam/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6
debug1: match: OpenSSH_7.6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to haycorn.home:22 as 'jam'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-***@openssh.com,ecdsa-sha2-nistp384-cert-***@openssh.com,ecdsa-sha2-nistp521-cert-***@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-***@openssh.com,ssh-rsa-cert-***@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com
debug2: ciphers stoc: chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com
debug2: MACs ctos: umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.com,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.com,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,***@openssh.com,zlib
debug2: compression stoc: none,***@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com
debug2: ciphers stoc: chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@openssh.com,aes256-***@openssh.com
debug2: MACs ctos: umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.com,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.com,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,***@openssh.com
debug2: compression stoc: none,***@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-***@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-***@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:0ZZ3WRiXJp6ucXm5k6X9Zz19kwpXLpYvYFiayZ+K0mk
debug1: Host 'haycorn.home' is known and matches the ECDSA host key.
debug1: Found key in /Users/jam/.ssh/known_hosts:9
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /Users/jam/.ssh/id_rsa (0x7f877a700850)
debug2: key: /Users/jam/.ssh/id_dsa (0x0)
debug2: key: /Users/jam/.ssh/id_ecdsa (0x0)
debug2: key: /Users/jam/.ssh/id_ed25519 (0x0)
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk /Users/jam/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/jam/.ssh/id_dsa
debug1: Trying private key: /Users/jam/.ssh/id_ecdsa
debug1: Trying private key: /Users/jam/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
***@haycorn.home's password:

-------------------------------------------------------------------------
The relevant part to another machine
—————————————————————————————————————
...
debug1: rekey after 134217728 blocks
debug2: key: /Users/jam/.ssh/id_rsa (0x7fb4d5f01360)
debug2: key: /Users/jam/.ssh/id_dsa (0x0)
debug2: key: /Users/jam/.ssh/id_ecdsa (0x0)
debug2: key: /Users/jam/.ssh/id_ed25519 (0x0)
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk /Users/jam/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk
debug1: Authentication succeeded (publickey).
Authenticated to sandypit.home ([192.168.5.33]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-***@openssh.com
debug1: Entering interactive session.
debug1: pledge: exec
debug1: client_input_global_request: rtype hostkeys-***@openssh.com want_reply 0
debug2: channel_input_open_confirmation: channel 0: callback start
debug1: No xauth program.
Warning: No xauth data; using fake authentication data for X11 forwarding.
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 1
debug2: fd 5 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_AU.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: X11 forwarding request accepted on channel 0
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Tue Sep 4 19:51:13 2018 from 192.168.5.61
Have a lot of fun...
[sandypit] /home/jam [587]%


So I’ll carefully read all the replies
James
Jan Stary
2018-09-05 06:08:30 UTC
Permalink
Post by James
[twill] /Users/jam [230]% ssh -vv haycorn.home
[versions match etc]
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk /Users/jam/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/jam/.ssh/id_dsa
debug1: Trying private key: /Users/jam/.ssh/id_ecdsa
debug1: Trying private key: /Users/jam/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
This doesn't tell anything. (Also try with -v -v -v).
What does the log say on the server side?

Before, you mentioned "error 51".
Nothing like that is here.
Post by James
The relevant part to another machine
What machine is that?
Is it the same version of sshd?
Is it configured the same?
Post by James
debug1: rekey after 134217728 blocks
debug2: key: /Users/jam/.ssh/id_rsa (0x7fb4d5f01360)
debug2: key: /Users/jam/.ssh/id_dsa (0x0)
debug2: key: /Users/jam/.ssh/id_ecdsa (0x0)
debug2: key: /Users/jam/.ssh/id_ed25519 (0x0)
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk /Users/jam/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk
debug1: Authentication succeeded (publickey).
Authenticated to sandypit.home ([192.168.5.33]:22).
What is the difference between what this server says in the logs,
and what the previous server says in the logs?

Jan
Jan Stary
2018-09-05 06:25:03 UTC
Permalink
Just to be sure: as your ~/.ssh/authorized_keys only contains
this one pubkey, the file should be identical to the corresponding
~/.ssh/id_rsa.pub on the client side. Please verify that it is

haycorn$ cksum ~/.ssh/authorized_keys
twill$ cksum ~/.ssh/id_rsa.pub
Post by Jan Stary
Post by James
[twill] /Users/jam [230]% ssh -vv haycorn.home
[versions match etc]
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk /Users/jam/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/jam/.ssh/id_dsa
debug1: Trying private key: /Users/jam/.ssh/id_ecdsa
debug1: Trying private key: /Users/jam/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
This doesn't tell anything. (Also try with -v -v -v).
What does the log say on the server side?
Before, you mentioned "error 51".
Nothing like that is here.
Post by James
The relevant part to another machine
What machine is that?
Is it the same version of sshd?
Is it configured the same?
Post by James
debug1: rekey after 134217728 blocks
debug2: key: /Users/jam/.ssh/id_rsa (0x7fb4d5f01360)
debug2: key: /Users/jam/.ssh/id_dsa (0x0)
debug2: key: /Users/jam/.ssh/id_ecdsa (0x0)
debug2: key: /Users/jam/.ssh/id_ed25519 (0x0)
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk /Users/jam/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk
debug1: Authentication succeeded (publickey).
Authenticated to sandypit.home ([192.168.5.33]:22).
What is the difference between what this server says in the logs,
and what the previous server says in the logs?
Jan
James Linder
2018-11-11 05:37:53 UTC
Permalink
After lots of hunting I re-installed high sierra from scratch.
Public key DID work.
I slowly restored from a time machine backup until it stopped working.

