no longer quite OT
Bill Cole
macportsusers-20171215 at billmail.scconsult.com
Mon Sep 3 17:39:54 UTC 2018
On 3 Sep 2018, at 1:04 (-0400), James wrote:
> Hi All
> since I’ve been unable to solve passwd-less login on High Sierra I
> installed port openssh.
>
> All good except I have two daemons waiting on port 22.
Which is, of course, not possible.
Apple's SSH suite in High Sierra is OpenSSH_7.6p1, linked against
LibreSSL 2.6.2. Launchd runs it in a sort of inetd emulation mode;
launchd owns the port 22 listener and launches sshd as needed (via a
'wrapper' which assures that host keys exist) with the '-i' option.
This of course is mostly not relevant for outbound ssh. The version of
ssh and its crypto library could be relevant, but the daemon's rigging
is not.
> I can easily find the LaunchDaemon for openssh but I cannot fathom how
> Apple run their ssh daemon, or even what it is called.
The functional daemon (doing SSH) is sshd, but the operational daemon
(always running and holding the TCP port 22 listener) is launchd. The
service is started by /System/Library/LaunchDaemons/ssh.plist.
> I miss linux’s netstat -anp.
Apple's netstat has a man page you might find illuminating. (HINT: try
its '-v' option)
The reasons that SSH ends up asking for a password when you think it
should just use an unencrypted or agent-loaded key are pretty limited
and mixed between server and client:
1. Server doesn't support keys at all.
2. ~/.ssh/authorized_keys on the server does not exist or has the wrong
contents.
3. ~/.ssh or ~/.ssh/authorized_keys (or, less often, ~/ or its parent
or grandparent) on the server has permissions too loose for sshd to
trust.
4. Server and client can't negotiate a key exchange protocol or usable
key type due to divergent versions, crypto libraries, or configs.
5. ~/.ssh/ on the client does not contain a usable unencrypted private
key and the ssh-agent on the client isn't running or has not loaded a
usable key.
6. /etc/ssh/ssh_config and/or ~/.ssh/config on the client has settings
that prevent key use.
It is generally impossible to tell the difference between these without
diagnostics from 'ssh -v' (or -vv or -vvv) and logs from the server
capturing 'auth' and/or 'authpriv' messages and/or audit logs from tools
like SELinux.
The only client-side differences you should get from installing the
MacPorts openssh package are:
1. Linked against OpenSSL instead of LibreSSL, so a more "complete"
coverage of obscure and obsolete crypto algorithms.
2. Uses a different default config (/opt/local/etc/ssh/ssh_config) which
may vary from Apple's defaults.
--
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole
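An added example, not part of Bill's message: a small POSIX sh check for items 2 and 3 in his list, run on the server side against the account you are trying to log into. It assumes a GNU or BSD `stat` and sshd's default StrictModes behaviour (home, ~/.ssh and authorized_keys must not be group- or world-writable); the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the list post): server-side checks for items 2 and 3
# in the list above. With StrictModes (the default) sshd ignores a key when the
# home directory, ~/.ssh or ~/.ssh/authorized_keys is group- or world-writable.
# Assumes a POSIX sh with GNU or BSD stat; the only argument is the home dir.

# Octal permission bits of a path, e.g. 700 (GNU stat first, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds (returns 0) when the path is group- or world-writable.
loose_perms() {
    low=$(( $(mode_of "$1") % 100 ))      # last two octal digits, read as decimal
    [ $(( (low / 10) & 2 )) -ne 0 ] || [ $(( (low % 10) & 2 )) -ne 0 ]
}

# check_key_paths HOME_DIR: prints each problem sshd would object to and
# returns 0 only when there is nothing to report.
check_key_paths() {
    home=$1
    ak="$home/.ssh/authorized_keys"
    problems=0
    for p in "$home" "$home/.ssh" "$ak"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            problems=$((problems + 1))
        elif loose_perms "$p"; then
            echo "too loose for sshd (mode $(mode_of "$p")): $p"
            problems=$((problems + 1))
        fi
    done
    # An authorized_keys with no key lines is as bad as a missing one (item 2).
    if [ -f "$ak" ] && ! grep -q '^[^#]' "$ak"; then
        echo "no keys listed in $ak"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Usage on the server, as the target user:  check_key_paths "$HOME"
```

It does not replace `ssh -v` on the client or the server's auth log, but it settles the permissions question in one pass.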