You would not get a password prompt unless you were talking to an sshd daemon on the other end. No port forwarding is needed on the local system. Port forwarding allows the outside world in. It has nothing to do with letting the inside world out.
Experiment 1
ssh username@localhost
This will log into yourself.
Experiment 2 - getting more diagnostic information out of ssh
ssh -vvv username@remote.system.address
This is going to spit out a log of debugging information. Look at it carefully and see if you can identify why you are being rejected.
Next, go to the remote system and look in /var/log/system.log (you can do this from Applications -> Utilities -> Console, or from a terminal session on the remote system).
Finally, does the remote system have its Firewall enabled? I suspect not, as you were able to talk to the sshd daemon, but check anyway.
It will be more verbose and may show at which point the login fails.
Also, what is running the ssh server? If it is a Mac running Leopard, check in the Sharing preferences that the account name is added to the 'allow only these users' section.
I tried the verbose login with the following results:
joel:~ joelwork$ ssh -vvv user@hostip
OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to hostip port 22.
debug1: Connection established.
debug1: identity file /Users/joelwork/.ssh/identity type -1
debug1: identity file /Users/joelwork/.ssh/id_rsa type -1
debug1: identity file /Users/joelwork/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 143/256
debug2: bits set: 515/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /Users/joelwork/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /Users/joelwork/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 4
debug1: Host 'hostip' is known and matches the RSA host key.
debug1: Found key in /Users/joelwork/.ssh/known_hosts:1
debug2: bits set: 534/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/joelwork/.ssh/identity (0x0)
debug2: key: /Users/joelwork/.ssh/id_rsa (0x0)
debug2: key: /Users/joelwork/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/joelwork/.ssh/identity
debug3: no such identity: /Users/joelwork/.ssh/identity
debug1: Trying private key: /Users/joelwork/.ssh/id_rsa
debug3: no such identity: /Users/joelwork/.ssh/id_rsa
debug1: Trying private key: /Users/joelwork/.ssh/id_dsa
debug3: no such identity: /Users/joelwork/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 18 padlen 14 extra_pad 64)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 18 padlen 14 extra_pad 64)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 18 padlen 14 extra_pad 64)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
user@hostip password:
debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
Permission denied, please try again.
debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
Permission denied, please try again.
debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64)
debug2: we sent a password packet, wait for reply
Received disconnect from hostip: 2: Too many authentication failures for motd
joel:~ joelwork$
It appears that everything runs 'fine' until the password. It attempts other authentication methods first but is happy to attempt 'password' in the end.
With the remote machine being Tiger, ssh is v1.99 whereas my local machine is v2.0. Does this have a bearing?
The remote machine is abroad so I can't get the logs from that end easily...
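A way to read a transcript like the one above without scanning every line, as an added example that is not part of the original post: it tallies which methods the server offered, how many credential packets the client sent per method, and how the session ended. The sample transcript, the address 192.0.2.10 and the user name "example" are constructed.

```python
import re

# Constructed sample: a trimmed `ssh -vvv` client transcript in the shape of the one above.
SAMPLE = """\
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug3: no such identity: /Users/example/.ssh/id_rsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
Password:
debug2: we sent a keyboard-interactive packet, wait for reply
Password:
debug2: we sent a keyboard-interactive packet, wait for reply
Password:
debug1: Next authentication method: password
debug2: we sent a password packet, wait for reply
Permission denied, please try again.
debug2: we sent a password packet, wait for reply
Permission denied, please try again.
debug2: we sent a password packet, wait for reply
Received disconnect from 192.0.2.10: 2: Too many authentication failures for example
"""

def summarize_auth(transcript):
    """Return server-offered methods, packets sent per method, and the outcome."""
    offered, attempts, outcome = [], {}, "unknown"
    for line in transcript.splitlines():
        m = re.match(r"debug1: Authentications that can continue: (\S+)", line)
        if m and not offered:
            offered = m.group(1).split(",")       # first list the server advertised
        m = re.match(r"debug1: Next authentication method: (\S+)", line)
        if m:
            attempts.setdefault(m.group(1), 0)    # method selected, nothing sent yet
        m = re.match(r"debug2: we sent a (\S+) packet, wait for reply", line)
        if m:
            attempts[m.group(1)] = attempts.get(m.group(1), 0) + 1
        if line.startswith("debug1: Authentication succeeded"):
            outcome = "succeeded"
        elif line.startswith("Received disconnect"):
            # Keep only the server's reason text after "<host>: <code>: "
            outcome = "disconnected: " + line.split(": ", 2)[-1]
    return {"offered": offered, "attempts": attempts, "outcome": outcome}

if __name__ == "__main__":
    print(summarize_auth(SAMPLE))
```

In the transcript posted above, three keyboard-interactive and three password packets precede the disconnect, which is consistent with sshd's default MaxAuthTries of 6; publickey contributed nothing because no identity file existed.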
Does the server have something like denyhosts installed?
Also it would be best if you configured /etc/sshd_config to use public keys only. This would negate the need for password authentication and make your ssh connections more secure and not vulnerable to brute force attacks.
You should also turn off authentication protocols you don't use in the sshd_config.
As you don't have access to the server right now this is a problem.
I can ssh into a Tiger Mac from a Leopard Mac over the internet, so this rules out an ssh compatibility issue.
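A check for the "public keys only" advice above, as an added example that is not part of the original post: it resolves the global section of an sshd_config and lists the methods that would still accept a typed password. The keyword defaults are assumed from upstream OpenSSH of the version in this thread, Match blocks are ignored, and the sample config is constructed.

```python
# Upstream OpenSSH defaults for the keywords that gate these logins
# (assumption: a vendor-shipped config may set them differently).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed sample: the password method is disabled, but keyboard-interactive
# (the first "Password:" prompt in the transcript above) is left at its default.
SAMPLE = """\
# sshd_config (constructed)
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
#ChallengeResponseAuthentication no
UsePAM yes
"""

def effective_settings(config_text):
    """Resolve the global section: first occurrence wins, keywords are case-insensitive."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out directive
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":                # conditional overrides are out of scope here
            break
        if len(parts) == 2:
            seen.setdefault(key, parts[1].strip().lower())
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def password_paths_open(config_text):
    """List the auth methods that can still accept a typed password."""
    eff = effective_settings(config_text)
    open_paths = []
    if eff["passwordauthentication"] == "yes":
        open_paths.append("password")
    if eff["challengeresponseauthentication"] == "yes":
        open_paths.append("keyboard-interactive")
    return open_paths

if __name__ == "__main__":
    print(password_paths_open(SAMPLE))
```

An empty result means only non-password methods remain; the server's sshd has to be restarted or reloaded before an edited config takes effect.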
I could get my colleague to email me his config file to edit here and send it back. Very unlikely to have denyhosts installed. How would I go about setting up a public key?
Aha, if your colleague can follow some instructions then you may be in luck.
First of all I would delete your current .ssh directory on your Mac, so when you create a public and private key it will make a clean setup.
Open your terminal and issue the following command:
rm -rf ~/.ssh
Press Enter.
Copy and paste the command into your terminal if you like.
Then issue the following command:
ssh-keygen -b 1024 -t dsa
# When prompted for a location to save the key, press Enter to use the default location.
# When prompted for a passphrase, press Return twice. This will create a key that has no passphrase associated with it.
Your Mac will now create a public and private key.
Now issue the following command:
cp ~/.ssh/id_dsa.pub ~/Desktop/
The file id_dsa.pub should now appear on your desktop.
Email that file to your colleague.
Then your colleague needs to log in to your account on the server. If they copy your id_dsa.pub file to the desktop, they can then open the terminal and issue the following command