The culprit was .ssh directory.
I put the working .ssh dir back and copied my id’s and config to the working .ssh dir. Public key still worked.

Using ls -l and ignoring ACLs the working and non working dirs and files look identical (content and permissions)

This smacks of Schrödinger's cat

James

Lots of noise about public key login ...
Post by Jan Stary
Password-less login to 10.13.6 works for me just fine,
with the method described above (put your *.pub to the authorized_keys).
That's the system /usr/sbin/sshd, which is OpenSSH_7.6, LibreSSL 2.6.2.
Below is a log of such a session, from OpenBSD 6.3 to MacOS 10.13.6.
Post by James
hell 40 years experience using unix and I have and do do many many
I'm sure you do do.
Post by James
Post by Jan Stary
What port?
actually openssh which works everywhere ( where works == password-less login NB nothing to do with pass-phrase) does not work on high sierra
In the current port tree, that's OpenSSH 7.6p1r5 (right?).
Have you tried the same with the system OpenSSH?
Have you tried with the OpenSSH port built upon the LibreSSL port,
as opposed to the OpenSSL port? What is the difference?
Post by James
Post by Jan Stary
Post by James
i usually copy the public key by hand, but I also used ssh-copy-id
from 1_mac to another
from 1_mac to itself
from 1_mac to a plethora of linux machines and virtual machines
1_mac cannot login passwd-less to another.
To another what?
The original post made clear I called the first mac "mac-1"
and the second mac “another"
What happens when you try a 10.13.6 server with a different client?
Post by James
Post by Jan Stary
Post by James
1_mac CAN login to the linux boxes passwdless
The logs show nothing of interest
Well, there must be a message about what failed with the keys, right?
Post by James
Umm I’m confused. I see a password prompt not a shell prompt. I see too public_key auth failed wthi error 51 before password auth gets tried
So show us the full -v -v log.
Post by James
I can see my suspition is not happening
which was blank pass phrase is not allowed.
That would be a restriction of the _client_ (which I doubt),
and the client log would surely say so.
Thanks to every one for suggestions and help. I’ll stop abusing the list <smile>
I have two machines upgraded to high sierra (that did work once upon a time)
and one clean install (the machine was formatted ext4 and ran linux). None work!
for interest
[haycorn] /Users/jam [263]% ls -lR .ssh
total 40
-rw------- 1 jam staff 1014 3 Sep 19:08 authorized_keys
-rw-r--r-- 1 jam staff 130 4 Sep 2017 config
-rw------- 1 jam staff 1679 17 Feb 2018 id_rsa
-rw-r--r-- 1 jam staff 398 17 Feb 2018 id_rsa.pub
-rw-r--r-- 1 jam staff 2342 7 Oct 2016 known_hosts
[haycorn] /Users/jam [264]% cat .ssh/authorized_keys
[haycorn] /Users/jam [265]%
To high sierra
[twill] /Users/jam [230]% ssh -vv haycorn.home
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/jam/.ssh/config
debug1: /Users/jam/.ssh/config line 2: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 49: Applying options for *
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to haycorn.home port 22.
debug1: Connection established.
debug1: identity file /Users/jam/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/jam/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6
debug1: match: OpenSSH_7.6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to haycorn.home:22 as 'jam'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:0ZZ3WRiXJp6ucXm5k6X9Zz19kwpXLpYvYFiayZ+K0mk
debug1: Host 'haycorn.home' is known and matches the ECDSA host key.
debug1: Found key in /Users/jam/.ssh/known_hosts:9
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /Users/jam/.ssh/id_rsa (0x7f877a700850)
debug2: key: /Users/jam/.ssh/id_dsa (0x0)
debug2: key: /Users/jam/.ssh/id_ecdsa (0x0)
debug2: key: /Users/jam/.ssh/id_ed25519 (0x0)
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk /Users/jam/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/jam/.ssh/id_dsa
debug1: Trying private key: /Users/jam/.ssh/id_ecdsa
debug1: Trying private key: /Users/jam/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
-------------------------------------------------------------------------
The relevant part to another machine
—————————————————————————————————————
...
debug1: rekey after 134217728 blocks
debug2: key: /Users/jam/.ssh/id_rsa (0x7fb4d5f01360)
debug2: key: /Users/jam/.ssh/id_dsa (0x0)
debug2: key: /Users/jam/.ssh/id_ecdsa (0x0)
debug2: key: /Users/jam/.ssh/id_ed25519 (0x0)
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk /Users/jam/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk
debug1: Authentication succeeded (publickey).
Authenticated to sandypit.home ([192.168.5.33]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug1: pledge: exec
debug2: channel_input_open_confirmation: channel 0: callback start
debug1: No xauth program.
Warning: No xauth data; using fake authentication data for X11 forwarding.
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 1
debug2: fd 5 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_AU.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: X11 forwarding request accepted on channel 0
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Tue Sep 4 19:51:13 2018 from 192.168.5.61
Have a lot of fun...
[sandypit] /home/jam [587]%
So I’ll carefully read all the replies
James
James Linder
2018-09-06 03:40:41 UTC
Permalink
Hi All
Post by Jan Stary
What is the difference between what this server says in the logs,
and what the previous server says in the logs?
In my growing frustration I was quite rude to Jan. Humble appologies.

