no longer quite OT
macportsusers-20171215 at billmail.scconsult.com
Mon Sep 3 17:39:54 UTC 2018
On 3 Sep 2018, at 1:04 (-0400), James wrote:
> Hi All
> since I’ve been unable to solve passwd-less login on High Sierra I
> installed port openssh.
> All good except I have two daemons waiting on port 22.
Which is, of course, not possible.
Apple's SSH suite in High Sierra is OpenSSH_7.6p1, linked against
LibreSSL 2.6.2. Launchd runs it in a sort of inetd emulation mode;
launchd owns the port 22 listener and launches sshd as needed (via a
'wrapper' which assures that host keys exist) with the '-i' option.
This of course is mostly not relevant for outbound ssh. The version of
ssh and its crypto library could be relevant, but the daemon's rigging
> I can easily find the LaunchDaemon for openssh but I cannot fathom how
> apple run their ssh daemon, or even what it is called.
The functional daemon (doing SSH) is sshd, but the operational daemon
(always running and holding the TCP port 22 listener) is launchd. The
service is started by /System/Library/LaunchDaemons/ssh.plist.
> I miss linux’s netstat -anp.
Apple's netstat has a man page you might find illuminating. (HINT: try
its '-v' option)
The reasons that SSH ends up asking for a password when you think it
should just use an unencrypted or agent-loaded key are pretty limited
and mixed between server and client:
1. Server doesn't support keys at all.
2. ~/.ssh/authorized_keys on the server does not exist or has the wrong
3. ~/.ssh or ~/.ssh/authorized_keys (or, less often, ~/ or its parent
or grandparent) on the server has permissions too loose for sshd to
4. Server and client can't negotiate a key exchange protocol or usable
key type due to divergent versions, crypto libraries, or configs.
5. ~/.ssh/ on the client does not contain a usable unencrypted private
key and the ssh-agent on the client isn't running or has not loaded a
6. /etc/ssh/ssh_config and/or ~/.ssh/config on the client has settings
that prevent key use.
It is generally impossible to tell the difference between these without
diagnostics from 'ssh -v' (or -vv or -vvv) and logs from the server
capturing 'auth' and/or 'authpriv' messages and/or audit logs from tools
The only client-side differences you should get from installing the
MacPorts openssh package are:
1. Linked against OpenSSL instead of LibreSSL, so a more "complete"
coverage of obscure and obsolete crypto algorithms.
2. Uses a different default config (/opt/local/etc/ssh/ssh_config) which
may vary from Apple's defaults.
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole
More information about the macports-users