On 3 Sep 2018, at 1:04 (-0400), James wrote:

> Hi All,
> Since I’ve been unable to solve passwd-less login on High Sierra I installed port openssh.
>
> All good except I have two daemons waiting on port 22.
>
> Which is, of course, not possible.

Apple's SSH suite in High Sierra is OpenSSH_7.6p1, linked against LibreSSL 2.6.2. Launchd runs it in a sort of inetd emulation mode; launchd owns the port 22 listener and launches sshd as needed (via a 'wrapper' which assures that host keys exist) with the '-i' option.

This of course is mostly not relevant for outbound ssh. The version of ssh and its crypto library could be relevant, but the daemon's rigging is not.

> I can easily find the LaunchDaemon for openssh but I cannot fathom how Apple run their ssh daemon, or even what it is called.

The functional daemon (doing SSH) is sshd, but the operational daemon (always running and holding the TCP port 22 listener) is launchd. The service is started by /System/Library/LaunchDaemons/ssh.plist.

> I miss Linux’s netstat -anp.

Apple's netstat has a man page you might find illuminating. (HINT: try its '-v' option)

The reasons that SSH ends up asking for a password when you think it should just use an unencrypted or agent-loaded key are pretty limited and mixed between server and client:

1. Server doesn't support keys at all.
2. ~/.ssh/authorized_keys on the server does not exist or has the wrong contents.
3. ~/.ssh or ~/.ssh/authorized_keys (or, less often, ~/ or its parent or grandparent) on the server has permissions too loose for sshd to trust.
4. Server and client can't negotiate a key exchange protocol or usable key type due to divergent versions, crypto libraries, or configs.
5. ~/.ssh/ on the client does not contain a usable unencrypted private key and the ssh-agent on the client isn't running or has not loaded a usable key.
6. /etc/ssh/ssh_config and/or ~/.ssh/config on the client has settings that prevent key use.

It is generally impossible to tell the difference between these without diagnostics from 'ssh -v' (or -vv or -vvv) and logs from the server capturing 'auth' and/or 'authpriv' messages and/or audit logs from tools like SELinux.

The only client-side differences you should get from installing the MacPorts openssh package are:

1. Linked against OpenSSL instead of LibreSSL, so a more "complete" coverage of obscure and obsolete crypto algorithms.
2. Uses a different default config (/opt/local/etc/ssh/ssh_config) which may vary from Apple's defaults.

--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole
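The triage Bill describes (StrictModes permissions on the server side, and reading 'ssh -vvv' output to tell the six reasons apart) can be scripted. The following is an added example written for this thread; it is not code from the list, from Bill, or from OpenSSH. The grep patterns are messages the OpenSSH client prints, but the mapping from those messages onto the numbered reasons is this script's own, and the transcripts it feeds itself are constructed, not real captures. The path /Users/james/.ssh and the host 192.0.2.10 inside them are placeholders.

```shell
#!/bin/sh
# Added example for the thread above, not code from the list or from OpenSSH.
# Assumes only POSIX sh plus ls, grep, head, cut, mktemp, mkdir and chmod.

# check_ssh_perms HOME_DIR
# Applies the sshd StrictModes rules (reason 3 in the thread) to a home
# directory: ~, ~/.ssh and ~/.ssh/authorized_keys must exist and must not be
# writable by group or others. Prints one finding per line and returns 1 if
# anything would make sshd ignore authorized_keys. Ownership is not checked
# because stat(1) flags differ between macOS and Linux.
check_ssh_perms() {
    home="$1"
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            rc=1
            continue
        fi
        mode=$(ls -ld "$p" | cut -c1-10)      # e.g. drwx------
        gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
        ow=$(printf '%s' "$mode" | cut -c9)   # other write bit
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "too loose for sshd: $p ($mode)"
            rc=1
        fi
    done
    return $rc
}

# classify_ssh_debug FILE
# Reads the stderr of 'ssh -vvv user@host' saved to FILE and prints which of
# the thread's numbered reasons the client-side messages point to. The mapping
# is this example's heuristic; anything it cannot place prints "unclassified".
classify_ssh_debug() {
    f="$1"
    # Reason 4: no common kex / host key / signature algorithm.
    if grep -q -e "no matching" -e "no mutual signature algorithm" "$f"; then
        echo "reason 4: client and server cannot agree on kex/cipher/key type"
        return 0
    fi
    # The first "Authentications that can continue" line is the server's list
    # of permitted methods, printed before any key has been offered.
    allowed=$(grep "Authentications that can continue:" "$f" | head -n 1)
    case "$allowed" in
        "") ;;                 # never reached authentication; fall through
        *publickey*) ;;
        *) echo "reason 1: server does not offer publickey authentication"; return 0 ;;
    esac
    # Reason 6: server allows publickey but the client never tried it.
    if [ -n "$allowed" ] && ! grep -q "Next authentication method: publickey" "$f"; then
        echo "reason 6: client skipped publickey (check PubkeyAuthentication/PreferredAuthentications in ssh_config)"
        return 0
    fi
    offered=$(grep -c "Offering public key" "$f" || true)
    accepted=$(grep -c "Server accepts key" "$f" || true)
    if [ "$offered" -gt 0 ] && [ "$accepted" -eq 0 ]; then
        echo "reason 2/3: key offered but rejected; check authorized_keys contents and permissions on the server"
        return 0
    fi
    if [ "$offered" -eq 0 ] && grep -q "no such identity" "$f"; then
        echo "reason 5: no usable private key on the client and nothing loaded in ssh-agent"
        return 0
    fi
    echo "unclassified: read the transcript by hand"
}

# Constructed fragments in the shape of OpenSSH client debug output.
AUTH_PK='debug1: Authentications that can continue: publickey,password'
NEXT_PK='debug1: Next authentication method: publickey'
NEXT_PW='debug1: Next authentication method: password'
OFFER='debug1: Offering public key: /Users/james/.ssh/id_rsa RSA SHA256:CONSTRUCTED'
TRY='debug1: Trying private key: /Users/james/.ssh/id_rsa'
NOSUCH='debug3: no such identity: /Users/james/.ssh/id_rsa: No such file or directory'

# sample_transcript KIND
# Writes a constructed transcript for KIND (rejected, nokey, negotiation,
# nopubkey, skipped) to a temp file and prints its path.
sample_transcript() {
    out=$(mktemp)
    case "$1" in
        rejected)    printf '%s\n' "$AUTH_PK" "$NEXT_PK" "$OFFER" "$AUTH_PK" "$NEXT_PW" >"$out" ;;
        nokey)       printf '%s\n' "$AUTH_PK" "$NEXT_PK" "$TRY" "$NOSUCH" "$NEXT_PW" >"$out" ;;
        negotiation) printf '%s\n' "Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1" >"$out" ;;
        nopubkey)    printf '%s\n' "debug1: Authentications that can continue: password,keyboard-interactive" "$NEXT_PW" >"$out" ;;
        skipped)     printf '%s\n' "$AUTH_PK" "$NEXT_PW" >"$out" ;;
    esac
    echo "$out"
}

# Stand-alone demo: a constructed home with a world-writable ~/.ssh, then each
# sample transcript through the classifier.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh" && : >"$demo_home/.ssh/authorized_keys" && chmod 777 "$demo_home/.ssh"
check_ssh_perms "$demo_home" || echo "(sshd would ignore authorized_keys in $demo_home)"
for k in rejected nokey negotiation nopubkey skipped; do
    printf '%-12s -> ' "$k"; classify_ssh_debug "$(sample_transcript "$k")"
done
```

In practice the permissions check runs on the server against the login account's home, and the classifier runs on the client against the output of `ssh -vvv user@host 2>transcript.txt`; the two together cover everything on Bill's list except a server that silently discards the key for a reason only its own auth log will show, which is why he asks for both sides' diagnostics.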