I was able to do password-less login to another High Sierra machine exactly as you would expect !!!

My only hint on my desktop machine is this

system.log:Sep 6 10:09:27 haycorn com.apple.xpc.launchd[1] (com.openssh.sshd.D2A41AA4-87E8-4832-8745-93B2D3AD3796[580]): Service exited with abnormal code: 255

As promised I’ll stop abusing the list, port openssh behaves exactly as the built in server.

Aa a final resort I may end up doing a re-install, with time machine to hold my hand.

Cheers
James

PS

Jan asked for and here is the tail of -vvv

….from my desktop to a mac that does accept passwd-less

debug2: key: /Users/jam/.ssh/id_rsa (0x7fdfbd4032c0)
debug2: key: /Users/jam/.ssh/id_dsa (0x0)
debug2: key: /Users/jam/.ssh/id_ecdsa (0x0)
debug2: key: /Users/jam/.ssh/id_ed25519 (0x0)
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk /Users/jam/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk
debug3: sign_and_send_pubkey: RSA SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to ws111 ([192.168.5.111]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-***@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-***@openssh.com want_reply 0
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 5 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk /Users/jam/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk
debug3: sign_and_send_pubkey: RSA SHA256:/FjP5L3Grrw1P4KXIq5SsfkEy5RWhmeVehgG5+8k5rk
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to ws111 ([192.168.5.111]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-***@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-***@openssh.com want_reply 0
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 5 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Thu Sep 6 10:07:47 2018 from 192.168.5.31
[pussycat] /Users/mary [501]%


from that machine back to me

debug2: key: /Users/mary/.ssh/id_rsa (0x7f9cffd16f40)
debug2: key: /Users/mary/.ssh/id_dsa (0x0)
debug2: key: /Users/mary/.ssh/id_ecdsa (0x0)
debug2: key: /Users/mary/.ssh/id_ed25519 (0x0)
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/mary/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /Users/mary/.ssh/id_dsa
debug3: no such identity: /Users/mary/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /Users/mary/.ssh/id_ecdsa
debug3: no such identity: /Users/mary/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /Users/mary/.ssh/id_ed25519
debug3: no such identity: /Users/mary/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
Jan Stary
2018-09-06 06:47:39 UTC
Permalink
Post by James Linder
Post by Jan Stary
What is the difference between what this server says in the logs,
and what the previous server says in the logs?
I was able to do password-less login to another High Sierra machine
exactly as you would expect !!!
Yes, we already know that.

What we don't know is why it doesn't work on this one machine.
Post by James Linder
My only hint on my desktop machine is this
"Desktop machine"? This is a log from "haycorn",
which previously was the sshd _server_, right?
Post by James Linder
system.log:Sep 6 10:09:27 haycorn com.apple.xpc.launchd[1] (com.openssh.sshd.D2A41AA4-87E8-4832-8745-93B2D3AD3796[580]): Service exited with abnormal code: 255
This is system.log, saying that the sshd launched by launchd exoted with 255.
Show us the sshd log itself, as verbose as possible, which says what failed.
Post by James Linder
As promised I’ll stop abusing the list,
port openssh behaves exactly as the built in server.
No. The oepnssh port is linked (by default) with OpenSSL.
The built in OpenSSH suite uses the system LibreSSL.
Post by James Linder
….from my desktop to a mac that does accept passwd-less
[A successful login to yet another machine not mentioned before.]
Post by James Linder
from that machine back to me
Aaaargh. Another login of a different user,
with a different key, from a different machine.

Can you stick to the one failing case?
You are making it quite hard to help you.
Post by James Linder
debug2: key: /Users/mary/.ssh/id_rsa (0x7f9cffd16f40)
debug2: key: /Users/mary/.ssh/id_dsa (0x0)
debug2: key: /Users/mary/.ssh/id_ecdsa (0x0)
debug2: key: /Users/mary/.ssh/id_ed25519 (0x0)
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
Is this the "error 51" you mentioned before?

What exactly is the chmod of the $HOME, $HOME/.ssh/ and
$HOME/.ssh/authorized_keys of the target user on the remote side?

Jan
Post by James Linder
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/mary/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /Users/mary/.ssh/id_dsa
debug3: no such identity: /Users/mary/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /Users/mary/.ssh/id_ecdsa
debug3: no such identity: /Users/mary/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /Users/mary/.ssh/id_ed25519
debug3: no such identity: /Users/mary/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Loading...