I've been performing some trial and error and can't seem to give any of my users SSH access. My administrator account works fine, but no other account can connect. It seems to be this way regardless of which services I give the user from "Server Preferences" and even if I give them "Administer this Server" access. What's the trick here?
I don't have any direct answers for you, but I may be able to point you somewhere that does. Check out this article on setting up ssh access on a Leopard server. Hope it helps.
[SSH with Leopard|http://blog.robseaman.com/2008/11/30/ssh-with-leopard]
I took a quick look at that article and it looks like it addresses the OS X client... I'm hoping to find some clear instructions on how to enable SSH for users on the OS X Server side.
I don't get it... I can use Cyberduck to SFTP to my server fine if I use the administrator account, but if I use either of two user accounts (with all the settings the same as when I connect as the administrator except the username and password) I get a password failed message from both Cyberduck and OS X Server.
Here's the log from OS X Server. You can see the first and second users trying to log in and ultimately getting "Failed password..." even though I'm definitely using the correct passwords. Finally you see me logging in as the administrator, and for some reason we see "Accepted password..."
Sep 16 09:42:38 myservername sshd[77825]: /etc/sshd_config line 75: Unsupported option KerberosGetAFSToken
Sep 16 09:42:38 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating credential for user firstusername
Sep 16 09:42:38 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating shared credential for user firstusername
Sep 16 09:42:38 myservername com.apple.SecurityServer[37]: Succeeded authorizing right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Sep 16 09:42:38 myservername sshd[77825]: Failed password for firstusername from 10.0.1.1 port 45988 ssh2
Sep 16 09:43:12 myservername sshd[77855]: /etc/sshd_config line 75: Unsupported option KerberosGetAFSToken
Sep 16 09:43:13 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating credential for user secondusername
Sep 16 09:43:13 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating shared credential for user secondusername
Sep 16 09:43:13 myservername com.apple.SecurityServer[37]: Succeeded authorizing right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Sep 16 09:43:13 myservername sshd[77855]: Failed password for secondusername from 10.0.1.1 port 41965 ssh2
Sep 16 09:43:52 myservername sshd[77874]: /etc/sshd_config line 75: Unsupported option KerberosGetAFSToken
Sep 16 09:43:52 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating credential for user administrator
Sep 16 09:43:52 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating shared credential for user administrator
Sep 16 09:43:52 myservername com.apple.SecurityServer[37]: Succeeded authorizing right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Sep 16 09:43:52 myservername sshd[77874]: Accepted password for administrator from 10.0.1.1 port 38438 ssh2
Sep 16 09:43:52 myservername sshd[77881]: subsystem request for sftp
Yes, "Remote Login (SSH)" checkbox in Server Admin is checked. I left the "Access" alone so it still shows the SSH service allows access by "all users or groups."
I don't think there is anything relevant different about the users? I created them in Server Preferences. I guess they don't have a check in "Allow user to administer this server" if that is somehow relevant? I'm pretty sure I already tried checking that though during one of my tests and it made no difference.
The users can access their mail accounts fine on the server using their short names and passwords. No strange networking stuff going on, I'm actually doing all this testing on the same switch.
I just noticed something that may be related to this issue... the only user that can log in to my OS X Server (10.5.8) locally is "administrator." All the other accounts I've created for myself and my users, which work fine for remote connections (mail and iCal basically), do not work for simply logging into the server when I'm sitting at it locally. The login screen just bounces around when I type the correct short names and passwords.
Is there some privilege or group I need to add to new users so they can log in to the server locally? And maybe that will allow SSH access?
are these other users set up with network homes? do they actually have homedirs?
it looks like a Kerberos issue. i think you explicitly need to pass an option with ssh to use Kerberos logins. something like this: ssh server.domain.com -o GSSAPIAuthentication=yes
of course, verify you have a Kerberos ticket on the client side before trying that.
there are other references to this in these forums.
I don't think I use Kerberos... it shows "Stopped" in Server Admin and I'm not sure why I would need it. I used the standard setting (I think that was the option anyway) when I first installed OS X Server.
I used Server Preferences to create the user accounts. I guess it doesn't set up home folders for new users? All my users show "/var/empty" under Workgroup Manager/Home. Login Shell is set to /usr/bin/false.
I'll try setting a home folder and a login shell and see if SSH starts working. Maybe Server Preferences isn't a good tool for creating accounts?
OK, setting a shell and home folder worked! SSH and SFTP are working great. I'm surprised (ok, at this point not really) that Server Preferences didn't ask me about this stuff during account creation.
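The posted log has a tell-tale pattern: com.apple.SecurityServer reports "checkpw() succeeded" for the user, yet sshd immediately logs "Failed password". A genuinely wrong password never produces the checkpw() success line, so that combination points at account setup (in this thread, a /var/empty home and a /usr/bin/false login shell) rather than at credentials. The filter below is an added example, not code from the thread; it runs over a constructed sample modelled on the posted lines (hostname srv and the trailing baduser line are made up) and lists the users showing that pattern.

```shell
#!/bin/sh
# Added example: find users whose password passed checkpw() but whose SSH
# login was still refused by sshd. Reads sshd/SecurityServer log text on stdin.

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG='Sep 16 09:42:38 srv com.apple.SecurityServer[37]: checkpw() succeeded, creating credential for user firstusername
Sep 16 09:42:38 srv sshd[77825]: Failed password for firstusername from 10.0.1.1 port 45988 ssh2
Sep 16 09:43:13 srv com.apple.SecurityServer[37]: checkpw() succeeded, creating credential for user secondusername
Sep 16 09:43:13 srv sshd[77855]: Failed password for secondusername from 10.0.1.1 port 41965 ssh2
Sep 16 09:43:52 srv com.apple.SecurityServer[37]: checkpw() succeeded, creating credential for user administrator
Sep 16 09:43:52 srv sshd[77874]: Accepted password for administrator from 10.0.1.1 port 38438 ssh2
Sep 16 09:50:01 srv sshd[77900]: Failed password for baduser from 10.0.1.9 port 50000 ssh2'

# Print each user (once, sorted) for whom checkpw() succeeded but sshd
# then reported "Failed password". Users with only a Failed password line
# (wrong password, e.g. baduser above) are not reported.
shell_denied_users() {
    awk '
        /checkpw\(\) succeeded, creating credential for user/ {
            ok[$NF] = 1                 # username is the last field
        }
        /sshd\[[0-9]+\]: Failed password for/ {
            # fields: ... "Failed" "password" "for" USER "from" IP ...
            # OpenSSH writes "for invalid user NAME" for unknown accounts.
            for (i = 1; i <= NF; i++) if ($i == "for") break
            u = $(i + 1)
            if (u == "invalid") u = $(i + 3)
            if (ok[u] && !seen[u]++) print u
        }
    ' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | shell_denied_users
```

On a real 10.5 server, feed it the secure.log lines for sshd and SecurityServer; any user it names is worth checking in Workgroup Manager for a /var/empty home or a /usr/bin/false shell before resetting passwords.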